SSO for Okta

This article explains step by step how to configure SSO between Okta and babelforce through OpenID Connect.

Disclaimer: This integration with Okta is currently under development and is not available to customers yet.
Contact support@babelforce.com to learn more.
However, you can already configure SSO with OpenID Connect via a custom application in Okta. See the last section.

1. Requirements

In order to configure the SSO settings in babelforce, you must have access to a User with the "manager" role in babelforce and administrator privileges in Okta.

2. Supported Features

We support the following SSO features.

  • Service Provider (SP) Initiated 
  • Identity Provider (IdP) Initiated

3. Step-by-step configuration instructions

Note: After the babelforce.com template app is assigned to our dev account this section will be updated.

3.1 Prerequisites

  • You should know your company name. It is located in the babelforce manager application at "My Account" in "your-user@example.org" (top right corner) -> "Overview".
  • (optional) Locate your well-known openid-configuration file: https://${tenant}.okta.com/.well-known/openid-configuration
  • (optional) Note down your babelforce Access ID. It is located in the babelforce manager application at "My Account" in "your-user@example.org" (top right corner) -> "Overview".

3.2 Choose the babelforce.com template app from the OIN catalog and configure it

3.2.1 Search for the babelforce.com application

  • Browse app catalog

  • Search for the integration by typing in "babelforce" and select the integration

  • Click on babelforce.com
  • Add integration
  • Enter an application name, for example babelforce.com SSO

  • You have created the babelforce.com SSO application and should end up on the "Assignments" page of the application. The application is not working yet; you still need to configure it.
  • On the Assignments page, add the users (directly or through groups) that should be able to log in via SSO.

3.2.2 Get configuration settings for the babelforce.com SSO application

  • Go to the Sign On section of the application.
  • Copy the Client ID and Client secret
  • Open the link for OpenID Provider Metadata

3.2.3 Log in to your babelforce manager account and go to "SSO settings"

Go to the Single-Sign-On Settings

Fill the required information in the dialog and save.

Site: enter the issuer value from 3.1. Prerequisites or from the OpenID Provider Metadata

Token Path: enter the token_endpoint value from 3.1. Prerequisites or from the OpenID Provider Metadata

Auth Path: enter the authorization_endpoint value from 3.1. Prerequisites or from the OpenID Provider Metadata

Client ID: enter the client ID value from the configuration data

Client Secret: enter the client secret value from the configuration data

Principal Claim: depends on your use case; for Okta it is most likely email

Press Save at the bottom right.

The Redirect URI should be populated automatically.

 

3.2.4 Get configuration data from babelforce.com

  • locate your company name in Overview

3.2.5 Configure the babelforce.com application on the Okta side

  • go to the Sign On section
    • fill Redirect URI and Initiate Login URI with the values from the prior paragraph.

  • Application username format select "email"
  • Press save

Your okta application and babelforce.com should be configured for SSO now.

3.3 Add users to babelforce.com application on okta

Please add the users that are known to babelforce.com to the Okta application, for example via a babelforce.com group in Okta.

 

3.4. Login via SSO

Go to the babelforce login page and switch to login with SSO

Enter your company name (see Prerequisites) in "Tenant" text box, press "Login with SSO" button

Note: only users that are known to babelforce and okta by the same email address will be able to login.

3.6 Troubleshooting, Known Issues and Tips

  • only users that are known to babelforce and okta by the same email address will be able to login.
    • Select email for the application username format on the babelforce.com SSO application in okta 
    • Enter email for the claim value in the babelforce.com SSO configuration
    • Add users to your babelforce.com SSO application in okta


4. Advanced setup, configure SSO via "Create App Integration" in Okta

This part of the guide lets you set up a custom SSO app integration with Okta. You need advanced knowledge of Okta to make it work. It is not the recommended procedure.

This allows you to solve the following use cases

  • Multiple babelforce applications can be supported e.g. manager and babelconnect2
  • You can automatically add all your Okta users to the app integration

4.1. Prerequisites:

  • Locate your well-known openid-configuration file: https://${tenant}.okta.com/.well-known/openid-configuration
  • Open that file
  • Note down the values for the following 3 properties; you will need them on the babelforce side
    • issuer
    • authorization_endpoint
    • token_endpoint
  • Note down your babelforce Access ID. It is located in the babelforce manager application at "My Account" in "your-user@example.org" (top right corner) -> "Overview".
  • You should know your company name. It is located in the babelforce manager application at "My Account" in "your-user@example.org" (top right corner) -> "Overview".

4.2 Log in to your Okta admin area

4.3 go to applications

4.4 create the app integration

4.4.1 Create new app integration dialog

Sign-in method: OIDC - OpenID Connect

Application type: Web Application

Press next

4.4.2. Fill out the form "New Web App Integration"

App Integration name: babelforce.com OIDC (or anything else you prefer)

Logo (Optional)

Client acting on behalf of a user (default): Authorization code

Sign-in redirect URIs:

${environment} needs to be replaced with the environment your account is on e.g. `services` for EU

${babelforce_access_id} the value you noted down earlier

Sign-out redirect URIs: empty

Assignment:

Press "Save" Button

4.5 Configure your babelforce.com account

4.5.1 You are sent to this page by Okta

Copy the client id and client secret.

4.5.2 Log in to your babelforce manager account and go to "SSO settings"

Fill the required information in the dialog and save.

Site: enter the issuer value from 0. Prerequisites

Token Path: enter the token_endpoint value from 0. Prerequisites

Auth Path: enter the authorization_endpoint value from 0. Prerequisites

Client ID: enter the client ID value from 4.1.

Client Secret: enter the client secret value from 4.1.

Principal Claim: depends on your use case; for Okta it is most likely email

Press Save at the bottom right.

Redirect URI should be populated automatically and should match your okta settings from 3.2. Sign-in redirect URIs
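
One way to check the openid-configuration file from the Prerequisites before copying its three values into the Site, Auth Path and Token Path fields. This is an added example, not babelforce or Okta code: the tenant `example`, the sample document and the function name `sso_settings` are constructed, and requiring the endpoints to share the issuer's origin is an assumption that fits a single Okta tenant.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document for a placeholder tenant "example".
SAMPLE_URL = "https://example.okta.com" + WELL_KNOWN
SAMPLE_DOC = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
})


def sso_settings(discovery_url, raw_json):
    """Return the babelforce SSO field values, or raise ValueError."""
    doc = json.loads(raw_json)
    issuer = doc.get("issuer", "")
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not an openid-configuration URL")
    # OIDC Discovery: the issuer must equal the URL the document was
    # fetched from, minus the well-known suffix.
    if issuer != discovery_url[: -len(WELL_KNOWN)]:
        raise ValueError("issuer does not match the discovery URL")
    base = urlsplit(issuer)
    if base.scheme != "https" or not base.hostname:
        raise ValueError("issuer must be an https URL")
    fields = {"Site": issuer}
    for label, key in (("Auth Path", "authorization_endpoint"),
                       ("Token Path", "token_endpoint")):
        url = urlsplit(doc.get(key, ""))
        # Assumption: both endpoints live on the issuer's origin. An endpoint
        # elsewhere would receive the auth code or the client secret.
        if (url.scheme, url.hostname, url.port) != (
                base.scheme, base.hostname, base.port):
            raise ValueError(f"{key} is not on the issuer's origin")
        fields[label] = doc[key]
    return fields


if __name__ == "__main__":
    for name, value in sso_settings(SAMPLE_URL, SAMPLE_DOC).items():
        print(f"{name}: {value}")
```
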

4.6 Login with SSO

Go to the babelforce login page and switch to login with SSO

Enter your company name (see 0. Prerequisites) in "Tenant" text box, press "Login with SSO" button

Note: only users that are known to babelforce and okta by the same email address will be able to login.
