Setup for Single Sign-On (SSO) access for Okta

1. Requirements

In order to configure the SSO settings in babelforce, you must have access to a User with the "manager" role in babelforce and administrator privileges in Okta.

2. Support Features

We support the following SSO features.

• Service Provider (SP) Initiated 
• Identity Provider (IdP) Initiated

3. Step-by-step configuration instructions

Note: After the babelforce.com template app is assigned to our dev account this section will be updated.

3.1 Prerequisites

• You should know your company name  it is located in the babelforce manager application at "My Account" in "your-user@example.org" (bottom left corner) -> "Overview"
• (optional) locate your well known openid-configuration file. https://${tenant}.okta.com/.well-known/openid-configuration 
  
  • tenant is your tenant id in okta for example https://dev-25542524-admin.okta.com/.well-known/openid-configuration
  • open that file
  • note down the values for the following 3 properties, you will need them on the babelforce side
    • issuer
    • authorization_endpoint
    • token_endpoint
• (optional) note down your babelforce Access ID, it is located in the babelforce manager application at "My Account" in "your-user@example.org" (bottom left corner) -> "Overview"

3.2 Choose babelforce.com template app from OIN cataloge and configure it

3.2.1 Search for the babelforce.com application

• Browse app catalog

• Search for the integration by typing in "babelforce" and select the integration

• click on babelforce.com
• add integration
• enter an application name, for example babelforce.com SSO

• You created the babelforce.com SSO application and should end up on the "Assignments" page of the application. The application is not yet working, you still need to configure it.
• On the assignments page you have to add users or user through groups that should be able to login via SSO.

3.2.2 Get configuration settings for the babelforce.com SSO application

• Go to the Sign On section of the application.
  
• Copy the Client ID and Client secret
• Open the link for OpenID Provider Metadata

3.2.3 Login into your babelforce manager account and go to "SSO settings"

Go to the Single-Sign-On Settings

Fill the required information in the dialog and save.

Site: enter the value issuer from 3.1. Prerequisites or from the OpenID provider metadata

Token Path: enter the value token_endpoint issuer from 3.1. Prerequisites or from the OpenID provider metadata

Auth Path: enter the value authorization_endpoint issuer from 3.1. Prerequisites  or from the OpenID provider metadata

Client ID: enter the client ID value from configuration data

Client Secret: enter the client secret value from configuration data

Principal Claim: depends on your usecase, for okta it is most likely email

Press save bottom right.

Redirect URI should be populated automatically

3.2.4 Get configuration data from babelforce.com

• copy the Redirect URI named babelconnect2
  • the url structure should look like https://apps.{babelforceEnv}.babelforce.com/{babelforceAppName}/user/sso/{babelforceAccessID}

• locate your company name in Overview
  
  
• copy your company name and create the following Initiate login URI https://apps.${babelforceEnv}.babelforce.com/manager/user/login?tenant=${babelforceCompanyName}&login=true
  • babelforceCompanyName you take from the overview page, if it contains spaces or any special characters you need to url encode the company name before putting it in the url above.
    E.g.: Your company name is "okta testing" than you should construct the following URI https://apps.${babelforceEnv}.babelforce.com/manager/user/login?tenant=okta%20testing&login=true note that you had to encode the space inbetween "okta testing" with %20.
  • babelforceEnv you can see that in your url bar of your browser or in the redirectURI on the SSO page. Basically anything in between of apps and babelforce.com. E.g.: https://apps.babelforce.com/manager/user/login there is nothing inbetween so you are on the main babelforceEnv and can leave it empty like so https://apps.babelforce.com/manager/user/login?tenant=${babelforceCompanyName}&login=true
• An example URL would look like that https://apps.babelforce.com/manager/user/login?tenant=okta%20testing&login=true ,note this example shows a url for the main babelforce environment and a company named "okta testing".

3.2.5 configure the babelforce.com application on the okta side

• go to the Sign On section
  • fill Redirect URI and Initiate Login URI with the values from the prior paragraph.

• Application username format select "email"
• Press save

Your okta application and babelforce.com should be configured for SSO now.

3.3 Add users to babelforce.com application on okta

Please add the users that are known to babelforce.com to the okta application for example via a babelforce.com group in okta.

3.4. Login via SSO

Go to the babelforce login page and switch to login with SSO

Enter your company name (see Prerequisites) in "Tenant" text box, press "Login with SSO" button

Note: only users that are known to babelforce and okta by the same email address will be able to login.

• only users that are known to babelforce and okta by the same email address will be able to login.
  • Select email for the application username format on the babelforce.com SSO application in okta 
  • Enter email for the SSO configuration value claim in the babelforce.com
  • Add users to your babelforce.com SSO application in okta