🌐Single Sign-On (SSO)

SSO services allow a user to use one set of login credentials to access multiple applications/SaaS.

This functionality is included in the "Enterprise" plan only.

Step 1

Click Admin as illustrated in the following screen:

Step 2

From the Okta Dashboard, click Add Application.

Step 3

ClickCreate New App, as illustrated below:

Step 4

In the following screen, ensure Web is selected as Platform. Select"SAML2.0" and click Create.

Step 5

Under the first step "General Settings", enter an application name (e.g.: “RandomCoffee”)and then click next.

Step 6

Under the second step “Configure SAML”, section A “SAML Settings”, enter the RandomCoffee service provider details which can be found on the SSO Setup page of your RandomCoffee organization, in the “Service Provider Details” section.

Now, download the encryption certificate by clicking “Download as file” at the end of the Service Provider Details section. You will upload this later in the Okta SAML configuration section, which is explained below.

In the following screen, click the Show Advanced Settings link to configure advanced SAML assertion settings.

Step 7

Configure the options as shown below. Ensure your field options reflect these values.

For the Encryption Certificate, upload the encryption file in the Encryption Certificate field shown above (remember, you downloaded the encryption file by clicking Download as a file link in the RandomCoffee Service Provider Details section earlier). Click Next to continue.

Step 8

Scroll down to the “Attribute Statements” section and add the following key-value pairs.

email → user.email
firstName → user.firstName
lastName → user.lastName

Step 9

Under the third step “Feedback”, select “I’m an Okta customer adding an internal app”, check “This is an internal app that we have created”, and then click Finish.

Step 10

Move over to the Sign On tab, and click the View Setup Instructions button.

The View Setup Instructions screen comes populated with values that you should copy and paste into the Identity Provider Details section.

Step 11

Copy the Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate from the below screen.

And paste them in the corresponding sections of the Identity Provider Details screen as shown below:

Click Save Authentication.

Step 1

Browse to the Azure Active Directory >Enterprise applications.

Select “New application”.

Click on “Create your own application”, enter your application name (e.g.: RandomCoffee), and choose “Integrate any other application you don’t find in the gallery (Non-gallery)”.

Step 2

On the application overview page, click on “Set up single sign-on”.

You will arrive on the SSO configuration page.

In another window, please go to the RandomCoffee SSO configuration page: https://app.random-coffee.com/account/mycompanyname/admin/settings/integration/sso(replace“mycompanyname” in the URL with the slug you’ve been provided with when setting up your account with RandomCoffee Customer Success Team). You should see a page like this:

Go back to the Azure SSO configuration page. Go to section 1 “Basic SAML Configuration” and click on “Edit”:

Copy and paste the values from the RandomCoffee SSO configuration page to the Azure Basic SAML Configuration page:

Save

You should now see the Basic SAML configuration step filled in:

Step 3

Now go to section 2, “Attribute & Claims”. Click on“Edit”. First, edit the “Required Claim” by clicking on it:

Update the “Source attribute” setting to make sure “user.mail” is selected, and double check that the “Name identifier format” is “Email address”.

Save.

Now, edit the “Additional claims” by doing the following for each claim, referring to the “Value” visible on the Additional claims table:

Clicking on each claim will lead you to the edit window; please update as follows:

E.g. for “user.mail”:

Save.

Step 4

Now go to section 3, “SAML signing certificate”.

Download the “Federation Metadata XML”. Go to the RandomCoffee SSO configuration page and upload the file in the“Identity Provider details” section. The“Identity Provider SSO URL”, “Identity Provider Issuer” and “X.509 certificate” fields should automatically be filled.

On the same page, add a display name (e.g.: “Azure”), as well as IdP Domains. This is required if you want users to connect from https://app.random-coffee.com/login/, and not from Azure.“Display name” will update the button as users enter their emails with the domains specified in the IdP domains field:

Step 5

At the bottom of the Identity Provider Details on the RandomCoffee SSO configuration page, check the box “Automatically add new users using this authentication method to my team ”if you want users not yet created on RandomCoffee to be able to be created when they first login with Azure. If not checked, a user without an account on RandomCoffee trying to log in with SSO won’t be able to log in.

Step 6

On the RandomCoffee SSO configuration page, click on “Save Authentication”.

Step 7

On the Azure SSO configuration page, click on “Users & groups” in the sidebar. Assign specific users or groups to let them log into RandomCoffee. By going back to the SSO section, you can also live-test it with your account once you’ve been assigned to RandomCoffee.

You’re all set!

SSO implementation is available in the Enterprise plan only.

Step 1

Navigate to the Onelogin applications page, and click ADD APP, as illustrated below

Step 2

Search for SAML Test Connector in the Find Applications section. Select SAML Test Connector (IdP w/ attr w/ sign response) from the search results

Step 3

Update or rename the Display Name, and click SAVE.

Step 4

You are now in the Info tab. Click the Configuration tab. Enter your service provider details (which can be found on the configuration Identity provider page on your RandomCoffee platform) and the configuration here. Click SAVE to proceed.

Copy the Entity ID, and ACS URL from your service provider details and paste them into the corresponding fields. However, you need to copy this string ^https:\/\/app.random-coffee.com\/ and paste it into the “ACS (Consumer) URL Validator” field. Copy EntityID, Recipient, and ACS URL in *ACS (Consumer) URL, and set the ACS(Consumer) URL Validator to the value illustrated in the above screen.

Step 5

Navigate to the SSO tab in Onelogin and copy the Identity Provider SSO URL (Issuer URL), SAML 2.0 Endpoint (HTTP), and X.509 Certificate from here: Navigate the SSO tab in OneLogin and copy the Issuer URL as illustrated below:

Paste the metadata link in the browser and download the metadata file:

Step 6

Upload the metadata file in the Identity Provider Details page as illustrated below, Identity Provider SSO URL, Identity Provider Issuer, and X.509 Certificate will be automatically fetched & filled:

Add a display name & your company domains and save:

Select “Automatically add new users using this authentication method to my team" if needed, and click Save Authentication.

Step 7

Add the “first_name“ & “last_name“ fields as illustrated below:

Make sure “Include in SAML assertion“ is checked and click on Save:

Choose “First Name“ and Save:

Do the same for “last_name“.

Step 8

Go to the login page RandomCoffee | Log In | Bring your employees together, enter your email address, and a “Connexion with OneLogin“ button will appear. Click on it, You are good!

Please contact support@random-coffee.com if you have any questions.

PreviousHRIS integration NextCustom sending domain