SSO Overview
Requirements:
- Active Emtrain account
- Active Okta account
- Any user who will be signing into Emtrain via Okta SSO must have an email address
- Email addresses must be unique per user (e.g. this integration cannot be used if multiple users share the same email address)
- The user must have the Emtrain SSO app assigned/available to them in Okta
- The user must have a User Profile set up in Emtrain
How does this work?
When a user signs into their Emtrain account via Okta SSO, the following chain of events occurs:
- The user accesses the “App Embed URL”, an Okta URL. The user can reach this link in 2 ways:
  - By clicking on the Emtrain tile in their Okta user portal.
  - When the user goes to their account’s home page on Emtrain, they are automatically redirected to the App Embed URL and sent through the SAML authentication process.
- Okta then checks whether the user has an active, valid Okta session. If they do not, they are prompted to log into their Okta account. Once the user has an active session, Okta sends a request containing authentication and user information (the “SAML Assertion”) to Emtrain.
- Emtrain validates the following 3 items when the SAML Assertion is received from Okta:
  - API key/Account ID
  - Okta X.509 certificate
  - User Email
- If the user email on the SAML assertion corresponds to a user on your Emtrain account, the user is logged in.
- If the user email on the SAML assertion does not correspond to a user on your Emtrain AI account, an error message is displayed.
- Optionally, you can request that your Emtrain account be enabled for Self-Signup, which allows a user to be created on your Emtrain account with the First Name, Last Name and Email Address from the SAML assertion.
Configuration and setup
Before getting started, obtain:
- Your Emtrain account's subdomain. This is located in the Manage dashboard under the Site Config heading. It is also the first part of the address you use to visit Emtrain, the "example" portion of this address: https://example.app.emtrain.com/home.
- The API key for your Emtrain account (obtain this by navigating to the Site Config area of the Manage Tools, choosing the Integration tab, and selecting Enable SSO).
Once you have those two items, you can create the Okta portion of the SSO application.
Setup in Okta
1. Log into the Okta admin area. (Note: if you are in the “developer console” area, switch over to the “Classic UI”.)
2. Click the Applications link, select Applications from the menu, then click the Add Application button. Click the Create New App button.
3. In the Create a New Application Integration dialog, keep the default selection of “Web” for Platform, and select SAML 2.0 as the Sign on method. Click the Create button.
4. On the General Settings dialog, enter Emtrain as the App Name and upload the attached logo file. Click the Next button.
5. On the Configure SAML dialog, enter the following values in the General section of A. SAML Settings. For any Emtrain URL listed here, replace the "example" portion of the URL with your account's subdomain. When inserting your API key, do not wrap the key in brackets.
   - Single sign on URL: https://example.ai-api.emtrain.com/authentication/saml?key={account API key}
   - Leave Use this for Recipient URL and Destination URL checked
   - Audience URI (SP Entity ID): use the Single sign on URL here: https://example.ai-api.emtrain.com/authentication/saml?key={account API key}
   - Default Relay State: https://example.app.emtrain.com/saml
   - Name ID Format: use the default value of Unspecified
   - Application Username: Email
   - Update application username on: use the default value of Create and Update
6. On the Configure SAML dialog, enter the following values in the Attribute Statements section of A. SAML Settings.
   - Add a new attribute, API_KEY
     - Name: API_KEY
     - Format: Basic
     - Value: your Emtrain account’s API key
   - Add a new attribute, Email
     - Name: Email
     - Format: Basic
     - Value: user.email (select the user.email value in the dropdown menu)
   - Add a new attribute, FirstName
     - Name: FirstName
     - Format: Basic
     - Value: user.firstName (select the user.firstName value in the dropdown menu)
   - Add a new attribute, LastName
     - Name: LastName
     - Format: Basic
     - Value: user.lastName (select the user.lastName value in the dropdown menu)
7. In section B, Preview the SAML assertion generated from the information above, click the <> Preview SAML Assertion button, and verify that the SAML Assertion XML contains the SSO URL (in the Recipient element) and the 4 attributes you created in step 6.
8. When you have finished validating the SAML Assertion XML, click the Next button.
9. Select the “I'm an Okta customer adding an internal app” option and click the Finish button.
10. On the Emtrain application page, click the Sign On link, and click the View Setup Instructions button.
11. On the How to Configure SAML 2.0 for Emtrain Application page, copy the Identity Provider Single Sign-On URL (1) and copy or download the X.509 Certificate (3). You will need to enter these values into your Emtrain account to complete the setup and configuration of the SSO integration.
This completes the configuration of the Okta portion of the integration.
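The following is an added example, not Emtrain's or Okta's code, that shows both the Preview SAML Assertion check from the Okta setup (Recipient must be the SSO URL, all four attributes present) and the three checks Emtrain performs on a received assertion as described under "How does this work?" (API key, Okta X.509 certificate, user email), including the optional Self-Signup path. The account API key, SSO URL, certificate body, user directory and the `build_response` helper that fabricates an Okta-shaped Response are all constructed placeholders; real Okta responses are signed, and a production service provider must verify that XML signature against the configured certificate before trusting any attribute, which this example does not do.

```python
"""Added example (not Emtrain's or Okta's code): parse a SAML assertion,
apply the API key / signing certificate / email checks, and decide between
login, self-signup and an error."""
import hmac
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed account configuration (placeholders, not real Emtrain values).
ACCOUNT_API_KEY = "EXAMPLE-API-KEY-0000"
SSO_URL = "https://example.ai-api.emtrain.com/authentication/saml?key=" + ACCOUNT_API_KEY
CONFIGURED_CERT = "MIIBexampleCertificateBodyPastedIntoEmtrain=="  # base64 body, no BEGIN/END lines
REQUIRED_ATTRS = ("API_KEY", "Email", "FirstName", "LastName")


def build_response(email, first, last, api_key=ACCOUNT_API_KEY, cert=CONFIGURED_CERT):
    """Constructed stand-in for the Response Okta posts (shape only; it is not signed)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}">
  <saml:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {cert}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID>{email}</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="{SSO_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="API_KEY"><saml:AttributeValue>{api_key}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>{first}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>{last}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return (recipient, signing_cert_body, attributes) from a SAML Response."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    cert_el = root.find(".//ds:X509Certificate", NS)
    # Whitespace inside the certificate element is insignificant; collapse it.
    cert = "".join(cert_el.text.split()) if cert_el is not None and cert_el.text else None
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0].strip() if values else ""
    return recipient, cert, attrs


def check_preview(xml_text):
    """The Preview SAML Assertion check: the assertion must carry the SSO URL as
    Recipient and all four attributes. Returns a list of problems (empty = OK)."""
    recipient, _, attrs = parse_assertion(xml_text)
    problems = []
    if recipient != SSO_URL:
        problems.append(f"Recipient is {recipient!r}, expected the SSO URL")
    problems += [f"missing attribute {name}" for name in REQUIRED_ATTRS if name not in attrs]
    return problems


def handle_assertion(xml_text, users, self_signup=False):
    """Service-provider side decision. `users` maps lowercase email -> profile.
    Returns ("login", email), ("created", email) or ("error", reason).
    A real SP must first verify ds:Signature with the configured certificate;
    this example only pins the certificate body carried in KeyInfo."""
    recipient, cert, attrs = parse_assertion(xml_text)
    if recipient != SSO_URL:
        return ("error", "recipient does not match the configured SSO URL")
    # Constant-time compare so the API key check does not leak by timing.
    if not hmac.compare_digest(attrs.get("API_KEY", ""), ACCOUNT_API_KEY):
        return ("error", "API key does not match this account")
    if cert != CONFIGURED_CERT:
        return ("error", "signing certificate is not the one configured for Okta")
    email = attrs.get("Email", "").lower()  # assumption: emails are matched case-insensitively
    if email in users:
        return ("login", email)
    if self_signup and email and attrs.get("FirstName") and attrs.get("LastName"):
        users[email] = {"first": attrs["FirstName"], "last": attrs["LastName"]}
        return ("created", email)
    return ("error", "no Emtrain user with this email address")


if __name__ == "__main__":
    directory = {"alice@example.com": {"first": "Alice", "last": "Liddell"}}
    print(check_preview(build_response("alice@example.com", "Alice", "Liddell")))
    print(handle_assertion(build_response("alice@example.com", "Alice", "Liddell"), directory))
    print(handle_assertion(build_response("bob@example.com", "Bob", "Builder"), directory))
    print(handle_assertion(build_response("bob@example.com", "Bob", "Builder"), directory, self_signup=True))
```

Run the block directly to see the four outcomes: a clean preview (empty problem list), a login for the existing user, an error for an unknown email, and a created account for that same email once self-signup is on. Passing a wrong API key or a different certificate body into `build_response` produces the corresponding error before the email lookup ever happens.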
Setup in Emtrain
To complete the integration, navigate to the Integration tab under Site Config and select Enable SSO then choose Okta SSO under the Provider dropdown.
Add the X.509 Certificate and the SSO Entry Point (the Identity Provider Single Sign-On URL copied from Okta) to the corresponding boxes, then click Save. Be sure you REMOVE the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines when adding your certificate to the field. The SSO Logout Redirect URL is optional and may be left blank.
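The certificate field expects only the base64 body of the certificate. The following added example (not Emtrain's or Okta's code) strips the BEGIN/END lines and line breaks from a PEM file and then checks that what remains decodes to DER that starts with an ASN.1 SEQUENCE, which is what a certificate looks like on the wire; it also reports a SHA-256 fingerprint that can be compared against what the service provider has pinned. The sample DER bytes and the `to_pem` helper are constructed for the example and are not a real certificate.

```python
"""Added example (not Emtrain's or Okta's code): normalize an X.509 certificate
for a field that wants the base64 body without PEM BEGIN/END lines."""
import base64
import binascii
import hashlib

# Constructed sample: not a real certificate. A decoded certificate begins with
# 0x30 (ASN.1 SEQUENCE) followed by a long-form length such as 0x82.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(60))
SAMPLE_DER_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest()


def to_pem(der):
    """Lay DER bytes out in standard PEM form: base64 in 64-character lines
    between BEGIN/END markers (CRLF line endings, as a downloaded file may use)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines) + "\r\n-----END CERTIFICATE-----\r\n"


SAMPLE_PEM = to_pem(SAMPLE_DER)


def strip_pem(pem_text):
    """Return only the base64 body: drop BEGIN/END marker lines, blank lines and
    all line breaks. Input that is already a bare body passes through unchanged."""
    body_lines = []
    for line in pem_text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----"):
            continue
        body_lines.append(line)
    return "".join(body_lines)


def validate_cert_body(body):
    """Decode the body and check it looks like DER (first byte 0x30).
    Returns (True, sha256_fingerprint_hex) or (False, reason). Leaving the
    BEGIN/END lines in place fails here, because '-' is not a base64 character."""
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if not der or der[0] != 0x30:
        return False, "decoded bytes do not start with an ASN.1 SEQUENCE"
    return True, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    print(validate_cert_body(SAMPLE_PEM))              # fails: markers still present
    print(validate_cert_body(strip_pem(SAMPLE_PEM)))   # ok, with fingerprint
```

Paste the output of `strip_pem` into the certificate field. If `validate_cert_body` rejects the body, the file was either pasted with its markers or is not a certificate at all.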
Validating your setup
Once both sides of the integration are set up, testers at the client’s organization can validate that the integration functions properly.
Test 1
Verify that the user is logged into Emtrain if the user exists in both Okta and Emtrain (email address must be the same on both platforms)
- Test user logs into Okta portal and clicks Emtrain tile. User should see a “Signing into Emtrain” page, and then see their Emtrain learner portal. Their name should be present in the upper left corner (for desktop users) or in the Update Profile section (for tablet/mobile users).
- Test user logs into Okta. In a separate browser tab that does not have an active Okta session, open the account’s Home URL (https://{my account name}.app.emtrain.com/home). The user should be redirected to an Okta login page on Okta’s domain. After a successful login with the user’s Okta credentials, the user should be redirected to their Emtrain home portal.
Test 2 (Only if Self-Signup Enabled)
Verify that a user is created in Emtrain if the user exists in Okta and has the Emtrain SSO app assigned to them, but the user doesn’t exist in Emtrain AI:
- Create a test user in Okta and assign the Emtrain app to the test user. Do not create an Emtrain user for this test user.
- Log in to the test user’s Okta portal and click the Emtrain tile.
- The user should be logged into Emtrain as a new user created with the First Name, Last Name and Email Address passed to Emtrain in the SAML Assertion.
- Log into the Emtrain Manage dashboard and click on the Users link. You should see the newly created user on the users list.
FAQs
Can Okta provision new Users? Yes, we can set your Account to provision Users as they log in through the Okta tile. Please advise your Implementation Specialist if you prefer to have Just In Time (JIT) provisioning.