
Configuring Okta SAML authentication

Omni supports service provider (SP)-initiated SAML authentication with Okta. When enabled, users in your organization can log into Omni using their Okta credentials.

Requirements

To follow the steps in this guide, you'll need:

  • Omni Organization Admin permissions
  • Permissions in Okta that allow you to:
    • Access the Admin console
    • Add & configure Okta applications

Limitations

  • User sessions will expire after 24 hours. This is not currently configurable.
  • Users will not be able to click the Omni tile in Okta to log in. This is because Omni's current integration with Okta is SP-initiated, not identity provider (IdP)-initiated.

1. Add the Omni application in Okta

  1. Log in to your Okta Admin console.

  2. Navigate to Applications > Applications > Browse App Catalog.

  3. Search for the Omni Analytics application.

  4. Click Add integration.

  5. On the page that displays, enter your Omni subdomain. For example, if you log in to https://blobsrus.omniapp.co, you would enter blobsrus.

  6. Click Save.

2. Retrieve Okta Omni application details

Navigate to the Okta Omni application and then complete the following:

  1. In the Okta Omni application, open the Sign on tab.

  2. In the SAML 2.0 section, click More details.

  3. Keep this section open - you'll need the Sign on URL, Issuer, and Signing certificate handy to complete the next step.

3. Assign yourself to the Omni application

In this step, you'll assign the Okta Omni application to yourself. This will allow you to test the setup in Omni before rolling everything out to your organization.

  1. In the Okta Omni application, open the Assignments tab.
  2. Click the Assign button, then Assign to people.
  3. In the dialog that displays, click the Assign link next to your user.
  4. You'll be directed to confirm details about the user, including the email address and display name. Modify these settings as needed.
  5. When finished, click Save and Go back.
  6. Click Done.

4. Configure Omni authentication settings

In Omni, navigate to Settings > Authentication to complete the setup:

  • Entity ID / Issuer - Copy and paste the Issuer value from Okta

  • SSO (Sign on) URL - Copy and paste the Sign on URL value from Okta

  • Certificate - Use the Copy button next to the Certificate field in Okta, then paste the contents in Omni.

    Warning

    The certificate must include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, for example:

    -----BEGIN CERTIFICATE-----
    [Your Okta certificate contents]
    -----END CERTIFICATE-----

    After you paste the certificate into Omni, add these values above and below the certificate so that it looks like the above example.

  • Enable SAML login - Toggle this setting to on to enable SAML authentication

When finished, click Save SAML changes.

Omni authentication settings page

5. Test the setup

Test your SAML setup by logging out of Omni. On the Omni login page, you should see a Log in with SAML button. Click the button to log in using SAML.

6. Assign users to the Okta Omni application

Looking to assign user groups?

User groups can be pushed from Okta to Omni using SCIM. Check out the Okta-Omni SCIM guide for more information.

Once you confirm everything is working as expected, you can assign the Okta Omni application to other people and groups in your organization. Not sure what permissions to use? Refer to the Connection permissions guide for more information.

In Okta:

  1. In the Okta Omni application, open the Assignments tab.
  2. Click the Assign button, then Assign to people.
  3. In the dialog that displays, click the Assign link next to the user.
  4. You'll be directed to confirm details about the user, including the email address and display name. Modify these settings as needed.
  5. When finished, click Save and Go back.
  6. Click Done.

Users will now be able to navigate to Omni in their browser and use SAML to log in.

What's next?

Setting up SAML allows your users to authenticate to Omni using their Okta credentials. With this setup completed, you can also: