Configuring SSO with OKTA
Single sign on (SSO) with OKTA will allow users in your organization to sign in to TeamRetro using their existing OKTA account - no need to create a separate TeamRetro account.
- You must be an admin in your TeamRetro organization
- You must be an admin in OKTA
1. Open Single Sign on Settings in TeamRetro
- Open TeamRetro
- Browse to your Organization page
- Select the Settings tab
- Select Single Sign On from the admin menu
- Select Add SAML Identity Provider
- You will be presented with your TeamRetro service provider (SP) settings
- Leave this window open for the moment - we'll need this information to complete configuration of the TeamRetro app in OKTA.
2. Configure Single Sign On in OKTA
- In your OKTA admin dashboard, select Add Application
- Click the Create New App button
- In the "Create a New Application Integration" dialog:
- Select "Platform": Web
- Select "Sign on method": SAML 2.0
- Click Create
- On the Create SAML Integration, General Settings screen
- Enter "App name": TeamRetro
- Upload the TeamRetro logo (you can download the one below)
- Click Next
- On the Create SAML Integration, Configure SAML screen, complete the GENERAL form
- Single sign on URL: [copy the ACS URL from the TeamRetro tab]
- Check "Use this for Recipient URL and Destination URL"
- Audience URI (SP Entity ID): [copy the SP Entity Id from the TeamRetro tab]
- Select "Name ID format": EmailAddress
- Select "Application username": Email
- In the "Attribute Statements (Optional)" section, add the following entries (Name / Name format / Value):
- firstName / Unspecified / user.firstName
- lastName / Unspecified / user.lastName
- email / Unspecified / user.email
- On the "Create SAML Integration - Feedback" page
- Click Next
- On the OKTA TeamRetro Application Configuration page
- Right click Identity Provider metadata and select Save Link As... to download your IdP metadata to your computer - you'll need this in a moment. Save the file as okta-idp-metadata.xml
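Before uploading okta-idp-metadata.xml in the next step, it helps to confirm the file actually carries the three values TeamRetro will read from it (IdP entity ID, login URL and signing certificate) and that the Okta app advertises the EmailAddress Name ID format chosen above. The following script is an added example, not TeamRetro's or Okta's code; the embedded metadata document is constructed for illustration, so its entity ID, URLs and certificate bytes are placeholders, and the field names in the messages are simply the labels from the TeamRetro settings page.

```python
"""Inspect a SAML IdP metadata file (e.g. okta-idp-metadata.xml) before uploading it
to a service provider. Added illustration; the sample document below is constructed."""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate: a few DER-looking bytes, NOT a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode()

# Constructed stand-in for the metadata Okta generates (not a real tenant).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEIDP">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            CERT_PLACEHOLDER
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.okta.com/app/teamretro/exkEXAMPLEIDP/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-org.okta.com/app/teamretro/exkEXAMPLEIDP/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("CERT_PLACEHOLDER", FAKE_CERT_B64)


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO endpoints, signing certs and Name ID formats."""
    # Refuse DTDs outright: entity expansion is the classic way to abuse an XML parser.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("metadata contains a DOCTYPE; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor with no 'use' covers both
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # strip the pretty-print whitespace
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {
        "entity_id": root.get("entityID"),
        "login_urls": sso,
        "signing_certs": certs,
        "name_id_formats": formats,
    }


def check_idp_metadata(meta: dict) -> list:
    """Return a list of problems; an empty list means the file looks ready to upload."""
    problems = []
    if not meta["entity_id"]:
        problems.append("missing entityID (IDP ENTITY ID)")
    login = meta["login_urls"].get(HTTP_REDIRECT) or meta["login_urls"].get(HTTP_POST)
    if not login:
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding (LOGIN URL)")
    elif not login.startswith("https://"):
        problems.append("login URL is not https: %s" % login)
    if not meta["signing_certs"]:
        problems.append("no signing certificate (SIGNING CERTIFICATE)")
    for cert in meta["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("signing certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER Certificate is an ASN.1 SEQUENCE
            problems.append("signing certificate is not DER-encoded X.509")
    if EMAIL_NAMEID not in meta["name_id_formats"]:
        problems.append("IdP does not advertise the emailAddress Name ID format selected in the Okta app")
    return problems


if __name__ == "__main__":
    # Usage: python check_metadata.py okta-idp-metadata.xml   (no argument: run on the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    meta = parse_idp_metadata(text)
    print("entity ID:", meta["entity_id"])
    print("login URL:", meta["login_urls"].get(HTTP_REDIRECT) or meta["login_urls"].get(HTTP_POST))
    print("signing certs:", len(meta["signing_certs"]))
    for p in check_idp_metadata(meta):
        print("PROBLEM:", p)
```

Run it against the downloaded file; an empty problem list means the three fields TeamRetro fills in are present and the Name ID format matches the Okta app. The DOCTYPE refusal is deliberate: IdP metadata never needs a DTD, and rejecting one is cheaper than configuring the parser defensively.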
3. Configuring Single Sign On in TeamRetro
Back in TeamRetro, it's time to add your OKTA Identity Provider (IdP) details.
- Under "Identity provider settings (IdP)", click "Upload Metadata"
- Find and open the "okta-idp-metadata.xml" file you downloaded from OKTA a few minutes ago. If successful, the "IDP ENTITY ID", "LOGIN URL", and "SIGNING CERTIFICATE" fields should be populated automatically.
- Toggle the identity provider to ENABLED
- Click SAVE CHANGES
- Click TEST LOGIN
- In a new window, you will be redirected to your identity provider to sign in. If you are redirected back to TeamRetro, your configuration has succeeded. If you encounter any errors or warnings, please contact email@example.com and we'll help you out.
- You will now be able to access TeamRetro along with your other OKTA applications... no separate sign in required!
- When you invite your team to join you in TeamRetro, they will be presented with the option of signing in with your organization's SSO.