Configuring SSO with OKTA
Single sign-on (SSO) with OKTA lets users in your organization sign in to TeamRetro with their existing OKTA account - no separate TeamRetro account is needed.
Before you begin, you will need:
- admin rights in your TeamRetro organization
- admin rights in OKTA
1. Open Single Sign-On Settings in TeamRetro
- Open TeamRetro
- Browse to your ORGANIZATION page
- Select the SETTINGS tab
- Select SINGLE SIGN ON from the admin menu
- Select ADD SAML IDENTITY
- You will be presented with your TeamRetro service provider (SP) settings
- Leave this window open for the moment - we'll need this information to complete the configuration of the TeamRetro app in OKTA.
2. Configure Single Sign-On in OKTA
- In your OKTA admin dashboard, select ADD APPLICATION
- Click the CREATE NEW APP button
- In the "Create a New Application Integration" dialog:
  - Select "Platform": Web
  - Select "Sign on method": SAML 2.0
  - Click CREATE
- On the "Create SAML Integration - General Settings" screen:
  - Enter "App name": TeamRetro
  - Upload the TeamRetro logo (you can download the one below)
  - Click NEXT
- On the "Create SAML Integration - Configure SAML" screen, complete the GENERAL form:
  - Single sign on URL: [copy the ACS URL from the TeamRetro tab]
  - Check "Use this for Recipient URL and Destination URL"
  - Audience URI (SP Entity ID): [copy the SP Entity Id from the TeamRetro tab]
  - Select "Name ID format": EmailAddress
  - Select "Application username": EMAIL
  - In the "Attribute Statements (Optional)" section, add the following entries:

| Name | Name format | Value |
| --- | --- | --- |
| firstName | Unspecified | user.firstName |
| lastName | Unspecified | user.lastName |
| email | Unspecified | user.email |

For a full list of supported SAML attributes, please see TeamRetro Supported SAML Attributes.

- On the "Create SAML Integration - Feedback" page:
  - Click NEXT
- On the OKTA TeamRetro application configuration page:
  - Right-click IDENTITY PROVIDER METADATA and select SAVE LINK AS... to download your IdP metadata to your computer - you'll need this in a moment. Save the file as okta-idp-metadata.xml
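The settings in this step determine what TeamRetro, as the service provider (SP), should find inside every SAML assertion OKTA sends it: the Audience must equal the SP Entity ID, the Recipient and Destination must equal the ACS URL, the NameID must be in emailAddress format, and the firstName, lastName and email attribute statements must be present. The Python example below is added here and is not code from TeamRetro or Okta; it applies those checks to a constructed, unsigned SAML response in which the hostnames, entity IDs and user values are placeholders. It deliberately stops short of XML signature verification, which a real SP performs before trusting any of these fields.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an Okta-issued response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email")

# Placeholder SP settings, standing in for the values shown on the TeamRetro SP settings tab
SP_ENTITY_ID = "https://teamretro.example.invalid/saml/metadata"
ACS_URL = "https://teamretro.example.invalid/saml/acs"

# Constructed SAML response, trimmed to the elements the checks below look at (no Signature element)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Issuer>http://www.okta.com/placeholder-idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_NAMEID_FORMAT}">alice@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(response_xml, sp_entity_id, acs_url):
    """Return the list of mismatches between the response and the SP settings; [] means it matches."""
    problems = []
    root = ET.fromstring(response_xml)
    # Destination is set from the ACS URL because of "Use this for Recipient URL and Destination URL"
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append("NameID is missing or not in emailAddress format")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    # The Audience restriction is what ties the assertion to this SP and no other
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not include the SP Entity ID")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems.extend(f"missing attribute statement: {name}" for name in REQUIRED_ATTRIBUTES if name not in present)
    return problems


def user_profile(response_xml):
    """Pull the NameID and the attribute values out of a response that already passed check_assertion."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    profile = {"nameid": assertion.find("saml:Subject/saml:NameID", NS).text}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        profile[attr.get("Name")] = value.text if value is not None else None
    return profile


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS_URL))  # []
    print(check_assertion(SAMPLE_RESPONSE, "https://other.example.invalid/saml/metadata", ACS_URL))
    print(user_profile(SAMPLE_RESPONSE))
```

Running the checks with a different SP Entity ID or ACS URL shows why the two copied values must match exactly: an assertion issued for one SP is rejected by another on the Audience, Destination and Recipient checks, which is the property that stops a token for one application being replayed at a second.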
3. Configure Single Sign-On in TeamRetro
Back in TeamRetro, it's time to add your OKTA Identity Provider (IdP) details.
- Under "Identity provider settings (IdP)", click "Upload Metadata"
- Find and open the "okta-idp-metadata.xml" file you downloaded from OKTA a few minutes ago. If successful, the "IDP ENTITY ID", "LOGIN URL", and "SIGNING CERTIFICATE" fields should automatically be populated.
- Toggle the identity provider to ENABLED
- Click SAVE CHANGES
- Click TEST LOGIN
- In a new window, you will be redirected to your identity provider to sign in. If you are redirected back to TeamRetro, your configuration has succeeded. If you encounter any errors or warnings, please contact firstname.lastname@example.org and we'll help you out.
- You will now be able to access TeamRetro alongside your other OKTA applications, with no separate sign-in required.
- When you invite your team to join you in TeamRetro, they will be offered the option of signing in with your organization's SSO.
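In step 3 TeamRetro fills the IDP ENTITY ID, LOGIN URL and SIGNING CERTIFICATE fields from the uploaded okta-idp-metadata.xml. The Python example below is added here and is not TeamRetro's or Okta's code; it reads those same fields out of a SAML IdP metadata document so the file can be inspected before it is uploaded, keeps only the signing certificate (an encryption-only key never signs assertions), insists on an HTTPS login URL, and records a SHA-256 fingerprint that is handy to keep for comparison when the certificate rotates. The metadata document is constructed in the shape Okta emits; the entity ID, hostname and certificate bytes are placeholders, not real values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-ins for certificate bytes: bare DER SEQUENCEs, not real X.509 certificates
SIGNING_CERT_DER = b"\x30\x03\x02\x01\x01"
ENCRYPTION_CERT_DER = b"\x30\x03\x02\x01\x02"


def _b64(der):
    return base64.b64encode(der).decode()


# Constructed metadata in the shape Okta emits; entity ID and hostname are placeholders
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/placeholder-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{_b64(SIGNING_CERT_DER)}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{_b64(ENCRYPTION_CERT_DER)}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_NAMEID_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://placeholder.okta.example.invalid/app/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://placeholder.okta.example.invalid/app/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the IdP entity ID, login URL and signing certificate(s) found in SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if entity_id is None or idp is None:
        raise ValueError("not a SAML IdP metadata document")

    # Prefer the HTTP-Redirect endpoint for the login URL, fall back to HTTP-POST
    locations = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    login_url = locations.get(HTTP_REDIRECT) or locations.get(HTTP_POST)
    if not login_url or not login_url.startswith("https://"):
        raise ValueError("no HTTPS single sign-on URL in metadata")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # a missing "use" means the key serves both purposes
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der.startswith(b"\x30"):  # every DER-encoded certificate begins with a SEQUENCE tag
                raise ValueError("X509Certificate is not DER-encoded")
            certs.append(der)
    if not certs:
        raise ValueError("metadata has no signing certificate")

    return {
        "idp_entity_id": entity_id,
        "login_url": login_url,
        "signing_certs": certs,
        "fingerprints_sha256": [hashlib.sha256(c).hexdigest() for c in certs],
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(key, value)
```

To try it on the real file, replace SAMPLE_METADATA with the contents of okta-idp-metadata.xml; the name_id_formats list should include the emailAddress format selected in step 2, and the login URL should be the one TeamRetro shows after the upload.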