Configuring SSO with OKTA

  • Single sign-on (SSO) with OKTA allows users in your organization to sign in to TeamRetro using their existing OKTA account - there is no need to create a separate TeamRetro account.

    Requirements

    • You must be an ORGANIZATIONAL OWNER in your TeamRetro organization
    • You must be an admin in OKTA

      Setup Instructions

      1. Open Single Sign-On Settings in TeamRetro

    • Open TeamRetro
    • Browse to your ORGANIZATION page
    • Select the SETTINGS tab

    • Select SSO from the admin menu
    • Select ADD SAML IDENTITY

    • You will be presented with your TeamRetro service provider (SP) settings

    • Leave this window open for the moment - we'll need this information to complete the configuration of the TeamRetro app in OKTA.

      2. Configure Single Sign-On in OKTA

    • Log in to OKTA as an admin, then click Applications on the side panel

    • On that page, select Create App Integration

    • In the "Create a New Application Integration" dialog:
      • Select: SAML 2.0
    • Click Next
    • On the "Create SAML Integration", "General Settings" screen
      • Enter "App name": TeamRetro
      • Upload the TeamRetro logo (you can download the one below)

    • Click NEXT
    • On the "Create SAML Integration", "Configure SAML" screen, complete the GENERAL form
      • Single sign on URL: [copy the ACS URL from the TeamRetro tab]
      • Check "Use this for Recipient URL and Destination URL"
      • Audience URI (SP Entity ID): [copy the SP Entity Id from the TeamRetro tab]
      • Select "Name ID format": EmailAddress
      • Select "Application username": Email

    • On the "Attribute Statements (Optional)" section, add the following entries
      • firstName [Unspecified] user.firstName
      • lastName [Unspecified] user.lastName
      • email [Unspecified] user.email

        For a full list of supported SAML attributes please see TeamRetro Supported SAML Attributes

    • On the "Create SAML Integration" page
      • Click NEXT

    • On the "Feedback" page
      • Select the following options as below:

      • Click FINISH

    • On the "Sign On" tab, scroll down to the SAML Signing Certificates section:

    • Click the Actions drop-down menu next to the certificate, then "View IdP metadata". Right-click on the page that opens and choose "Save as". Save the page as okta-idp-metadata.xml.

      3. Configure Single Sign-On in TeamRetro

      Back in TeamRetro, it's time to add your OKTA Identity Provider (IdP) details.

    • Under "Identity provider settings (IdP)", click "Upload Metadata"

    • Find and open the "okta-idp-metadata.xml" file you downloaded from OKTA a few minutes ago. If successful, the "IDP ENTITY ID", "LOGIN URL", and "SIGNING CERTIFICATE" fields should automatically be populated.

    • Toggle the identity provider to ENABLED
    • Click SAVE CHANGES
    • Click TEST

    • In a new window, you will be redirected to your identity provider to sign in. If you are redirected back to TeamRetro, your configuration has succeeded. If you encounter any errors or warnings, please contact info@teamretro.com and we'll help you out.

      What's Next

    • You will now be able to access TeamRetro along with your other OKTA applications... no separate sign-in required!
    • When you invite your team to join you in TeamRetro, they will be presented with the option of signing in with your organization's SSO
