Create/configure Okta Account and Okta Application
You may skip this section if you already have your Okta org URL, client ID and client secret
- sign up today
- fill in email, name and create domain - and then follow instructions (email confirmation, set password)
- log in to the domain you just created (e.g. https://emailxxxx.okta.com)
- click "Applications" in the menu, then the "Add Application" button, then the "Create New App" button
- platform "Web", Sign on method: "OpenID Connect", click "Create"
- choose some Name, set Login redirect URI to "https://api.mypay.management/v1/ext-auth-callback", click Save
- now the Okta Application is created. On the "General" tab you will find "Client ID" and "Client secret" - these are needed for the MyPay setup
- if you want to access MyPay from Okta, see "Access MyPay from Okta" chapter below
Users that will log in to MyPay using Okta need to be assigned to the Okta application you just created:
- in Okta dashboard menu go to "Directory" → "People"
- click a user, then on the "Applications" tab click "Assign Application" and assign the created application to that user
Configure 3rd party authentication provider (Okta) in MyPay
You will need:
- Okta domain/URL
- Okta application Client ID
- Okta application Client secret
- Login to MyPay as admin
- go to "Setup" → "External Authentication Provider" in the menu, click "Create"
- choose a name
- Type: OKTA
- set URL where user will be redirected to login: "https://<your-domain>.okta.com/oauth2/v1/authorize"
- Client ID: copy client id from your Okta application
- Client secret: copy client secret from your Okta application
- save the new configuration
- After the save you will see the field "Login URL" populated with a URL. The admin must provide this URL to all users that should authenticate to MyPay using Okta.
Users must use this URL - the standard username/password authentication at MyPay login page will not work!
How users can use Okta login
Note: an Employee record must exist in MyPay for the user to be able to log in to MyPay using Okta. Login will fail if the Employee record does not exist.
To login to MyPay using Okta, users can just navigate to the "Login URL" of the external authentication provider.
You can find it in: "Setup" → "External Authentication Provider" → select your authentication provider → Login URL
Users should get this URL from the administrator.
Access MyPay from Okta
Users can also access MyPay from Okta using Okta chiclets.
To configure the MyPay chiclet in Okta, use the setting highlighted in the screenshot below.
In the "Initiate Login URI" field you need to set your own "Login URL" from the MyPay external authentication provider settings.
There is an improvement filed as ESS-886 to put the Okta redirect link directly on the login page.
- What happens when a user logs in to MyPay with Okta?
a) if the user does not exist in MyPay, a new user record will be created (email, first and last name are taken from Okta)
b) a new MyPay session is created. The session behaves the same way as if the user had logged in directly to MyPay without Okta
c) note that the Employee record must exist before login
- Is the MyPay user signed out of MyPay when the Okta user is signed out of Okta?
No. In that sense Okta is not a full SSO for MyPay. MyPay only uses Okta to authenticate the user.
- Can a user coming from Okta also log in to MyPay using the standard MyPay login form?
- Can one company have more than one authentication provider?
Yes. Any number, any kind (Okta, Salesforce, ...)
- Apart from Okta (and Salesforce), can we add more 3rd party authentication providers?
Yes. The implementation is based on the OpenID Connect protocol, so any identity provider supporting it should be configurable as a MyPay authentication provider. This still needs to be tested; for now it is just a theory.
- What about Salesforce as authentication provider?
Currently Salesforce authentication is in experimental mode. There is ESS-695 to make and test Salesforce as a general authentication provider for MyPay.
- Which URL link should I use in MyPay email notification templates for users authenticated by Okta?
Use the "Login URL" of the External Authentication Provider.
Note that this URL redirects users to their MyPay home page (deep links are not supported yet).
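The login flow described in the provider configuration section and in the FAQ above, as an added Python example that is not MyPay's or Okta's own code: what the provider's "Login URL" resolves to, and the checks the callback at the Login redirect URI should make before a user record is created. All names are hypothetical; it assumes the ID token has already been obtained and signature-verified, and that the Employee record is matched by email.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

PROVIDER = {  # constructed placeholder values mirroring the MyPay provider fields
    "authorize_url": "https://example-org.okta.com/oauth2/v1/authorize",
    "client_id": "CLIENT_ID_PLACEHOLDER",
    "redirect_uri": "https://api.mypay.management/v1/ext-auth-callback",
}

def check_authorize_url(url: str) -> bool:
    """HTTPS, an *.okta.com host, Okta's OIDC authorize path and no stray query."""
    u = urlsplit(url)
    return (u.scheme == "https" and u.hostname is not None
            and u.hostname.endswith(".okta.com")
            and u.path == "/oauth2/v1/authorize" and not u.query)

def build_login_url(provider: dict, session: dict) -> str:
    """The OIDC authorization-code request behind the provider's "Login URL"."""
    if not check_authorize_url(provider["authorize_url"]):
        raise ValueError("invalid authorize URL: " + provider["authorize_url"])
    session["state"] = secrets.token_urlsafe(16)  # verified again in the callback
    session["nonce"] = secrets.token_urlsafe(16)  # must come back inside the ID token
    params = {
        "response_type": "code",
        "client_id": provider["client_id"],
        "redirect_uri": provider["redirect_uri"],  # must equal the Okta app's redirect URI
        "scope": "openid profile email",            # email, first and last name come from here
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return provider["authorize_url"] + "?" + urlencode(params)

def handle_callback(callback_url: str, session: dict, id_claims: dict,
                    employee_emails: set) -> dict:
    """Checks at the ext-auth-callback URI; `id_claims` are the claims of an already
    signature-verified ID token (the code-for-token exchange is not shown here)."""
    q = parse_qs(urlsplit(callback_url).query)
    expected_state = session.pop("state", None)  # single use: a replayed callback fails
    if not expected_state or q.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch: callback was not started by this session")
    if "code" not in q:
        raise PermissionError("no authorization code in callback")
    expected_nonce = session.pop("nonce", None)
    if not expected_nonce or id_claims.get("nonce") != expected_nonce:
        raise PermissionError("nonce mismatch: ID token was not issued for this login")
    email = id_claims["email"].lower()
    if email not in employee_emails:  # assumption: Employee record is matched by email
        raise PermissionError("login refused: no Employee record for " + email)
    return {"email": email, "first_name": id_claims.get("given_name", ""),
            "last_name": id_claims.get("family_name", "")}
```

The returned dict is the data a new MyPay user record would be created from; a missing Employee record, a forged or replayed `state`, or a callback with no pending login all fail closed.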