Setting up Corporate Login/SSO for TrueContext using Okta

Available on the Intelligent and Elite tiers:

About

This article is specific to configuring Okta as a corporate login identity provider (IdP). It expands on what is discussed in the general corporate login article here.

Setting up Okta for use with TrueContext

Follow the steps below to set up Okta for use with TrueContext.

Info: We’re now TrueContext.
  • To support existing integrations, some items will continue to use “prontoforms” or “pf” in the domain or code.

Create an Application in Okta

  1. Set the Platform to "Web".
  2. Set the Sign on method to "SAML 2.0".
  3. On General > App Settings, specify an Application Label (for example, TrueContext).
  4. In the Configure SAML Settings:

Get your SP Entity ID

The SP Entity ID identifies your TrueContext tenant to Okta. This value is specific to your tenant, so you read it from the TrueContext service provider (SP) metadata file.

  1. Open the TrueContext SP metadata file at <SP metadata URL>.
  2. Find the entityID attribute on the md:EntityDescriptor element.
  3. Copy the entityID value. Enter this value as the Audience URI (SP Entity ID) in the Configure SAML Settings step above.

The entityID value has the following format, where the final segment is your tenant ID:

https://prontoforms.com/prod/<your-tenant-id>
Note: Enter your full tenant-specific Entity ID, including the tenant ID segment. A partial value, such as prontoforms.com/prod, doesn't match your tenant and causes login to fail.

Download the Identity Provider (IdP) Metadata from Okta

  • Download the identity provider metadata XML from Okta: select the Sign on tab, then select Identity Provider metadata:

  • Save this file for use in the next section.

Set Up Corporate Login in TrueContext

  • Within live.prontoforms.com, navigate to the security tab and select Update within the Single Sign-on menu:

  • Provide a Team domain name. This is typically just your corporate domain name.
  • Specify a problem contact email.
  • Optional: Specify a Username suffix. This is only required if you need to add a suffix to the username returned by Okta so that it matches the username within live.truecontext.com. As an example, if Okta is configured to send just the username prefix (for example, jsmith), but the TrueContext username is jsmith@acme.com, specify @acme.com as the username suffix. However, if Okta is configured to send the username as the user’s email address, and the TrueContext username is also the email address, leave the Username suffix field blank.
  • Select Choose File under the Identity Provider Metadata section and select the file downloaded from Okta in the section above.
  • Select Update.

Tip: At this point, you’ve completed the setup of Corporate Sign-On using Okta. If you need help because of an error or other issue, review the Technical Support Handbook before you contact Support. The handbook describes the information that the Support team needs from you.

Allowing the tile in Okta to log in to TrueContext

Currently, TrueContext only supports the SP-initiated login flow, not an IdP-initiated flow. This means that the user must start the login process from TrueContext (either in the app or at live.truecontext.com in a browser), choose Corporate Sign-On, and enter their username or team domain so that the correct login flow is started. Simply clicking the SAML TrueContext app tile in Okta results in an Access Denied error.

A workaround for this is available by creating a second TrueContext tile (Bookmark App) in Okta.

For the bookmark app to work, specify the URL as:

https://live.prontoforms.com/security/login/saml?domain=<SSO team domain>
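The following is an added example, not code from TrueContext or Okta: it reads the entityID from a constructed SP metadata document (see "Get your SP Entity ID" above), rejects a truncated Audience URI such as prontoforms.com/prod, and builds the bookmark URL for a given team domain. The tenant ID and team domain in it are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata; a real file comes from the SP metadata URL.
# EXAMPLE-TENANT-ID is a placeholder for your tenant ID.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://prontoforms.com/prod/EXAMPLE-TENANT-ID">
  <md:SPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""

# Full tenant-specific form described in the article: final segment is the tenant ID.
ENTITY_ID_RE = re.compile(r"^https://prontoforms\.com/prod/(?P<tenant>[^/]+)$")


def sp_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the root md:EntityDescriptor element."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("md:EntityDescriptor has no entityID attribute")
    return entity_id


def check_audience_uri(value: str) -> str:
    """Reject a partial Audience URI (it would not match the tenant); return the tenant ID."""
    match = ENTITY_ID_RE.match(value.strip())
    if not match:
        raise ValueError(f"{value!r} is not a full tenant-specific SP Entity ID")
    return match.group("tenant")


def bookmark_url(team_domain: str) -> str:
    """SP-initiated login URL for the Okta bookmark tile, with the domain query-encoded."""
    query = urlencode({"domain": team_domain})
    return "https://live.prontoforms.com/security/login/saml?" + query


if __name__ == "__main__":
    entity_id = sp_entity_id(SAMPLE_SP_METADATA)
    print("Audience URI:", entity_id, "tenant:", check_audience_uri(entity_id))
    print("Bookmark URL:", bookmark_url("acme.com"))  # acme.com is a placeholder
```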
Once this is in place, you can hide the SAML TrueContext app from users in Okta to avoid confusion.