Note: OKTA SAML is a paid option for your TeamOhana account. If you're unsure whether this feature is included in your contract, please contact your sales representative or customer support.
TeamOhana administrators at your company control who can access your TeamOhana instance and what they can see when they’re logged in. As a TeamOhana administrator, you will still be able to assign roles and even ABAC permissions to any company employee in your TeamOhana instance.
SAML (Security Assertion Markup Language) in Okta is a standardized protocol that enables secure authentication and single sign-on (SSO) to TeamOhana for any users at your company.
Identity Provider (IdP)
Okta then acts as the IdP, managing user identities and authentication
Okta handles user verification and generates SAML assertions
Okta can enforce additional security through Multi-Factor Authentication (MFA)
Authentication Flow
A user attempts to access a SAML-enabled application
TeamOhana redirects them to Okta for authentication
Okta verifies the user's identity
Okta generates a SAML assertion (XML security token)
The assertion is sent to TeamOhana through the user's browser
TeamOhana validates the assertion and grants access
Setup Steps
TeamOhana support can grant your OKTA administrator temporary user access to your company's TeamOhana instance as a user in order to test and verify your OKTA application prior to it being enabled for all users you invite at the company.
First, you will need to follow these 16 steps to create the OKTA application for TeamOhana within your OKTA console:
1. Create App Integration
From Okta, choose Applications and click the 'Create App Integration' button as shown below.
2. Choose SAML 2.0
Click on SAML 2.0 as your sign-in method and then click next.
3. .Name the App TeamOhana and add TeamOhana logo (which you can download here).
In App name field, type TeamOhana.
Upload the TeamOhana logo.
4. Single sign-on URL, e.g.: https://login.teamohanaus/login/callback?connection=okta-{company name}
TeamOhana support will provide you with the unique URL for your company under SAML settings.
Ensure 'use this for Recipient URL and Destination URL is checked, as seen below.
5. Audience URI, e.g.: urn:auth0:ohana-us-prod:okta-{company name}
TeamOhana support will provide you with the unique Audience URI for your company under SAML settings.
6. Default RelayState is left blank (a blank RelayState is sent).
7. Name ID format is Unspecified (the default).
8. Application username is Email (choose from dropdown list).
9. Update application username on ‘Create and Update’ (choose from dropdown list).
10. Attribute Statements - Add the following three attribute statements:
1. Name: email, Name format: unspecified, Value: user.email (choose from dropdown list).
2. Name: first_name, Name format: unspecified, Value: user.firstName (choose from dropdown list).
3. Name: last_name, Name format: unspecified, Value: user.lastName (choose from dropdown list).
11. Click Next on bottom of screen.
12. Click Finish.
13. Click View SAML setup instructions and send the Single Sign-On URL securely to TeamOhana support (your url will look something like this: https://{company name}.okta.com/app/{company name}_teamohana_2/{string}/sso/saml
14. Securely send the Certificate to TeamOhana support by first clicking download certificate (it will look something like ——BEGIN CERTIFICATE—— {string} —End Certificate— in .cert format.
15. Under Applications>TeamOhana>Assignments assign yourself to the newly created application.
16. Once TeamOhana support has enabled Okta in your TeamOhana instance, you can test your new application by clicking on the TeamOhana tile from My Apps to log in via OKTA.
Final steps: Once your ready to roll out TeamOhana to your company's users, simply assign them to the TeamOhana OKTA application and let TeamOhana support know to make OKTA the default login method for your company.