Purpose
The purpose of this article is to provide direction to Outreach Admins in configuring SSO with Okta.
Outreach is now compatible with Single Sign On (SSO) applications like Okta, Salesforce, and OneLogin. This article is specific to connecting Okta and Outreach, but if you would like to connect other SSO applications, you can follow the hyperlinks below:
Applies To
In order to set up Okta with Outreach, the following are required:
- Admin privileges in Outreach
- Admin privileges in Okta
If you are unsure of who your identity provider (Okta) admin is, we recommend contacting your IT team.
Procedure
Setting up Okta
- As an Okta Admin, go to login.okta.com and open the Admin Dashboard, Applications tab. Then select "Create App Integration"
- Select the SAML 2.0 option
- On the General Settings tab, you will be asked for an App name. You can name it "Outreach_SSO" or similar, then go to Next.
- On the Configure SAML tab, configure the three fields below, then go to Next.
  - For Single sign-on URL: http://placeholder.com
    - You will replace this later in the setup.
  - For Audience URI (SP Entity ID): _placeholder_
    - You will replace this later in the setup.
  - For Attribute Statements, Name: email Value: user.email
- On Feedback, select "this is an internal app that we have created", then select "Finish"
- You should then be directed to the "Sign On" tab. On the right side, select "View SAML setup instructions"
- The newly opened tab should have three pieces of information (ideally keep this open as a separate tab for the remainder of the setup):
  - Identity Provider Single Sign-On URL
    - Copy this into a Google Doc or notepad so you may paste this into Outreach settings later.
  - Identity Provider Issuer
    - Copy this into a Google Doc or notepad so you may paste this into Outreach settings later.
  - X.509 Certificate
    - "Download Certificate" so you may upload the file/certificate into Outreach settings later.
Create the Identity Provider inside Outreach
- As an Outreach admin, select the gear icon, then go into "Org Info". Scroll all the way down and select "Edit" in Sign-in and password options.
- On the next page, select “Add Identity Provider”.
- Add the requested identity provider information that was copied and stored from step 1.7, then hit "Save"
  - Name: This can be "Okta_SSO"
  - Sign In URL: This is the Identity Provider Single Sign-On URL from Step 1.7
  - Issuer (Identity Provider Entity ID): This is the Identity Provider Issuer from Step 1.7
  - Certificate: This is the file you downloaded from Step 1.7.
    - Choose File and select the downloaded file.

  Note: The above screenshot contains two advanced settings: "Use NameId Instead of Email" and "Enable just-in-time new user provision". We do NOT recommend checking these options unless the functions of each are understood and needed by your organization. You can read more on these advanced settings in Advanced Settings For Identity Provider (SSO).
- You should be redirected back to "SSO Settings". Within that page, select "Edit"
- Now find the “Setup Info” section. There are two important fields you will need to copy later in Step 3 (ideally you should have this tab open as you go through to Step 3)
  - Assertion Consumer Service (ACS) URL
    - Copy this into a Google Doc or notepad so you may paste this into Outreach settings later.
  - Service Provider Entity ID / Audience URI
    - Copy this into a Google Doc or notepad so you may paste this into Outreach settings later.
Update Okta Application
- Go back to the Okta Admin Dashboard, Applications tab. Then select the application you created in step 1. Then, within the "General" tab, select "Edit"
- Next, go to the "Configure SAML" tab. Fill in the two pieces of information from 2.3 (Outreach's SSO Settings). These are the fields where we previously placed placeholder values. Leave all other settings untouched.
  - Single sign-on URL: This will be the Assertion Consumer Service (ACS) URL retrieved from Outreach's SSO settings
  - Audience URI (SP Entity ID): This will be the Service Provider Entity ID / Audience URI retrieved from Outreach's SSO settings. It should start with "urn"
- Assign your users to this application, including yourself, as you will be testing the connection in step 4.
Enable SSO within Outreach Settings
- Return to Outreach's SSO settings if you did not already have the settings open.
- Select "Single Sign On", then hit "Edit". Here, double check that all your settings are properly configured. Please confirm that the values below match between Outreach and Okta:
  - Sign In URL: Matches the values from Okta (Step 1.7)
  - Issuer (Identity Provider Entity ID): Matches the values from Okta (Step 1.7)
  - Certificate: Confirm it is the same downloaded certificate from (Step 1.7)
  - Assertion Consumer Service (ACS) URL: Pasted and saved within Okta Settings (Step 3.2)
  - Service Provider Entity ID / Audience URI: Pasted and saved within Okta Settings (Step 3.2)
- Once you have confirmed that all values match, go back to Outreach's SSO Settings and select "Enable".

  Important Note: SSO must be enabled in order to test the setup.
  - Your users will not be instantly signed out.
  - You should have already assigned yourself to the application in Step 3.3
  - If you receive anything but "{"success":true}" in Step 4.4, please see the Troubleshooting Okta SSO section.
  - In the event that Step 4.4 fails, you can go back to this page to uncheck "enable".
- Select "Test" and a new tab should pop up with "{"success":true}". This indicates the SSO connection works and the setup was successful.
Congrats! SSO is now enabled!
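
The value comparison in step 2 of "Enable SSO within Outreach Settings" can be scripted before you select "Enable". The following is an added example, not Outreach or Okta code: it compares values you paste in by hand, and the dictionary keys, function names and sample values are all assumptions constructed for illustration. The certificate is compared by SHA-256 fingerprint of its decoded bytes, so two copies of the same file that differ only in line wrapping still match.

```python
import base64, hashlib, ssl
from urllib.parse import urlparse

def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the decoded certificate bytes, so PEM line wrapping is ignored."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()

def check_sso_config(okta: dict, outreach: dict) -> list:
    """Return the mismatches between the two sides; an empty list means consistent."""
    problems = []
    # Copied from Okta's SAML setup instructions into Outreach (Step 1.7).
    for key in ("sign_in_url", "issuer"):
        if okta[key].strip() != outreach[key].strip():
            problems.append(f"{key} differs between Okta and Outreach")
    if urlparse(outreach["sign_in_url"]).scheme != "https":
        problems.append("Sign In URL is not https")
    if cert_fingerprint(okta["certificate_pem"]) != cert_fingerprint(outreach["certificate_pem"]):
        problems.append("certificate fingerprint differs")
    # Copied from Outreach's Setup Info into Okta (Step 3.2).
    if okta["single_sign_on_url"].strip() != outreach["acs_url"].strip():
        problems.append("Okta Single sign-on URL is not the Outreach ACS URL")
    if okta["audience_uri"].strip() != outreach["sp_entity_id"].strip():
        problems.append("Okta Audience URI is not the Outreach SP Entity ID")
    if any("placeholder" in okta[k] for k in ("single_sign_on_url", "audience_uri")):
        problems.append("placeholder value still present in Okta")
    if not okta["audience_uri"].startswith("urn"):
        problems.append('Audience URI does not start with "urn"')
    if okta["attribute_statements"].get("email") != "user.email":
        problems.append("attribute statement email -> user.email is missing")
    return problems

def make_pem(der: bytes, width: int) -> str:
    """Build a PEM block with a chosen line width (sample data only)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample values; the bytes below stand in for a certificate and are not one.
SAMPLE_DER = b"constructed stand-in bytes, not a real certificate " * 3
OKTA = {"sign_in_url": "https://idp.example.com/app/sso/saml",
        "issuer": "https://idp.example.com/EXAMPLE_ISSUER",
        "certificate_pem": make_pem(SAMPLE_DER, 64),
        "single_sign_on_url": "https://sp.example.com/saml/acs",
        "audience_uri": "urn:example:sp",
        "attribute_statements": {"email": "user.email"}}
OUTREACH = {"sign_in_url": OKTA["sign_in_url"], "issuer": OKTA["issuer"],
            "certificate_pem": make_pem(SAMPLE_DER, 76),
            "acs_url": "https://sp.example.com/saml/acs", "sp_entity_id": "urn:example:sp"}

if __name__ == "__main__":
    print(check_sso_config(OKTA, OUTREACH) or "all values match")
```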