To set up SSO for Keepit, you need to first create an SSO app integration with Okta. During the configuration you will obtain the IDP URL and certificate needed to configure SSO in Keepit.
In the process of setting up SSO, we recommend that the Master Administrator create an SSO Admin – a dedicated user who has permission to access the SSO configuration. SSO is never enabled for the SSO Admin so he can always sign in to the account with his Keepit credentials. This will ensure that the Master Administrator and other users will not get locked out of their account in case SSO is configured incorrectly or an SSO certificate expires. For a step-by-step guide, see Create an SSO Admin role.
To set up SSO for Keepit using Okta, follow the steps below:
I. Create a New Application Integration
- In the menu, select Applications > Applications.
- Select Add Application.
- Select Create New App.
- For Platform, select Web.
- For Sign on method, select SAML 2.0.
- Select Create.
II. Create SAML Integration
- Enter an App name.
- (Optional) Upload an App logo.
- Select how to display application icon.
- Select Next.
- For the Single sign on URL, enter the URL that corresponds to your data center:
- For the Audience URI (SP Entity ID), enter the ID that corresponds to your data center:
- Select desired Name ID format, Application username, and Update application username on.
- Select Next.
- Select whether you are a customer or a partner, and then select Finish.
III. Assign Your App to People
For SSO to be enabled for individual users, you must assign the app to these people. Make sure that users with the same email address exist in Keepit.
- Select the Assignments tab.
- Select Assign > Assign to People
- Next to the people you want to use SSO, select Assign > Save and Go Back
- After assigning all people, select Done.
IV. Locate URL and Certificate
- Select the Sign On tab.
- Under Settings, select View Setup Instructions.
- Locate the Identity Provider Single Sign-On URL. This is the IDP URL you need to configure SSO in Keepit.
- Locate the X.509 Certificate. This is the Certificate you need to configure SSO in Keepit.
V. Configure SSO in Keepit
- In the left-side menu, select SSO.
- Select Add +
- Enter a name for your configuration.
- In the IDP URL, enter the Identity Provider Single Sign-On URL you located in part IV of these instructions.
- In the Certificate field, enter the text of the X.509 Certificate you located in part IV of these instructions. Make sure you copy only the text between the begin and end markers.
- Select the Enabled check box to make SSO active for all users who were assigned the app in Okta.
- (Optional) Select the Optional check box if you want users to have the option to sign in with either SSO or with Keepit credentials. We recommend to clear this check box so that the Master Administrator and sub-users will log in through Okta.
- Select Save.
Now when these users try to sign in to their Keepit account, they should enter only their email address and NOT their password. When they select Sign In, the users will the be redirected to Okta where they should sign in using their identity provider login credentials.
When successfully signed in, the users will be redirected to their Keepit account.