Who is this article for?
For OKTA's own documentation on which this guide is based, visit https://developer.okta.com/docs/guides/build-sso-integration/saml2/overview/
How to set up OKTA as an Identity Provider (IdP) for WorkRite
Within WorkRite (all operations below require Client Administrator permissions)
- Select Management System
- Select Company from the left hand navigation menu
- Select the Security panel
- Under SAML Single Sign-on, Status - Select On and click Save Changes
- Select Generate SAML Metadata and save to a location on your computer. This is an .xml file you will need in a later step (by default this is named WORKRITE_METADATA.xml).
- Create new application
- Select Web as the platform, and SAML 2.0 as the Sign on method
- Click Create to proceed to "Configure SAML" step
- Open the metadata xml file downloaded in the earlier step (by default this is named WORKRITE_METADATA.xml)
- Populate Single sign on URL with the Location value, within the AssertionConsumerService element, e.g.
- Populate the Audience URI (SP Entity ID) with the entityID value within the EntityDescriptor element, e.g.
- Select EmailAddress as the Name ID format
- Select Okta username as the Application username
- Click Show Advanced Settings
- Change the option for Assertion Signature to Unsigned
The highlighted areas of the form are shown below with the correct values:
- Click Next at the bottom of the form to proceed
- Click Finish on the next page to return to the application settings page.
- Click View Setup Instructions. This will open a new window.
- Copy the Identity Provider Single Sign-On URL...
- ...and paste into the WorkRite security panel field Identiy provider url (for SP-initiated redirect) and click save changes.
- Back in Okta, copy the X509 certificate, including the -------BEGIN CERTIFICATE------ and -------END CERTIFICATE------- parts...
- ...and in the security panel, click Update your X509 certificate button, paste into the text field that displays and click save changes
Some important points to note:
- You will need to assign users to the application in order for them to be able to sign in.
- You can use EITHER the IdP URL from Okta, or the SP URL from WorkRite to sign in to the application.
- A user must exist in WorkRite with a corresponding Okta username in order to sign in to the application.