Single Sign-on (SSO) integrations are a coordinated effort between TIQ Software and your organization. The following serves as a general guideline to set up your end of a SAML integration for any SAML-compatible Identity Provider (IdP). It also outlines the information that you need to provide TIQ Software.
For the complete OKTA SAML specifications, please visit: http://developer.okta.com/standards/SAML/.
Step 1 - SAML SSO Basic Requirements
We need the following items to get started:
- IdP Issuer URI. This is defined as the issuer URI of the IdP.
- IdP Single Sign-On URL. Often serves as both the Login URL and the Logout URL.
- IdP Signature Certificate. SAML X.509 PEM-encoded Signing Certificate.
- Request Signature Algorithm*
- Response Signature Algorithm. Often the same as the Request Signature Algorithm.
- Destination (could be the same as IdP Single Sign-On URL)
Once TIQ Software has the above information, we can start our end of the SSO configuration. At this point, you will wait for us to provide you with more information to complete the SSO configuration on your end.
OKTA does not support unsigned assertions.
Step 2 - Metadata step
TIQ Software provides this metadata, as defined by Okta, in a separate email* once Step 1 is complete.
After Step 1 is complete, we will take that information, configure the integration on our end and then provide you with the following values:
- Assertion Consumer Service URL
- Audience URI
- Signing Certificate (optional)*
These values will be required by the SAML configuration on your end and will need to be added prior to continuing any further.
You may or may not need a signing certificate, and this depends on your requirement for encrypted assertions. This is determined on a project-by-project basis. OKTA prefers signatures to use SHA-256.
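As an added example (not TIQ Software's or Okta's code), the following pre-flight check takes the values exchanged in Steps 1 and 2 and confirms that a SAML Response coming back from the IdP is consistent with them: the Destination matches the Assertion Consumer Service URL, the Issuer matches the IdP Issuer URI, the Audience matches the Audience URI, and the assertion carries a signature using RSA-SHA256. It is a structural check only; the cryptographic verification of the signature is still done by your SAML library. All URLs in the sample are constructed placeholders.

```python
# Added pre-flight check (not TIQ Software's or Okta's code): confirms a SAML Response carries
# the Step 1-2 values and a signed assertion. Structure only; signature crypto is your library's job.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def check_response(xml_text, idp_issuer, acs_url, audience):
    """Return a list of problems; an empty list means the response is consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must be the Assertion Consumer Service URL issued in Step 2
    if root.get("Destination") != acs_url:
        problems.append("Destination %r != ACS URL" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion found"]
    # Issuer must equal the IdP Issuer URI supplied in Step 1
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_issuer:
        problems.append("Issuer %r != IdP Issuer URI" % issuer)
    # Audience must equal the Audience URI issued in Step 2
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if aud != audience:
        problems.append("Audience %r != Audience URI" % aud)
    # Okta rejects unsigned assertions and prefers SHA-256 signatures
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != RSA_SHA256:
            problems.append("signature algorithm %r is not rsa-sha256" % alg)
    return problems

# Constructed sample response (URLs are placeholders, not real endpoints)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example/acs">
  <saml:Assertion><saml:Issuer>https://idp.example/issuer</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://sp.example/audience</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Run `check_response(SAMPLE, idp_issuer, acs_url, audience)` with the values from your own Step 1 and Step 2 exchange; any non-empty result points at a mismatch to resolve before going further.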
Step 3 - Setting up the User - Assertion Attributes and Signatures
Once Step 2 is complete, tell us if any field mappings should be created. At least one field mapping is typically created to better link the user in OKTA to your IdP.
Here are some examples:
- An identifier that uniquely identifies the user on your system (employee id, email, etc.) that you'd like to show up in reporting on our end.
- A display name, such as the user's first name. TIQ Software will use this for system messages, like "Welcome Mary!".
Provide TIQ Software with any fields specific or custom to your IdP that will be sent in the SAML assertion from your system and that we should map in our system.
Step 4 - Module Access
All projects are accessed by your users via:
- A TIQ Software designed landing page, or
- Your organization's own landing page (often a page within your Learning Management System/LMS). In the case of SSO integrations, this is the more likely scenario.
TIQ Software will provide you with a link that should be used to access either the landing page or the project(s) directly.
Frequently Asked Questions
Where do I get the landing page graphics?
These will be supplied by TIQ Software as approved by the project sponsor.
How do I test that the modules are working?
- If you are using your own landing page, embed the link provided in Step 4 on it and then click it. If you are already logged in to your system, clicking the link should provide direct access to our learning module without having to log in again.
- If you are using a landing page provided by TIQ Software, you will access that page first, followed by clicking on one of the module links that are displayed. Visiting either the landing page or clicking a module link should provide direct access without having to log in again.
Can I see a simple diagram of the setup?