Single sign-on (SSO) means that a user can log in using one identity provider (in this case, Okta) and access another application as well, without having to enter their credentials again for the second platform. You can set up SSO between Okta and CTC Admin as shown below.
Prerequisites
The following are required in order to configure SSO between Okta and CTC Admin:
- You will need to have administrative roles in both your Okta instance and CTC Admin.
- You must be able to configure your Okta instance to enable OpenID Connect (OIDC) integrations and have user permissions to create new application integrations (as well as sufficient privileges to configure the SSO integration with CTC Admin).
- Your user accounts must be set up in CTC Admin using an email address for usernames. The email domain needs to be unique, one that has not been previously configured for SSO with CTC Admin.
- You must assign (and maintain) permissions and roles for users in CTC Admin. The Okta integration will be used for authentication purposes only.
Note: If you are unable to access your CTC Admin account to configure SSO, contact your CalAmp representative for assistance.
Beginning Your Okta Configuration
To start your SSO setup, follow these steps in Okta:
- Log in to Okta at https://developer.okta.com/login.
Note: If you just want to test the integration, you can sign up for a trial Okta account at https://developer.okta.com/signup.
- Navigate to Applications >> Applications.
- Click Create App Integration.
- In the Sign-in Method section, click OIDC - OpenID Connect.
- In the Application Type area, click Single-Page Application.
- Click Next.
- On the Application page, type the name you want to use for your integration in the App Integration Name field, such as "CTC Admin Okta Application."
- In the Grant Type area, make sure that Refresh Token is selected.
- In the Refresh Token Behavior section, select Rotate Token After Every Use.
- In the Login section, enter https://admin.calamp.com/login in the Sign-in Redirect URIs field.
- Enter https://admin.calamp.com in the Sign-out Redirect URIs field.
- Click the Login Initiated By drop-down arrow and select App Only.
- In the Trusted Origins area, enter https://admin.calamp.com in the Base URIs field.
- Select the Controlled Access radio button for the level of access you want to give your users. (For example, choosing Allow Everyone in Your Organization to Access will grant all your users permission to use the platform.)
- Click Save.
Adding Users
You can add users in your organization who can access CTC Admin as follows:
- In Okta, navigate to Applications >> Applications.
- Select the application you named in the App Integration Name field in the preceding section (for example, "CTC Admin Okta Application").
- Click the Assignments tab.
- Select People in the left pane to add users individually, choosing their names on the right.
- Select Groups on the left to add groups of users in the right pane.
Enabling SSO in CTC Admin
The next step in the process is to enable SSO in CTC Admin. You do so as follows:
- Log in to CTC Admin. (See Logging In and Out if needed.)
Note: Your CTC Admin role will need to have Admin rights.
- Click on the left sidebar menu.
- Click Accounts on the flyout menu that appears.
The Accounts screen will appear.
- Click Edit at the top right.
The Edit Account dialog box will appear.
- Enable the Enterprise Account toggle.
This should make a new section appear for configuring SSO.
Note: You may also need to enable the SSO Configuration toggle to display the fields described below.
- In the Discovery Endpoint field, enter your OIDC discovery endpoint URL from Okta.
Note: You can find this endpoint in Okta by following these steps:
- Navigate to Applications.
- Select the application you are configuring SSO for.
- On the General tab, find the Issuer URL value, which is often the discovery endpoint. (It will end in /.well-known/openid-configuration.)
- Copy this value and paste it into the Discovery Endpoint field in the Edit Account dialog box.
If you cannot find the Issuer URL value on the General tab, you can also retrieve the discovery endpoint by appending /.well-known/openid-configuration to your Okta domain. (For example, if your Okta domain is https://your-okta-domain.okta.com, your discovery endpoint will be https://your-okta-domain.okta.com/.well-known/openid-configuration.)
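Before pasting the value in, it is worth confirming that it resolves to a discovery document advertising what the Okta app integration configured above relies on (authorization-code flow with PKCE for a single-page app, and the refresh_token grant). The following Python check is an added example, not part of CalAmp's or Okta's documentation; the Okta domain and the discovery document are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder tenant, not a real Okta domain.
OKTA_DOMAIN = "https://your-okta-domain.okta.com"
WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_endpoint(issuer: str) -> str:
    """Normalize an Okta domain or Issuer URL into its discovery endpoint.

    Accepts a bare domain, a trailing slash, or a value that already ends in
    the well-known path, so the result is the same whichever form was copied.
    """
    parts = urlsplit(issuer.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an absolute https URL")
    path = parts.path.rstrip("/")
    if path.endswith(WELL_KNOWN):
        path = path[: -len(WELL_KNOWN)]
    return urlunsplit(("https", parts.netloc, path + WELL_KNOWN, "", ""))

# What the app integration above depends on: authorization-code flow for a
# single-page app (PKCE with S256) plus the refresh_token grant.
REQUIRED = {
    "response_types_supported": ("code",),
    "grant_types_supported": ("authorization_code", "refresh_token"),
    "code_challenge_methods_supported": ("S256",),
}

def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return the problems found in a discovery document ([] means usable)."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append(f"missing {key}")
    # The issuer in the document must be the tenant you configured, not a lookalike.
    if doc.get("issuer", "").rstrip("/") != expected_issuer.rstrip("/"):
        problems.append("issuer does not match the configured Okta domain")
    for key, values in REQUIRED.items():
        for value in values:
            if value not in doc.get(key, []):
                problems.append(f"{key} lacks {value}")
    return problems

# Constructed sample discovery document (placeholder values, OIDC Discovery shape).
SAMPLE_DOC = {
    "issuer": OKTA_DOMAIN,
    "authorization_endpoint": OKTA_DOMAIN + "/oauth2/v1/authorize",
    "token_endpoint": OKTA_DOMAIN + "/oauth2/v1/token",
    "jwks_uri": OKTA_DOMAIN + "/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print(discovery_endpoint(OKTA_DOMAIN))
    print(check_discovery(SAMPLE_DOC, OKTA_DOMAIN) or "discovery document OK")
```

Against a live tenant, fetch the URL returned by discovery_endpoint over HTTPS and pass the parsed JSON to check_discovery with your Okta domain as the expected issuer.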
- In the Domains field, enter the email address domain for your user accounts (such as yourbusiness.com).
Note: This value must be unique. There can't be another organization that has this domain associated with an account in CTC Admin.
- Click the SSO Mode drop-down arrow and select how you will allow your users to log in to CTC Admin, given these options:
  - Lax: Users can be authenticated with either SSO or a traditional username/password login.
  - Strict: Users can log in ONLY using Okta SSO.
- Click the APP List drop-down arrow and select Admin (indicating the CTC Admin application).
- In the Client ID field, enter the Client ID value from Okta.
Note: You can find this in the Client Credentials section of the General tab.
- Click Done.