Configuring Tenfold to use Okta as an identity provider
Overview: This article provides a walkthrough for configuring Okta as an identity provider for Tenfold.
1. In the Okta Admin console, click the Applications tab and select Applications again from the drop-down menu (the same can be done by using the Add Applications shortcut on the Dashboard tab).
2. In the Apps Store select Create New App
3. Select “Web” for the Platform and “Secure Web Authentication (SWA)” for the Sign on Method, then click Create.
4. You must set the Name of the app (choose something with your company name and Tenfold so it is clear). You also need to set the Tenfold Login URL in the following field: https://dashboard.tenfold.com/login
The Logo, Visibility, and type settings can be left alone (a Tenfold logo is attached to help your Tenfold users confirm they are using the correct app). Step two can be configured to your preference; for this example we set it so the end user can configure their login credentials. The username is set to Email to match the Username in the Tenfold Dashboard and in this application.
Click Finish once you are done.
5. You will now be brought to the Assignments page. You can add People from your team or specific Groups from Okta to this application here, but it is best to save this step for last and set yourself as the only Person to start with. If you are only assigning yourself at this time, it is fine to leave the app in an ‘Active’ status. (Note: if you chose not to let your users configure their username and password, you will need to do so on this page as well.)
6. Click on the Sign On tab. Here you can configure user credential privileges, the username format (Email is best), and your Sign On Policy. We suggest sticking with the defaults until sign-on is working for yourself, and only then going back to add stricter rules (too many rules make validating the feature difficult; get it working first, then apply a stricter policy).
7. Select the General Tab of the Tenfold App. Here you can set the App Settings, SWA Settings, VPN Notification, and locate the Embed Link.
The only settings you need to configure are Auto-launch, so you do not have to click again on the Okta Dashboard, and the Tenfold Login Page: https://dashboard.tenfold.com/login
Leave VPN Notification disabled unless you need to be on your company’s network to access Okta.
You can leave the App Embed Link section alone too, but you will need the Embed Link URL when configuring the feature in the Tenfold Dashboard.
- Set the domain to the value you want your users to enter when logging in to Tenfold (in this example the company name starts with Lion and this is the Tenfold application, so ‘LionTenfold’ is simple enough).
- You will need the Entity ID we noted at the end of step #7 as the Embed Link.
- The Identity Provider Entry Endpoint is the unique login URL for Okta (e.g. https://__companyuniqueurl__.okta.com/login/login.htm).
- For the Identity Provider public certificate you can simply use ‘*.okta.com’.
- Once these four fields are complete, click Save and refresh the page to complete the configuration.
9. At this point, navigate back to the Applications tab, select Applications from the drop-down menu, and select your Tenfold app from the INACTIVE applications. Click the gear to the right to enable the Tenfold app for SSO. If you left the app active in step #5, you can skip step #9.
10. You are ready to use Okta to authenticate to Tenfold. The gif below demonstrates the login flow with the Okta Chrome Extension after using Okta Verify multi-factor authentication:
(Note: the Tenfold user account shown is a duplicate of a working account, so .pwd is appended to create a duplicate user. Normal users will not need to perform this extra step and their email can be uniform throughout. Click the hyperlink above to see how Okta handles multi-factor authentication with Okta Verify.)
11. At this point it is best to add the remaining Okta Groups or People that need SSO access to Tenfold to the application, as mentioned in step #5. It is also the best point to go back and tighten your Sign On Policy rules if they need to be stricter than the defaults we used in step #6.
If you have multiple Tenfold organizations connected to a single identity provider, you will need to enable the ‘Multi-Tenant’ preference so that Tenfold can identify which organization a user belongs to during login. Tenfold accomplishes this by reading a specific Attribute from the SAML payload and directing the user to the applicable Tenfold environment based on the Value of that Attribute for the associated user.
- Identify an Attribute within Okta, or create a new one, that can be used to group users based on the related Tenfold environment.
- Enable the ‘Multi-tenant’ setting on the ‘Single Sign-On’ feature. Select ‘Custom Field’ in the dropdown.
- Configure the Attribute and Value that relate users to the Tenfold environment you are updating. The Attribute is set first and should follow the same syntax as in Okta. This same Attribute can be, and often should be, used for any additional Tenfold environments you have. The Value is set second and must be unique to this Tenfold environment.
- Follow steps 2-3 in any additional Tenfold environments you may have, bearing in mind that although the ‘Attribute’ can be shared across multiple Tenfold environments, the ‘Value’ must always be unique to each Tenfold environment.
If you encounter issues authenticating users into the proper Tenfold environments after configuring the ‘Multi-Tenant’ settings, inspect the SAML payload that Okta sends to Tenfold during a login attempt using a SAML decoding tool. The payload will show both the ‘Attribute’ being pushed to Tenfold and its ‘Value’, such as: