Single Sign-On (SSO) configuration for Okta
This document describes the steps required to activate SSO on your CodinGame for Work account using the SAML protocol with Okta.
SSO can also be combined with User Provisioning through the SCIM protocol.
Prerequisites for activating SSO on your CodinGame for Work account:
- You have admin rights on the CodinGame for Work account.
- You have identified the proper person at your end who will be able to implement the required configuration changes on your Okta account, i.e. your system administrator.
- Account-wide failure to log in may occur for your users during the configuration process. Reversing the SSO activation on the account can be done at any time if the configuration fails.
- At any time, even when the SSO configuration is active, it is possible for an admin to log into the account using email and password credentials by using one of the following URLs:
  - https://www.codingame.com/work/login?forcePassword (US site)
  - https://www.codingame.eu/work/login?forcePassword (EU site)
- You may want to test drive the integration on a test CodinGame for Work account first. In that case, contact your account manager to set up this test account.
To activate the SSO configuration on your CodinGame for Work account:
- Open a ticket with the support team by sending a request to email@example.com asking for SSO activation and User Provisioning.
- The support team will send you back four URL parameters related to SSO:
  - SP Entity ID
  - SP Assertion Consumer URL
  - SP Metadata URL
  - SP Logout URL
- and two parameters related to user provisioning:
  - SCIM Base URL
  - SCIM Secret Token
- Configure an Application in Okta corresponding to CodinGame for Work:
  - Log on to the Okta Admin interface
  - Menu “Applications → Applications”
  - Create App Integration → Select “SAML 2.0”
5. Configure the App:
- General Settings:
  - Name = CodinGame for Work
  - Logo = Download this logo
- Configure SAML:
  - “Single sign on URL” = SP Assertion Consumer URL (from the CodinGame support team)
  - “Audience URI (SP Entity ID)” = SP Entity ID (from the CodinGame support team)
  - “Use this for Recipient URL and Destination URL” = checked
  - “Name ID format” = Unspecified
  - Application username = Email
  - Add an attribute statement:
    - Name = User.Email
    - Value = user.email
- Validate the last step
6. Configure CodinGame for Work to work with Okta:
- In the “Sign On” tab of the Application, click “View Setup Instructions”
- Send back the following parameters to the CodinGame support team:
  - Identity Provider Single Sign-On URL
  - Identity Provider Issuer
  - X.509 Certificate (download as file)
7. Add users to the Application in Okta:
From the “Assignments” tab:
- Assign → “Assign to People” or “Assign to Groups”. For example, add a test user who is also registered in CodinGame for Work.
8. Contact support to organize a go-live meeting between one of our engineers and your system admin. During the live video meeting, CodinGame will activate SSO on your account and you will check that a test user can connect through SSO. Any final adjustments can be made during this call.
Adding User Provisioning
Once SSO has been activated, User Provisioning can be turned on using the SCIM protocol:
- From Okta, select the CodinGame for Work application, “General” tab
  - App Settings → Edit
  - Provisioning → SCIM
2. From the new “Provisioning” tab
- SCIM Connection → Edit
- SCIM connector base URL = SCIM Base URL (from the CodinGame support team)
- Unique identifier field for users = email
- Supported provisioning actions → Select everything
- Authentication Mode = HTTP Header
- HTTP Header → Authorization → Bearer Token = SCIM Secret Token (from the CodinGame support team)
- The "Test Connector Configuration" action should be successful at this point.
3. Edit the provisioning in “Provisioning” → Settings → “To App”:
- Click “Edit”
- Check “Create Users”, “Update User Attributes”, “Deactivate Users”
- Click “Save”
4. Go to the “Push Groups” tab of the “App”
- Click “Push groups” → “Find groups by name”
- It is recommended to select all groups assigned to the Okta App
5. Send a final request to support specifying the CodinGame for Work permissions you want for each group attached to the Okta App. This can also be done during the live video meeting to speed up the process.
6. From now on users added to your groups will be automatically created in CodinGame for Work with the proper set of permissions.