Configuring Enforced SSO [OKTA]

Blinq’s Enforced SSO feature allows a Workspace to force all members to sign in using a specific configured SSO Identity Provider based on the email domain of the user signing in.

In this SAML SSO setup, OKTA manages your organization's user accounts and credentials and links with Blinq as the service provider for those users. Security Assertion Markup Language (SAML) is a security standard for managing authentication and access.

When you enable SSO with Blinq, the login prompt for your team will change to only allow SSO.

To configure enforced SSO with OKTA you will need:

  • A Blinq Business (Enterprise) subscription
  • Owner access to your Blinq account
  • OKTA Admin access
  • Blinq and OKTA open in separate browser tabs

How enforced SAML SSO works:

  1. A team member attempts to log in to Blinq via SAML SSO
  2. Blinq sends a SAML request to OKTA
  3. The team member is redirected to the OKTA login page to complete login
  4. OKTA checks the team member’s credentials
  5. OKTA sends a response to Blinq to verify the team member's identity
  6. Blinq accepts the response and logs the team member into their Blinq account.

Note:

Blinq uses SAML 2.0 for all SAML SSO configurations. This includes configurations with supported identity providers and any custom configurations.
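As an added example (not Blinq's or Okta's code), the following Python shows the checks a service provider applies to the SAML response in step 6 using exactly the values this guide has you copy between the two tabs: the Okta Issuer as IdP Entity ID, the Service provider app entity ID as Audience, the ACS URL as Destination, the email address Name ID format, and the domains approved by Blinq Support. The identifiers, URLs, and the sample response are constructed placeholders, and verifying the XML signature against the pasted Okta certificate is left to a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed configuration standing in for the values copied between the Blinq and Okta tabs.
CONFIG = {"idp_entity_id": "http://www.okta.com/exkPLACEHOLDER",  # Okta "Issuer" (placeholder)
          "sp_entity_id": "https://sp.example.invalid/saml",      # Service provider app entity ID
          "acs_url": "https://sp.example.invalid/saml/acs",       # ACS URL
          "domains": {"example.com", "sales.example.com"}}        # domains approved by support
def check_response(xml_text, config, now=None):
    """Return (ok, reason, email); each check maps to one value from the guide."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != config["acs_url"]:
        return False, "Destination is not our ACS URL", None
    assertion = root.find("saml:Assertion", NS)
    # Only presence of a signature is checked here; verifying it against the pasted
    # Okta signing certificate is the SAML library's job (e.g. python3-saml).
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        return False, "missing or unsigned assertion", None
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != config["idp_entity_id"]:
        return False, "Issuer does not match the configured IdP Entity ID", None
    audiences = {a.text for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if config["sp_entity_id"] not in audiences:
        return False, "Audience does not include our SP Entity ID", None
    cond = assertion.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter", "") if cond is not None else ""
    if not expiry or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        return False, "assertion expired or has no NotOnOrAfter", None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        return False, "NameID is not in emailAddress format", None
    email = (name_id.text or "").strip().lower()
    if email.rpartition("@")[2] not in config["domains"]:   # enforced-domain rule
        return False, "email domain is not approved for this workspace", None
    return True, "ok", email

def sample_response(email, issuer=CONFIG["idp_entity_id"], signed=True):
    """Constructed Okta-style response (not a real capture); the Signature is a placeholder."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"
  Destination="{CONFIG["acs_url"]}"><saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>{sig}
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">{email}</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
  <saml:Audience>{CONFIG["sp_entity_id"]}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>'''
```

A mismatch in any one pasted value (Issuer, Audience, ACS URL) rejects the login, which is why the guide has you copy them verbatim rather than retype them.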

1. Confirm Domains with Blinq Support

  • Your organization’s Enforced SSO will ensure that team members who seek to log in with email addresses from your selected domains will be prompted to sign in via SSO. 
  • Your team members will only be able to join your Workspace if their email address ends in one of your validated domains.
  • You can list more than one domain, including subdomains.

1. Contact Blinq Support and send a list of domains you seek to register for SSO, including an example email address for each. 

2. Blinq will approve the domains and advise you when you can continue with the configuration.

3. You may be required to validate you own each domain name via DNS verification.

Note

You can request to add or remove domains for your organisation at any time by contacting Blinq Support.

2. Open Security in Blinq

1. Log in to dash.blinq.me as your Blinq account Owner

2. Click on the Workspace menu in the top left corner

3. Select Team Settings from the drop-down

4. Click into Security from the settings menu. Keep this tab open while you work, as you will need to copy information into Okta and vice versa.

3. Configure SSO in OKTA

1. Open Okta's Admin Dashboard.

2. Click the Applications menu and then Applications.

3. Click the blue Create App Integration button.

4. Select SAML 2.0 from the integration options.

5. Click Next.

6. The Create SAML Integration screen opens. Under General Settings complete the following information:

7. Create an App Name; you can choose whatever makes sense to your team.

  • Upload a logo if you wish.

8. In Okta, click Next and proceed to step 2, Configure SAML.

9. Copy the ACS URL from Blinq Security.

10. Paste this into the Single sign on URL field in Okta.

11. Copy the Service provider app entity ID from Blinq Security.

12. Paste it into the Audience URI (SP Entity ID) field.

13. Leave the Default RelayState field blank.

14. Select email address for the Name ID format.

15. Select Okta username as the Application username.

16. Select Create and update to update the application username.

17. No other attributes are required by Blinq, so you can click Next.

18. Select Customer in answer to the question Are you a customer or partner?

19. Click Finish.

20. You should be taken to the application settings page for the application you just created. If not, select the Blinq application you just created from the list of Applications.

21. From the Application settings screen, select the Sign On tab, then expand More details within the SAML 2.0 box.

22. Click Copy to copy the Sign on URL from Okta.

23. Paste the value into the Identity Provider Entity ID field in Blinq Security.

24. Click Copy to copy the Issuer from Okta.

25. Paste the value into the Identity Provider Entity ID (Issuer Entity ID) field in Blinq Security.

26. Click Copy to copy the Signing Certificate from Okta to your clipboard.

27. Paste the certificate directly into the Certificate field in Blinq Security with no additional formatting.

4. Enable SSO in Blinq

1. Navigate back to the Security settings in your Dashboard. 

2. Toggle on “Enforce SSO for all users” to activate enforced SSO for your users

3. Your SSO should now be configured for your organization. All users logging in with email addresses ending in your domain will be directed to log in using SSO.

4. You can now log out of Blinq; when you log back in, you should be taken through the OKTA SSO flow.