Single Sign-on

If you use an identity service that authenticates your users, you can allow single sign-on (SSO) into Oktopost. We support this feature using Security Assertion Markup Language (SAML) version 2.0 and higher.

Oktopost acts as a SAML Service Provider (SP) and relies on an external Identity Provider (IdP) to authenticate users. Once SSO is enabled, the IdP validates the user's credentials; when the user wants to sign in to Oktopost, the IdP sends a signed SAML message to Oktopost (the SP) stating that the user is authorized to use the software.

Note that users are still provisioned manually in Oktopost, and user permissions are maintained within Oktopost.

How to Set Up Single Sign-on

First, go to Single Sign-On under App Settings, enable SSO and enter your IdP details:

  1. SAML Endpoint - Your IdP SSO URL.
  2. Issuer URL - Your IdP Issuer URL.
  3. X.509 Certificate - Your IdP certificate (used to verify the signature on its SAML messages); .pem, .cert, .cer and .crt files are supported.

Click Save, and you're done.

How to Send a SAML Request

Once you have configured the settings, send the SSO request (the IdP's SAML Response) to:

https://app.oktopost.com/auth/acs

Make sure to map the Name ID to the user's email address.

Sample Authentication Request

Here's a sample request for an SP initiated flow:

<?xml version="1.0"?>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
              ID="_XXXX"
              Version="2.0"
              IssueInstant="2018-07-04T00:00:00Z"
              Destination="https://companyidp.com"
              ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
              AssertionConsumerServiceURL="https://app.oktopost.com/auth/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://app.oktopost.com</saml:Issuer>
  <NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                AllowCreate="true" />
</AuthnRequest>
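As an added example (not Oktopost's own code), the following Python builds an AuthnRequest in the shape of the sample above and applies the SP-side checks on the IdP's Response that the ACS URL and Name ID mapping described above imply. The IdP URL, request IDs and the sample Response are constructed placeholders, and XML signature verification against the step 3 certificate is assumed to have been done by a SAML library before these checks run.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import quoteattr

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ACS_URL = "https://app.oktopost.com/auth/acs"  # ACS endpoint from the article
SP_ISSUER = "https://app.oktopost.com"         # Issuer from the sample request


def build_authn_request(idp_sso_url, issue_instant=None):
    """Return (request_id, xml_bytes) for an SP-initiated AuthnRequest.
    Keep request_id: the IdP's Response must echo it in InResponseTo."""
    request_id = "_" + secrets.token_hex(16)  # xs:ID values may not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<?xml version="1.0"?>\n<AuthnRequest xmlns="{SAMLP}" ID="{request_id}" Version="2.0" '
        f'IssueInstant="{issue_instant}" Destination={quoteattr(idp_sso_url)} '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer xmlns:saml="{SAML}">{SP_ISSUER}'
        '</saml:Issuer><NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
        'AllowCreate="true"/></AuthnRequest>'
    )
    return request_id, xml.encode()


def check_response_envelope(response_xml, expected_request_id):
    """SP-side checks to run only AFTER the Response's XML signature has been verified
    against the IdP certificate (step 3). Returns the NameID, which must be an email."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    name_id = root.find(f".//{{{SAML}}}NameID")
    if name_id is None or not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
        raise ValueError("NameID is not an email address; fix the IdP's Name ID mapping")
    return name_id.text


SAMPLE_RESPONSE = (  # constructed, unsigned sample of what an IdP posts to the ACS
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
    f'InResponseTo="_req1" Destination="{ACS_URL}"><saml:Assertion ID="_a1" Version="2.0">'
    '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
).encode()
```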
