Overview.
This article explains the steps needed to implement SSO and/or User Provisioning through Okta.
Requirements:
A valid Employee Community subscription for your Organization.
Admin access to Employee Community.
Add the Okta application for Employee Community.
Log into Okta. Go to Admin > Applications.
Click on Add Application.
Search for "Honey" and click Add.
Enter your Organization ID, then click Done. You'll find your Organization ID in your Employee Community account at Account and Admin > Single Sign-On (see below).
Configure Employee Community for Okta.
From Okta, click the Sign On tab and then click on View Setup Instructions.
Follow the listed instructions, including filling out your Remote Login URL and Certificate in Employee Community and enabling SAML for your organization.
Set up user provisioning (optional).
On Employee Community
Sign into Employee Community as an Organization administrator and go to your organization's Admin section by choosing Admin from the Account Menu.
Once there...
Click Single Sign-On from the submenu.
Your Organization ID is shown in the Entity ID listed here: it is the number directly following "https://honey.is/org/", e.g. https://honey.is/org/1234
If not already enabled, click Enable SCIM.
Make a note of your SCIM Bearer Token; you will need to enter it into the API Token field in Okta.
On Okta
From the Honey application in Okta, click on the Provisioning tab.
Once there...
Click Configure API Integration, and then check the Enable API Integration checkbox. An API Token field will appear.
Enter your SCIM Bearer Token from Employee Community (above), then click Save.
Once you have tested the token and saved your settings, you will be able to enable and use Okta to create users, update user attributes (profiles) and deactivate users automatically.
Configure Attribute Mappings
Employee Community requires you to send email addresses and name information for your users, but we offer synchronization with many more attributes.
If you would like to have Okta keep your users up to date, you can map the following fields in Okta from Admin > Applications > Honey > Provisioning > To App. We currently support:
email
givenName
familyName
primaryPhone
title
department
division
location
costCenter
employeeNumber
managerId
Known Issues/Troubleshooting
How do I force users to use SSO to log in?
You can easily force users to log in using SSO by adding a whitelisted/trusted domain in Employee Community. To do this, go to your organization's Admin section by choosing Admin from the Account Menu.
Click Domains from the submenu. Under Add a Company Domain, enter a valid email address. You will then receive a verification email to enable the domain.
Finally, from the Domains page, click the lock icon next to the domain, and choose Require SAML.
What else do I need to know?
The Okta username is mapped to the Employee Community email attribute
Importing users is currently not supported