Setting up single sign-on and user provisioning through Okta.

How to use SAML and SCIM with the official Employee Community app for Okta.

Written by Kat Hills
Updated over a week ago

Overview.

This article explains the steps needed to implement SSO and/or User Provisioning through Okta. 

Requirements:

  • A valid Employee Community subscription for your Organization.

  • Admin access to Employee Community.

Add the Okta application for Employee Community.

  1. Log in to Okta. Go to Admin > Applications.

  2. Click on Add Application.

  3. Search for "Honey" and click Add.

  4. Enter your Organization ID, then click Done. You’ll find your Organization ID in your Employee Community account at Account and Admin > Single Sign-On (see below).

Configure Employee Community for Okta.

  1. From Okta, click the Sign On tab and then click View Setup Instructions.

  2. Follow the listed instructions, including filling out your Remote Login URL and Certificate in Employee Community and enabling SAML for your organization.

Set up user provisioning (optional).

On Employee Community

Sign in to Employee Community as an Organization administrator and go to your organization's Admin section by choosing Admin from the Account Menu.

Once there... 

  1. Click Single Sign-On from the submenu.

  2. Your Organization ID is shown in the Entity ID listed here: it is the number directly following "https://honey.is/org/", e.g. https://honey.is/org/1234.

  3. If not already enabled, click Enable SCIM.

  4. Make a note of your SCIM Bearer Token; you will need to enter it into the API Token field in Okta.

On Okta

From the Honey application in Okta, click on the Provisioning tab.

Once there...

  1. Click Configure API Integration, and then check the Enable API Integration checkbox. An API Token field will appear. 

  2. Enter your SCIM Bearer Token from Employee Community (above), then click Save.

Once you have tested the token and saved your settings, you will be able to enable and use Okta to create users, update user attributes (profiles) and deactivate users automatically.

Configure Attribute Mappings

Employee Community requires you to send email addresses and name information for your users, but we offer synchronization with many more attributes. 

If you would like to have Okta keep your users up to date, you can map the following fields in Okta from Admin > Applications > Honey > Provisioning > To App. We currently support:

  • email

  • givenName

  • familyName

  • primaryPhone

  • title

  • department

  • division

  • location

  • costCenter

  • employeeNumber

  • managerId

 

Known Issues/Troubleshooting

How do I force users to use SSO to log in?

You can force users to log in using SSO by adding a whitelisted/trusted domain in Employee Community. To do this, go to your organization's Admin section by choosing Admin from the Account Menu.

Click Domains from the submenu. Under Add a Company Domain, enter a valid email address. You will then receive a verification email to enable the domain.

Finally, from the Domains page, click the lock icon next to the domain, and choose Require SAML.

What else do I need to know?

  • The Okta username is mapped to the Employee Community email attribute

  • Importing users is currently not supported
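
A pre-provisioning check that follows from the notes above, as an added example (not part of the original article or of the vendor's tooling): it flags Okta profiles that lack the required email and name attributes, whose username is not an email address, or whose domain is not one you set to Require SAML. The function name, the use of Okta's `login` attribute as the username, and the idea that only addresses in a Require SAML domain are forced through SSO are assumptions.

```python
import re

# Attributes the article says Employee Community requires for every user.
REQUIRED = ("email", "givenName", "familyName")
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def preflight(users, saml_domains):
    """Return {login: [problems]} for Okta profiles that would provision badly.

    users        -- list of dicts using Okta profile attribute names (assumed)
    saml_domains -- company domains set to Require SAML (assumed input)
    """
    allowed = {d.lower() for d in saml_domains}
    findings = {}
    for user in users:
        login = (user.get("login") or "").strip()
        problems = []
        # The Okta username is what ends up in the email attribute.
        effective = dict(user, email=login)
        for attr in REQUIRED:
            if not (effective.get(attr) or "").strip():
                problems.append(f"missing {attr}")
        match = EMAIL_RE.match(login)
        if login and not match:
            problems.append("username is not an email address")
        elif match and match.group(1).lower() not in allowed:
            problems.append("domain not set to Require SAML")
        if problems:
            findings[login or "<no login>"] = problems
    return findings


# Constructed sample data, not taken from a real directory.
SAMPLE_USERS = [
    {"login": "ana@example.com", "givenName": "Ana", "familyName": "Ruiz"},
    {"login": "bkim", "givenName": "Bo", "familyName": "Kim"},
    {"login": "cy@contractor.example", "givenName": "Cy", "familyName": ""},
]

if __name__ == "__main__":
    for login, problems in preflight(SAMPLE_USERS, ["example.com"]).items():
        print(f"{login}: {', '.join(problems)}")
```

Run it against an export of the users assigned to the Honey application before turning on provisioning, and resolve each finding in Okta first.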
