Go to BambooHR
All Collections
Using Honey's integrations and tools.
Single Sign-On
Setting up single sign-on and user provisioning through Okta.

Setting up single sign-on and user provisioning through Okta.

How to use SAML and SCIM with the official Honey app for Okta.
Kat Hills avatar
Written by Kat Hills. Updated over a week ago

Overview.

This article explains the steps needed to implement SSO and/or User Provisioning through Okta. 

Requirements:

  • A valid Honey subscription for your Organization

  • Admin access to Honey

Add the Okta application for Honey.

  1. Log into Okta. Go to Admin > Applications.

  2. Click on Add Application.

  3. Search for "Honey" and click Add.

  4. Enter your Organization ID. You’ll find your organization id in your Honey account at Account and Admin > Single Sign-On (see below), then click Done.

Configure Honey for Okta.

  1. From Okta, click the Sign On tab and then click on View Setup Instructions

  2. Follow the listed instructions including filling out your Remote Login URL, Certificate in Honey and enabling SAML for your organization.

Setup user provisioning (optional).

On Honey

Sign into Honey as an Organization administrator and go to your organization's Admin section by choosing Admin from the Account Menu

Once there... 

  1. Click Single Sign-On from the submenu.

  2. Your Organization ID is available by looking at the Entity ID listed here, it is the number directly following: "https://honey.is/org/", e.g. https://honey.is/org/1234

  3. If not already enabled, click Enable SCIM.

  4. Make a note of your SCIM Bearer Token, you will need to enter this into the API Token field in Okta.

On Okta

From the Honey application in Okta, click on the Provisioning tab.

Once there...

  1. Click Configure API Integration, and then check the Enable API Integration checkbox. An API Token field will appear. 

  2. Enter your SCIM Bearer Token from Honey (above), then click Save.

Once you have tested the token and saved your settings, you will be able to enable and use Okta to create users, update user attributes (profiles) and deactivate users automatically.

Configure Attribute Mappings

Honey requires you send email address and name information for your users, but we offer synchronization with many more attributes. 

If you would like to have Okta keep your users up to date, you can map the following fields in Okta from Admin > Applications > Honey > Provisioning > To App. We currently support:

  • email

  • givenName

  • familyName

  • primaryPhone

  • title

  • department

  • division

  • location

  • costCenter

  • employeeNumber

  • managerId

 

Known Issues/Troubleshooting

How do I force users to use SSO to login?

You can easily force users to login using SSO by adding a whitelisted/trusted domain in Honey. To do this go to your organization's Admin section by choosing Admin from the Account Menu.

Click Domains from the submenu. Under Add a Company Domain, enter a valid email address. You will then receive a verification email to enable the domain.

Finally, from the Domains page, click the lock icon next to the domain, and choose Require SAML.

What else do I need to know?

  • The Okta username is mapped to the Honey email attribute

  • Importing users is currently not supported

Did this answer your question?