Supported Features
Tubular currently supports the following features:
- Service Provider (SP) Initiated flow
Tubular does not support the following features:
- Identity Provider (IDP) Initiated Flow
- SAML JIT (Just In Time) Provisioning
Step 1: Set up OKTA as SAML identity provider (IDP)
- Log in to your OKTA account as an OKTA administrator.
- From the Admin console Home page, go to Applications > Add Application
- Select Create New App on the top right-hand side of the Application Directory.
- Set Platform to Web and SAML 2.0 as the sign on method. Click Create.
- Set “Tubular” as the App Name.
- Since Tubular does not support IDP-initiated flow, we suggest that you do not display the application icon to users in OKTA’s app portal.
- Enter the following values into the appropriate fields of the SAML Settings page.
  - Single sign on URL: https://tubularlabs.com/auth/oauth/login?connection=CONNECTION_NAME
  - Audience URI (SP Entity ID): urn:auth0:tubularlabs:CONNECTION_NAME
  - Name ID Format: EmailAddress
- In the Attribute Statements section, set the name field to email and the value field to user.email (please use all lowercase, i.e. email, not Email).
- (Optional) Add name attributes. OKTA can use name attributes to pass information to Tubular during user authentication.
  - For the first name, set the name field to first_name and the value field to user.firstName
  - For the last name, set the name field to last_name and the value field to user.lastName
- (Optional) Click Preview the SAML Assertion to generate a sample XML to verify that your provided settings are correct.
- On the next page, finalize setup by selecting I’m an OKTA customer adding an internal app.
- Click Finish.
- You will be redirected to your app’s Sign On page. Click View Setup Instructions.
- Copy the Identity Provider Single Sign-On URL and put it in a safe place so you can access it later. Download the X.509 Certificate.
The CONNECTION_NAME is a unique identifier for your connection. It should only contain alphanumeric characters and hyphens and must be less than 128 characters in length.
We recommend that you include your company name as a part of the connection name to ensure that the name is unique. For example, Acme Corp may name their connection Acme-Login.
If you plan on setting up a TEST or STAGING connection first, give it the same connection name in Tubular as you plan to use for your live connection.
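The XML produced by Preview the SAML Assertion in Step 1 can be checked against the values above with a short script. This is an added example, not code from Tubular or OKTA. It assumes OKTA's default of using the Single sign on URL as the assertion's Recipient; check_preview and the sample assertion are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
KNOWN_ATTRS = {"email", "first_name", "last_name"}  # attribute names from Step 1

def check_preview(xml_text, connection_name):
    """Return a list of mismatches between a preview assertion and Step 1's values."""
    problems = []
    # Naming rule from the page: alphanumerics and hyphens, fewer than 128 characters.
    if not re.fullmatch(r"[A-Za-z0-9-]{1,127}", connection_name):
        problems.append("connection name breaks the naming rule")
    acs = "https://tubularlabs.com/auth/oauth/login?connection=" + connection_name
    audience = "urn:auth0:tubularlabs:" + connection_name
    root = ET.fromstring(xml_text)
    def first(tag):  # first element with this SAML tag, root included
        return next(root.iter(SAML + tag), None)
    aud = first("Audience")
    if aud is None or (aud.text or "").strip() != audience:
        problems.append("Audience is not " + audience)
    scd = first("SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != acs:
        problems.append("Recipient is not " + acs)
    name_id = first("NameID")
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not EmailAddress")
    names = [a.get("Name", "") for a in root.iter(SAML + "Attribute")]
    if "email" not in names:
        problems.append("missing attribute 'email'")
    for n in names:  # catches Email, First_Name, ... (wrong case)
        if n not in KNOWN_ATTRS and n.lower() in KNOWN_ATTRS:
            problems.append(f"attribute '{n}' must be lowercase")
    return problems

# Constructed sample (trimmed to the checked elements), not real OKTA output.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml2:NameID>
  <saml2:SubjectConfirmation><saml2:SubjectConfirmationData
    Recipient="https://tubularlabs.com/auth/oauth/login?connection=Acme-Login"/></saml2:SubjectConfirmation>
 </saml2:Subject>
 <saml2:Conditions><saml2:AudienceRestriction>
  <saml2:Audience>urn:auth0:tubularlabs:Acme-Login</saml2:Audience>
 </saml2:AudienceRestriction></saml2:Conditions>
 <saml2:AttributeStatement><saml2:Attribute Name="Email"/></saml2:AttributeStatement>
</saml2:Assertion>"""

print(check_preview(SAMPLE, "Acme-Login"))
```

An empty list means the preview matches the Step 1 settings for the given connection name.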
Step 2: Enable Tubular SAML App
- Log in to your OKTA account as an OKTA administrator.
- From the Admin console Home page, go to Applications.
- Select Tubular Labs.
- To turn Tubular SSO on for a user or group of users in your organization, click Assign followed by Assign to People or Assign to Groups.
- Choose which users or groups should have access to Tubular SSO and select Done.
If you require a CSV of your current Tubular user directory to import into OKTA, please reach out to your Tubular Customer Success Manager or support@tubularlabs.com.
Step 3: Set up Tubular as a SAML 2.0 service provider (SP)
Once you’ve finished configuring OKTA as your IDP, send your connection details to your Customer Success Manager or our Support team to finalize the integration of your OKTA instance with Tubular. Send us the following pieces of information, which you should have saved from the steps above:
- The Connection Name you configured in step 1.
- The Identity Provider Single Sign-On URL you copied at the end of step 1.
- The X.509 Certificate: the entire contents of the file you downloaded in step 1. This certificate is required for SSO setup.
Our team will then input these fields to make the connection to your OKTA instance.
After your credentials are authenticated, you and all of your seat holders should now be redirected to sign in using your IDP when signing into Tubular Labs.
Once SSO is set up for your organization, it will be the only method your users can use to log into the platform. We don’t currently have the option for some users to still use a password for logging in after SSO is linked. User passwords will no longer be managed through Tubular. If a user attempts to reset their Tubular password, it will have no effect. Please refer your users to your internal help desk for assistance recovering their OKTA account.