This article is specific to configuring Okta as a corporate login identity provider (IdP). It expands on what is discussed in the general corporate login article here.
Setting up Okta for use with ProntoForms
Follow the steps below to set up Okta for use with ProntoForms:
Create an Application in Okta
- Set the Platform to "Web"
- Set the Sign on method to "SAML 2.0"
- Under General > App Settings, specify an Application Label (ex. ProntoForms)
- In the Configure SAML Settings:
  - Single sign on URL = https://live.prontoforms.com/saml/SSO
  - Check "Use this for Recipient URL and Destination URL"
  - Audience URI (SP Entity ID) = prontoforms.com/prod
- Application username is typically set to Okta username or email, but this depends on your specific configuration. In general, set it so that the username returned by Okta matches the username in live.prontoforms.com.
- You will end up with something similar to:
Download the Identity Provider (IdP) Metadata from Okta
- Download the identity provider metadata XML from Okta by clicking the "Sign on" tab, then clicking "Identity Provider metadata":
Save this file for use in the next section.
Set Up Corporate Login in ProntoForms
- Within live.prontoforms.com, navigate to the security tab and click Update within the Single Sign-on menu:
Provide a Team domain name. This is typically just your corporate domain name (ex. acme.com).
Specify a problem contact email.
Optional: Specify a Username suffix. This is only required if you need to add a suffix to the username returned by Okta so that it matches the username within live.prontoforms.com. As an example, if Okta is configured to send just the username prefix (ex. jsmith), but the ProntoForms username is firstname.lastname@example.org, you will want to specify @acme.com as the username suffix. However, if Okta is configured to send the username as the user's email address, and the ProntoForms username is also the email address, leave the Username suffix field blank.
Click "Choose File" under the "Identity Provider Metadata" section and select the file downloaded from Okta in the section above.
At this point, the Corporate Signon setup using Okta is complete. If you are prompted with an error or have any issues with these steps, please contact Support.
Currently, ProntoForms only supports the SP initiated flow of logging in, and not an IdP initiated flow. This means that the user must initiate the login process by going to ProntoForms (either via the app or live.prontoforms.com in a browser), choose Corporate Signon, and enter their username or team domain to initiate the correct login flow. Simply clicking the SAML ProntoForms app tile in Okta will result in an Access Denied error.
A workaround for this is available by creating a second ProntoForms tile (Bookmark App) in Okta. The bookmark app option is described by Okta in detail here:
For the bookmark app to work, specify the URL as:
https://live.prontoforms.com/security/login/saml?domain=<SSO team domain>
Once this is in place, you can hide the SAML ProntoForms app from users' view in Okta to avoid confusion.