Okta Integration (Identity Provider)
Recollective can be integrated with Okta as an identity provider to permit a secure single sign-on experience for one or more user roles.
- Service Provider (SP)-Initiated Authentication (SSO) Flow: This authentication flow occurs when the user attempts to log in to the application from Recollective.
- Identity Provider (IDP)-Initiated Authentication (SSO) Flow: This authentication flow occurs when the user attempts to log in to the application directly from Okta.
- Account Linking: After a successful Okta login, if no associated Recollective account exists, the login fails. By enabling account linking, the email from a successful Okta login is matched against existing Recollective accounts; if a match is found, a permanent association is made between the two accounts and the login succeeds.
- Account Provisioning: Like account linking, this is another option for handling an Okta login that is not yet associated with a Recollective account. This option allows a new Recollective account to be provisioned if no match was found by account linking.
The requirements for this integration are:
- A Recollective site and an account with the Analyst role. Contact Recollective to provision a site.
- An Okta tenant. Contact Okta to get started.
Follow the steps below to configure this integration as an Analyst in the Site Administration area of your Recollective site.
If you do not see the option to add Okta to your site as an identity provider, please contact your account representative to learn more about our enterprise single sign-on options.
1. Log in to your Recollective Site Administration area, e.g. https://yourdomain.recollective.com/admin.
   - Navigate to Settings and select Account Settings.
   - Scroll down to the Identity Providers section.
2. Press the Add Provider button and select Okta from the menu.
   - Customize the name and appearance of this identity provider so that it is easily recognized.
   - Press Next to proceed to the Credentials tab.
3. Copy the Integration Domain and Integration Code from the Credentials tab so they can be pasted into the Okta administration area in the next step.
4. Open the Okta administration area and navigate to Applications.
   - Select Browse App Catalog.
   - Search for and select Recollective.
   - Click the Add button on the Recollective application page as shown below.
5. In Okta, the Add Recollective screen will appear.
   - Paste the Integration Domain copied from Recollective in Step 3.
   - Click Done.
6. While still in Okta, navigate to the Sign On tab of the Recollective application.
   - Click Edit.
   - Paste your Integration Code from Step 3 and save.
   - Copy the Client ID and Client Secret so they can be pasted into Recollective in Step 7.
7. Return to Recollective and paste the Client ID and Client Secret values into the Credentials area of the Okta identity provider configuration dialog.
   - Enter your Okta domain, e.g. https://your-domain.okta.com.
   - Click the Verify button to verify all the information provided.
   - Once the settings are verified, click Next Step to proceed to the Configuration tab.
8. Within Recollective, the Configuration tab allows restrictions to be imposed on the use of the identity provider and determines how unrecognized user accounts should be handled.
   - Under Role Usage, select which Recollective user roles should be permitted to use Okta as their identity provider. For example, switch off Panelists if Okta should only be available to administrative roles.
   - If Okta is reserved for administrators, a Visibility section will appear. By default, administrators must provide their email or username on the login form before the Okta option appears, but you can use the visibility option to have Okta appear immediately to all site visitors.
   - Under Account Handling, options are provided to control how Okta-authenticated users that are new to the Recollective site should be handled:
     - The first option instructs Recollective to attempt a match by email address between the external Okta account and any existing Recollective accounts.
     - The second option controls how Recollective should behave if no account can be matched, or if email matching is not enabled. In this case, you can have unrecognized accounts trigger the creation of a new Recollective account. Note that this option is only available if the identity provider is restricted to administrative roles. If enabled, the account created will be assigned the lowest user role enabled for the identity provider under Role Usage.
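The account-handling rules described above (Account Linking and Account Provisioning in the overview, and the Role Usage and Account Handling options in the Configuration tab) can be expressed as one decision function. The Python below is an added example written for this page, not Recollective's own code: the role hierarchy, the data model, the function names and the sample accounts are assumptions and constructed inputs, and the rule that a matched account whose role is not enabled under Role Usage is rejected is this example's reading of the restriction rather than behaviour the page spells out.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed role order, lowest privilege first. Recollective's real role
# hierarchy is not documented on this page; the page only says that
# Panelists are a non-administrative role and that provisioning assigns the
# lowest role enabled under Role Usage.
ROLE_ORDER: List[str] = ["panelist", "moderator", "analyst"]
ADMIN_ROLES: Set[str] = {"moderator", "analyst"}


@dataclass
class ProviderConfig:
    """Configuration-tab settings for the Okta identity provider (assumed model)."""
    enabled_roles: Set[str]        # Role Usage: roles permitted to use Okta
    link_by_email: bool = False    # Account Handling, first option
    provision_new: bool = False    # Account Handling, second option


@dataclass
class Account:
    """A Recollective account (constructed model for this example)."""
    account_id: str
    email: str
    role: str
    okta_subject: Optional[str] = None   # set once a permanent association exists


def lowest_enabled_role(cfg: ProviderConfig) -> str:
    """Role given to a provisioned account: the lowest one enabled under Role Usage."""
    for role in ROLE_ORDER:
        if role in cfg.enabled_roles:
            return role
    raise ValueError("no roles are enabled for this identity provider")


def is_admin_only(cfg: ProviderConfig) -> bool:
    """True when the provider is restricted to administrative roles."""
    return bool(cfg.enabled_roles) and cfg.enabled_roles <= ADMIN_ROLES


def handle_okta_login(cfg: ProviderConfig, accounts: List[Account],
                      okta_subject: str, okta_email: str,
                      new_account_id: str) -> Tuple[str, Optional[Account]]:
    """Decide what happens after a successful Okta login.

    Returns (outcome, account) where outcome is one of
    'login', 'link', 'provision' or 'reject'.
    """
    # Assumption: email matching is case-insensitive on the whole address.
    email = okta_email.strip().lower()

    # 1. A permanent association already exists: log the user in, unless
    #    Role Usage no longer permits that role to use Okta.
    for acct in accounts:
        if acct.okta_subject == okta_subject:
            if acct.role not in cfg.enabled_roles:
                return "reject", acct
            return "login", acct

    # 2. Account linking: match the Okta email against existing accounts and
    #    make the association permanent.  An account that is already linked to
    #    a different Okta subject, or whose role is not enabled, is rejected
    #    rather than falling through to provisioning, so a second account is
    #    never created for an email that already exists on the site.
    if cfg.link_by_email:
        for acct in accounts:
            if acct.email.strip().lower() == email:
                if acct.okta_subject is not None or acct.role not in cfg.enabled_roles:
                    return "reject", acct
                acct.okta_subject = okta_subject
                return "link", acct

    # 3. Account provisioning: only when the option is on AND the provider is
    #    restricted to administrative roles (enforced here, not only hidden in
    #    the UI).  The new account gets the lowest enabled role.
    if cfg.provision_new and is_admin_only(cfg):
        acct = Account(new_account_id, email, lowest_enabled_role(cfg), okta_subject)
        accounts.append(acct)
        return "provision", acct

    # 4. Nothing matched and provisioning is not allowed: the login fails.
    return "reject", None


if __name__ == "__main__":
    # Constructed sample site: one analyst, one panelist; Okta reserved for admins.
    cfg = ProviderConfig(enabled_roles={"moderator", "analyst"},
                         link_by_email=True, provision_new=True)
    site = [Account("a1", "Ana@Example.com", "analyst"),
            Account("p1", "pat@example.com", "panelist")]
    print(handle_okta_login(cfg, site, "okta-sub-1", "ana@example.com", "n1"))  # link
    print(handle_okta_login(cfg, site, "okta-sub-2", "pat@example.com", "n2"))  # reject
    print(handle_okta_login(cfg, site, "okta-sub-3", "new@example.com", "n3"))  # provision
```

The point of step 3 is that the "restricted to administrative roles" condition is checked in the decision logic itself rather than relying on the Configuration tab hiding the option: if a later change to Role Usage re-enables Panelists, provisioning stops automatically instead of silently creating panelist accounts for any Okta user.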
Once configured, an Okta login button will appear in two areas:
- An Okta button will appear immediately on the login form if the integration is visible to panelists. The Okta button's label and colour can be customized (see Step 2 above).
- If Okta is not enabled for panelists, registered administrators must provide their username or email on the login form before the Okta option will appear. If you wish to have it appear at all times, select "Expose this identity provider to all site visitors" in its Configuration dialog (see Step 8 above).
If Okta is reserved for administrators, Recollective will provide a "Login Link" that can be shared with new administrators to ensure they are presented with the Okta option immediately. The login link is useful if the integration is configured to perform automatic account provisioning for Okta-authenticated users upon their first visit to the Recollective site.
When a user is invited to register for a new Recollective account, the option to sign in with Okta will appear if the Okta integration is enabled for the role being registered.
Recollective users can view and manage their external identity providers by accessing their personal Account Settings within Recollective. They can choose to unlink from Okta if they have an account password or have activated a separate identity provider.