Setting up Single Sign-On (SSO) for ScreenCloud using Okta streamlines the login process, enhancing security and user experience by allowing users to access multiple applications with a single set of credentials. This guide will walk you through integrating Okta as your SAML 2.0 identity provider with ScreenCloud, ensuring a seamless and efficient setup. Follow along to simplify your organization's authentication and provide a more secure digital signage solution.
Further on, we will cover System for Cross-domain Identity Management (SCIM), a protocol for automating the exchange and synchronization of user identity information between identity providers and service providers. Without accessing ScreenCloud’s account settings, you can perform operations like creating, updating, and deleting users and groups.
Before you begin, please note that setting up SSO and SCIM for ScreenCloud requires the ScreenCloud Enterprise subscription. In addition, you need to be an Admin of your Okta account.
With your SSO feature ready and activated in your ScreenCloud account, let’s begin.
1. Create your ScreenCloud application in Okta
1.1. In your Okta account and home screen, click Admin to access the Admin Console
1.2. Head to Applications > Applications and click Create App Integration
1.3. Select the sign-in method SAML 2.0.
1.4. In the General Settings, provide a name for your app and click Next. At this point, you can add an image or icon for the app (optional).
1.5. You will now be in the Configure SAML settings, where you need to apply SSO links from your ScreenCloud account.
1.6. In another browser window, open your ScreenCloud account’s Account Setting > Organization and click the Single-Sign-On tab.
1.7. Copy the ACS URL from ScreenCloud and insert that into Okta in the Single Sign On URL space.
1.8. Copy the Audience URL from ScreenCloud and insert it into Okta in the Audience URI (SP Entity ID) space.
1.9. For Name ID Format, select EmailAddress.
1.10. For Application Username, select Email.
1.11. Under Attribute Statements, write in email for Name, select Unspecified for Name format, and select user email for Value.
1.12. With your SAML Settings applied, scroll down and select Next.
1.13. Under Feedback, tick the box for “This is an internal app that we have created” and click Finish.
1.14. Your Okta app for ScreenCloud SSO is now created.
2. Connect your Okta ScreenCloud app and activate SSO
2.1. Click the Sign On tab for your Okta ScreenCloud SSO app and click More details.
2.2. Copy the Sign On URL from Okta to the Identity Provider Sign In URL in ScreenCloud.
2.3. Copy the Sign-out URL from Okta to the Identity Provider > Sign-out URL in ScreenCloud.
2.4. Download the Signage Certificate from Okta, and upload this to X509 Signing Certificate in ScreenCloud.
2.5. Click Save changes for your ScreenCloud Single Sign On settings.
2.6. Your ScreenCloud SSO setup is now complete.
3. Set up SCIM for your ScreenCloud SSO Okta app
3.1. In the General tab for your ScreenCloud app in Okta, click Edit.
3.2. Tick the box for Enabled SCIM provisioning.
3.3. This will create a Provisioning section for your app.
3.4. Head to your ScreenCloud account, find the Provisioning Settings, and copy the SCIM Tenant URL
.
3.5. Insert the SCIM Tenant URL from ScreenCloud under SCIM connector base URL in Okta.
3.6. For the Unique identifier field for users, write email.
3.7. For Supported provisioning actions, enable Push New Users, Push Profile Updates, and Push Groups.
3.8. For the Authentication Mode, select HTTP Header.
3.9. From your ScreenCloud account, click Generate SCIM API Token, and copy the API token generated. Paste the API token under HTTP Header and Authorization in Okta.
3.10. Run Test Connector Configuration. Your results should appear as below.
3.11. Once this is complete, you can click Save for the provisioning details for your ScreenCloud SSO app in Okta.
3.12. When this is saved, you will have three new setting options under the provisioning section of your SSO app.
3.13. Click To App and enable the options for Create Users, Update User Attributes Deactivate User, and hit Save.
3.14. Your ScreenCloud SSO app in Okta is now set up for SCIM, and you can now create users in ScreenCloud directly through Okta.
4. Add users to ScreenCloud with SCIM for Okta
Before you run through this step, make sure you have a Group created in Okta. To learn about Okta groups, please see Okta's Manage groups documentation.
4.1. In your ScreenCloud SSO and SCIM app, head to your Assignments section.
4.2. Click Assign, and then Assign to Groups. If you wish to assign one user, you can use Assign to People instead.
4.3. Click Assign, review the information, and click Save and go back. The group will be labeled as Assigned, and you can finish this step by hitting Done.
4.4. The group will be listed under Assignments
. If you have assigned a user, you will instead see the assigned user listed under People.
4.5. Head to Push Groups, and select Refresh App Groups. If you assigned just an individual from People, you can skip ahead to step 4.9.
4.6. Once the refresh is complete, click the Push Groups button and select Find groups by name.
4.7. Search for and select the group you previously assigned, and hit Save.
4.8. Wait for the Push Status of the group to update from Pushing to Active
.
4.9. Head back to To App under Provisioning and scroll down to find and click the Force Sync action.
4.10. Your assigned individual or group will now be provisioned to your organization's ScreenCloud account.
4.11. Please note that you will need to assign user permissions in ScreenCloud to your newly created users. However, if the group you added in Okta has the same name as an existing group in ScreenCloud, the users will be added to the existing group in ScreenCloud and the permissions of the group will be applied.
To learn how to create groups and apply permissions to users in ScreenCloud, please see People, Groups, and Spaces: Managing Users & Teams With ScreenCloud.
5. How to use Okta to remove a user from ScreenCloud
5.1. In your Okta Admin Console, under Applications, find your ScreenCloud SSO application.
5.2. Click the Assignments tab.
5.3. Under assignments, click the X next to a group or individual under People or Groups that you wish to remove.
5.4. For a Group, you will need to head to Push Group and deactivate or unlink the group before the next step.
5.5. Next, head to Provisioning > To App and scroll down to find and action Force Sync, which will remove the users and the group from ScreenCloud.
5.6. For confirmation, check your ScreenCloud organization's Account Settings > People page. The removed user or group should no longer exist.
6. How to sign in to ScreenCloud through Okta
When your new user is created in ScreenCloud through Okta, there are two ways they can log in.
i) By using the Sign-On URL under Account Settings > Organization > Single-Sign On in your ScreenCloud account.
ii) Or by using your account's slug name with the ScreenCloud SSO login auth.screencloud.com. The slug name can be found under Account Settings > Organization > Single-Sign On.