Setting up Okta Single Sign-On
Okta is a third-party authentication service that lets users log in to GoodData automatically. When you implement Okta in your GoodData domain, users of your workspaces can access GoodData without using GoodData-specific credentials.
For more information on Okta, see http://www.okta.com. For more information on GoodData and SSO, see Single Sign-On Overview.
GoodData uses the SAML protocol for exchanging information with Okta.
This article provides instructions for configuring Okta authentication for your GoodData domain.
This article refers to various elements of the Okta user interface and is based on the version of the Okta application as of August 2, 2019. Since that date, the Okta application may have changed. If you need help with navigating through the Okta user interface, see the Okta user documentation.
Configure SSO
Access the API endpoints through your GoodData subdomain https://{your-subdomain-name}.on.gooddata.com (for example, https://example.on.gooddata.com). If your workspaces use whitelabeling, use your domain address (for example, https://example.com).
Steps:
Go to your Okta account, and create a new application for GoodData. When prompted to select the application type, select SAML 2.0.
If you need help with navigating through the Okta user interface, see the Okta user documentation.
Navigate to the SAML 2.0 SSO setup instructions for your application, and do the following:
- Download the public certificate.
- Copy the URLs for the external key and redirect login.
Determine which SSO scenario you are configuring and follow the relevant instructions:
- If configuring for a Service Provider-initiated scenario, see SAML SSO with GoodData - Service Provider-initiated Scenario.
- If configuring for an Identity Provider-initiated scenario, see SAML SSO with GoodData - Identity Provider-initiated Scenario.
This completes the configuration process. You can now start provisioning users.
Embedding Options
You can enable Okta SSO for embedded dashboards.
In the Identity Provider-initiated scenario, when Okta SSO setup is complete, Okta displays a URI to authenticate and redirect you to the RelayState URI, which you have specified when configuring the Okta SAML 2.0 application. By default, the Okta application authenticates and redirects you to your GoodData dashboard.
To set up a redirect to an embedded dashboard instead, use the redirect login URL as a redirect URI in the iframe embedded in your web application. You can find it in the Okta user interface.
Your iframe can look similar to the following:
<iframe frameborder="0" src="{your_redirect_uri_defined_in_okta}" width="100%" height="790px"></iframe>
Now, Okta authenticates you, and the dashboard defined by the RelayState URI is displayed.
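If your web application fills in the iframe src from configuration, it can check the redirect login URL before rendering it. The following is an added example, not code from GoodData or Okta; the host allowlist, the function names, and the sample URLs are assumptions made for illustration.

```javascript
// Added example. The host allowlist and sample URLs are constructed placeholders.
const ALLOWED_IDP_HOSTS = new Set(["example.okta.com"]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Return the normalized URL, or throw if it is not an HTTPS URL on an expected Okta host.
function validateRedirectUri(raw, allowedHosts = ALLOWED_IDP_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error("redirect URI is not an absolute URL");
  }
  if (url.protocol !== "https:") {
    throw new Error("redirect URI must use https");
  }
  // "https://example.okta.com@other.test/" parses with hostname other.test.
  if (url.username || url.password) {
    throw new Error("redirect URI must not contain credentials");
  }
  // Exact match, so "example.okta.com.other.test" is rejected too.
  if (!allowedHosts.has(url.hostname)) {
    throw new Error("unexpected identity provider host: " + url.hostname);
  }
  return url.href;
}

// Build the iframe markup shown above from a validated redirect URI.
function dashboardIframe(raw, allowedHosts = ALLOWED_IDP_HOSTS) {
  const src = escapeAttr(validateRedirectUri(raw, allowedHosts));
  return `<iframe frameborder="0" src="${src}" width="100%" height="790px"></iframe>`;
}
```

Replace the allowlist entry with the host of your own Okta organization; the check is an exact hostname match, so lookalike hosts fail before any markup is produced.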