Single Sign-On — Okta

SearchStax Site Search offers Single Sign-On (SSO). This lets your users log into SearchStax apps with a single ID and password that works across multiple software systems.

Note: This is an optional feature you can add to your SearchStax account. Contact SearchStax for details.

We use the open standard Security Assertion Markup Language (SAML). This allows identity providers (IdP) to pass authorization credentials to service providers (SP). This page shows how to use Okta to implement SSO for SearchStax.

Once SearchStax enables SSO for your account and you set up a domain, the admin can see the configuration options in the User Preferences screen of the Site Search Dashboard.

The following steps explain how to set it up for Okta.

Instructions

Once SearchStax enables SSO for your account and you set up a domain, the SSO options appear in the My Profile screen of the My Account menu:

Account settings page showing two-factor authentication options and single sign-on configuration with setup button.

Click the Set Up Single Sign-On button. This takes you to a screen with configuration URLs and feature options. You'll need to refer to this screen while setting up the SSO profile with the Identity Provider.

SAML configuration form displaying Assertion Consumer Service URL, Metadata URL, authentication options, and IdP entity URL fields with Enable, Allow Em...

This screen contains the following fields and options:

  • Assertion Consumer Service (ACS) URL: Note that the URL includes your SSO domain (called mydomain in the following discussion).
  • Metadata URL: SearchStax metadata endpoint.
  • Enable Checkbox: If checked, SSO is enabled for this account.
  • Assertion Responses Signed: Use the drop-down list to indicate whether assertions and/or responses should be signed.
  • Allow Email Password Login Checkbox: If checked, permits login by email/password in addition to SSO.
  • Auto Create Users Checkbox: If checked, a new user account is created the first time a user logs in.
  • IdP Entity URL: Identity provider URL.
  • Metadata URL: The SAML 2 Metadata URL of the identity provider.
  • Sign-In URL: The URL used for signing into the SAML Identity Provider.
  • Sign-Out URL (Optional): The URL shown after a successful sign-out.

Okta Setup

1. You need to be an Admin in Okta to set up the SearchStax Application.

2. Go to the Okta Admin Console. Click Applications, then select "Create App Integration". Choose "SAML 2.0" and click "Next".

Dialog for creating a new app integration with four sign-in method options: OIDC, SAML 2.0 (selected), SWA, and API Services, each with descriptions of ...

3. Enter "SearchStax Studio" as the app name and click "Next".

Step 1 of the SAML integration setup showing the General Settings form with app name, logo upload, and visibility options.

4. Configure the SAML Settings with the following information:

  • Set the "Single sign on URL" as the Assertion Consumer Service URL provided in Site Search.
  • Check "Use this for Recipient URL and Destination URL".
  • Set the "Audience URI" as the Metadata URL provided in Site Search.
  • Set the "Name ID format" as "Unspecified".
  • Set the "Application username" as "Email".
  • Set the "Update application username on" as "Create and update".

SAML configuration panel showing Single Sign-On URL, Audience URI, and other identity provider settings with red arrows indicating which fields to popul...

5. Click "Show Advanced Settings". Set "Response" and "Assertion Signature" to "Signed". Below is a sample of Advanced Settings:

SAML configuration settings panel showing signature algorithms, encryption options, and Single Logout enablement for Okta integration.

If you change the response and assertion settings, you'll also need to change the Site Search "Assertions responses signed" setting to match.

6. The next section provides Attribute Statements for mapping Okta fields to SearchStax. Below are sample mappings that we defined:

Configuration form for attribute statements showing user attribute mappings including givenname, surname, emailaddress, and role with corresponding name...

The above example assigns the role of "Admin" to every user who signs in to Site Search through this Okta app. If a field in Okta holds each user's role, map that field to the role attribute instead.

Click "Next".

7. Select "I'm an Okta customer adding an internal app" and click "Finish".

Feedback step of Okta SSO configuration showing customer type selection and app integration details form.

8. Click the "View SAML setup instructions" button displayed to the right.

Sign On settings page showing SAML 2.0 configuration options including sign-on methods, credentials details, and SAML signing certificates with an activ...

9. Copy the "Identity Provider Single Sign-On URL" and set it as the Login URL in Site Search.

10. Copy the "Identity Provider Issuer" and set it as the IdP entity URL in Site Search.

11. In the Optional section, copy the XML titled "Provide the following IDP metadata to your SP Provider". Host it at a URL. You can optionally send it to us and we'll host it for you. Copy this hosted IdP metadata URL and set it as the Metadata URL in Site Search.

Identity provider configuration form showing single sign-on URL, issuer, X.509 certificate, and metadata fields with red arrows indicating required info...

12. Set SSO to "Enabled".

While you're testing, also check "Allow email password login". You can turn this off once SSO testing is complete.
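A pre-flight check for steps 9 to 11, added here as an example and not SearchStax or Okta code: it parses the IdP metadata XML before you host it, confirms that its entityID and SingleSignOnService location match the values entered in Site Search, and returns the SHA-256 fingerprint of each signing certificate so you can compare it with the certificate shown in Okta. The sample metadata, host names and the function name are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample standing in for the XML copied in step 11; the host names
# and the certificate bytes are placeholders, not real Okta values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exampleissuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItY2VydA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/app/searchstax/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text, login_url, idp_entity_url, hosted_url):
    """Return (problems, sha256_fingerprints) for metadata about to be hosted."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("entityID") != idp_entity_url:
        problems.append("entityID differs from the IdP entity URL (step 10)")
    sso = [e.get("Location") for e in root.findall(".//md:SingleSignOnService", NS)]
    if login_url not in sso:
        problems.append("no SingleSignOnService matches the Login URL (step 9)")
    certs = root.findall(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not certs:
        problems.append("metadata carries no signing certificate")
    # The hosted copy is what the service provider reads, so serve it over TLS.
    if not hosted_url.lower().startswith("https://"):
        problems.append("metadata is hosted without TLS")
    prints = [hashlib.sha256(base64.b64decode("".join((c.text or "").split()))).hexdigest()
              for c in certs]
    return problems, prints
```

An empty problem list means the copied XML agrees with the values typed into Site Search; the fingerprint comparison against Okta remains a manual step.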

Login Using SSO

On https://searchstudio.searchstax.com/, click "Sign-In using your ID provider".

Site Search sign-in form with email and password fields, plus an alternative single sign-on option using an ID provider.

Enter the subdomain.

Searchstax Site Search sign-in page with subdomain field highlighted in red and continue button below.

Click Continue. You'll be taken to the Okta Sign-in page. After you authenticate, you'll return to your SearchStax Site Search Dashboard.
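When a test login fails, comparing the SAML response Okta sent with the values configured in steps 4 to 6 usually locates the mismatch. The following is an added example, not SearchStax or Okta code: it takes a base64-decoded response and checks the Destination, Recipient, Audience and the presence of the expected signatures. The sample response, the URLs, the attribute name `role` and the function name are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, already base64-decoded SAMLResponse from a test login; the URLs
# are placeholders and the empty ds:Signature elements are stand-ins.
SAMPLE_RESPONSE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://sso.example.com/mydomain/acs">
  <ds:Signature/>
  <a:Assertion>
    <ds:Signature/>
    <a:Subject><a:SubjectConfirmation><a:SubjectConfirmationData
        Recipient="https://sso.example.com/mydomain/acs"/></a:SubjectConfirmation></a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>https://sso.example.com/mydomain/metadata</a:Audience>
    </a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement><a:Attribute Name="role">
      <a:AttributeValue>Admin</a:AttributeValue></a:Attribute></a:AttributeStatement>
  </a:Assertion>
</p:Response>"""


def check_response(xml_text, acs_url, audience_uri, signed_parts=("response", "assertion")):
    """Structural comparison only: reports missing signatures, verifies none."""
    root = ET.fromstring(xml_text)
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element found"], {}
    problems = []
    present = {"response": root.find("ds:Signature", NS) is not None,
               "assertion": assertion.find("ds:Signature", NS) is not None}
    for part in signed_parts:
        if not present[part]:
            problems.append(f"{part} is unsigned but the signing setting expects a signature")
    scd = assertion.find(".//a:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if root.get("Destination") != acs_url or recipient != acs_url:
        problems.append("Destination/Recipient differ from the ACS URL")
    audiences = [(e.text or "").strip() for e in assertion.iter("{%s}Audience" % NS["a"])]
    if audience_uri not in audiences:
        problems.append("Audience differs from the Audience URI")
    attrs = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
             for a in assertion.iter("{%s}Attribute" % NS["a"])}
    return problems, attrs
```

The returned attribute map also shows which role value each test user actually received from the step 6 mappings.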

SSO + Two-Factor Authentication

A user can have both SSO and Two-Factor authentication set up. The 2FA settings for a user apply to all accounts that the user can access.

However, for an account with SSO set up, the SearchStax 2FA settings won't apply at login. In that case, set up 2FA at the SSO provider.

