Configure Single Sign-On with Okta
These steps will guide you through setting up the single sign-on functionality between Forumbee and Okta.
Download the Forumbee logo to add to Okta. (You will use it in a later step.)
Supported Features
The Okta/Forumbee SAML integration currently supports the following features:
- SP-initiated SSO
- IdP-initiated SSO
Configuration Steps
1. Log in to your Okta administration area.
2. Navigate to Applications and select Add Application.
3. Select Create New App.
4. Select Web and SAML 2.0. Click Create.
5. In Step 1 General Settings: For App name enter “Forumbee” or the name you use to refer to your Forumbee community. Optionally, upload the Forumbee Logo image. Click Next.
6. In Step 2 Configure SAML you will be entering values from your Forumbee account. Open another browser tab and navigate to your Forumbee account.
7. Log in to your Forumbee account as an administrator.
8. In Forumbee, navigate to Administration > Integrations > SAML:
9. Select SSO Settings. Copy the values into Okta according to the following mapping:
Copy Audience and paste into the Okta field “Audience URI (SP Entity ID)”.
Copy SSO Consumer URL and paste into the Okta field “Single sign on URL”.
Optional step: configure Single Logout. With Single Logout, when a user logs out of Forumbee, it will also log them out of Okta in the same browser session. In Okta Show Advanced Settings enter the following:
- For Enable Single Logout check the option Allow application to initiate Single Logout.
- In Forumbee, copy Single Logout URL and paste into the Okta field “Single Logout URL”.
- In Forumbee, copy Audience and paste into the Okta field “SP Issuer”.
- In Forumbee, click Generate new certificate. Copy and paste the text into a plain text document. In Okta, next to Signature Certificate click Browse and select the file. Then click Upload Certificate.
10. In Okta, complete the SAML Settings form.
- Set Name ID format to Unspecified.
- Set Application username to Okta username.
- Set Update application username on to Create and update.
Advanced settings (if Single Logout is enabled):
11. Under Attribute Statements configure the following attribute mappings:
- firstname > user.firstName
- lastname > user.lastName
- email > user.email
- id > user.id
Optional mappings:
- tagline > user.title
- avatar > user.profileUrl
12. Click Next.
13. In Okta Step 3 Feedback, for Are you a customer or partner? select I'm an Okta customer adding an internal app. Click Finish.
14. In the Okta Sign On tab select View Setup Instructions.
15. Copy the values from Okta and paste into Forumbee in Identity Provider Setup according to the following mapping:
- Copy Identity Provider Single Sign-On URL and paste into the Forumbee field “SSO Logon URL”.
- If you had configured Single Logout in step 9, there will be a field Identity Provider Single Logout URL shown here. If you see this field, copy and paste it into the Forumbee field “SLO Logout URL”.
- Copy Identity Provider Issuer and paste into the Forumbee field “Issuer URL”.
- Copy the X.509 Certificate and paste into the Forumbee field “Certificate”.
- In Forumbee, click Save.
16. In Forumbee, select Enable to enable SAML login:
17. In Okta, assign users to the app. Click the “Assignments” tab and add users and/or groups.
Forumbee Login Options
In Forumbee in the SAML 2.0 integration page, select Login Options:
- Enforce SSO: If you would like to require all users to log in through Okta, check this option. However, to avoid getting locked out of your account, you should keep this option disabled until you have completed SSO configuration and have verified that it is working correctly.
- IP address range: If you would like users from specific IP addresses to be required to log in through Okta, check this option.
- Show SSO option on Forumbee login form: This option is enabled by default. It provides a button on the Forumbee log in page to log in through SSO. You can change the button label here.
- Allow users to change their own display name: With this option, users can change their display name in Forumbee to something other than their display name in Okta.
Advanced Options
Group assignment
Users can be added to Forumbee groups based on their Okta group memberships. This is done through the use of an Okta Attribute Statement.
Single group assignment
If you have just one group to assign, follow these steps:
1. In Okta, edit the SAML integration. On step 2 “Configure SAML” under Attribute Statements click Add Another.
2. Set Name to “groups”. Set Value to:
isMemberOfGroupName("Mods") ? "Mods" : ""
where the first “Mods” is the name of the group in Okta, and the second “Mods” is the name of the group in Forumbee.
Or use this value to also remove the user from a group if they are not a member of the Okta group:
isMemberOfGroupName("Mods") ? "Mods" : "!Mods"
Multiple group assignment
If you have multiple groups to assign, follow these steps:
1. In Okta, edit the SAML integration. On step 2 “Configure SAML” under Attribute Statements click Add Another.
2. Set Name to “groups”. Set Value to:
Arrays.flatten(isMemberOfGroupName("Mods") ? "Moderators" : "",isMemberOfGroupName("Execs") ? "Executives" : "")
In this example there are two group assignments:
- “Mods” is the Okta group whose users will be added to the Forumbee group “Moderators”.
- “Execs” is the Okta group whose users will be added to the Forumbee group “Executives”.
Optional: Use the !groupname notation in the expression as shown here to remove the user from a Forumbee group if they are not a member of the Okta group:
isMemberOfGroupName("Mods") ? "Mods" : "!Mods"
Role assignment
Users can be assigned an elevated role of moderator based on their Okta group membership.
1. In Okta, edit the SAML integration. On step 2 “Configure SAML” under Attribute Statements click Add Another.
2. Set Name to “role”. Set Value to:
isMemberOfGroupName("OktaModerators") ? "1" : ""
where “OktaModerators” is the name of the group in Okta.
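Added example (not Forumbee or Okta code): a Python check you can run over a captured attribute statement to confirm the step 11 mappings are present and to see which group and role changes the expressions above would request. The sample XML is constructed, the function names are hypothetical, and it assumes an empty value means "no change" and that each array element arrives as its own AttributeValue.

```python
import xml.etree.ElementTree as ET  # not hardened; parse only assertions from your own IdP

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
REQUIRED = ("firstname", "lastname", "email", "id")  # required mappings from step 11

# Constructed sample (made-up values): a user in the Okta group "Mods" but not in
# "Execs" or "OktaModerators". One AttributeValue per array element is an assumption.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="firstname"><saml2:AttributeValue>Ada</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="lastname"><saml2:AttributeValue>Example</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="email"><saml2:AttributeValue>ada@example.com</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="id"><saml2:AttributeValue>00u-constructed</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="groups"><saml2:AttributeValue>Moderators</saml2:AttributeValue>
<saml2:AttributeValue>!Executives</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="role"><saml2:AttributeValue></saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""


def read_attributes(xml_text):
    """Return {attribute name: [values]} for each Attribute element found."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(NS + "Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(NS + "AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_mappings(attrs):
    """Return (missing required names, groups to add, groups to remove, moderator?)."""
    missing = [name for name in REQUIRED if not any(attrs.get(name, []))]
    add, remove = [], []
    for value in attrs.get("groups", []):
        if not value:
            continue  # "" is what the expression yields for a non-member: no change
        if value.startswith("!"):
            remove.append(value[1:])  # "!name" notation: remove from that group
        else:
            add.append(value)
    return missing, add, remove, "1" in attrs.get("role", [])


if __name__ == "__main__":
    print(check_mappings(read_attributes(SAMPLE)))
```

A non-empty first element in the result means a required attribute is absent or blank, which usually points to a misspelled attribute name in the Okta Attribute Statements form.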