SAML/SSO with Okta
Account Holders have numerous security settings available in Litmus and options that protect users and content. Single sign-on (SSO) is a way to authenticate and log into an application with just one set of credentials, rather than having to set up multiple usernames and passwords across different platforms. You can configure SAML single sign-on between Litmus and your custom identity provider to simplify your users' access to Litmus.
Before you start
- Only the Account Holder can access and configure SAML settings in Litmus.
- New user seat creation is not supported via SAML. Users must be created within Litmus first and then authenticated via your IdP prior to them logging into Litmus.
- SSO with SAML can only be configured at the parent account level and is automatically applied to all subaccounts on your plan.
NOTE: SAML functionality is available with Litmus Enterprise plans
Start with Litmus settings
Sign in to Litmus, find Your Subaccounts in the left menu, then Security and finally the SAML tab in the popup window.
Slide the Enable SAML toggle to on.
If you would like to require your users to only access Litmus via SSO, you can check the box Enforce sign-in with SAML.
NOTE: When this option is active
- The main Litmus account holder will still be able to sign in to Litmus using their Litmus credentials via the Litmus login screen. This is to prevent the main account holder from getting locked out of full account administrative functionality. Other users will be required to log in via SAML.
- Password resets using the Forgotten Password? option on the regular Litmus login screen will be disabled for all users.
Select Okta as your IDP.
You will need the Post-back URL and the Audience URI shown in the setup window to configure a new App for Litmus in Okta.
Continue in Okta
Log in to Okta as an administrator. Go to Admin, then from Applications in the left side menu, choose Applications and then Create App Integration.
Select SAML 2.0 as the sign-on method and then Next.
Enter Litmus as the name of the new app. If you wish to upload a Litmus logo, you can do so in the optional App Logo section. Select Next when finished.
Paste the Post-back URL and the Audience URI you saved earlier from Litmus into the Single Sign-on URL and Audience URI (SP Entity ID) fields respectively. Choose EmailAddress in the Name ID format dropdown.
Application username defaults to Okta username. Litmus expects the user's email in the assertion's subject statement to uniquely identify them and by default in Okta the "Okta username" is typically also their email address. If your organization has customized Okta usernames to not use email addresses, you may want to review this option and/or change it to user email.
Once complete, click the Next button to save the app settings:
When asked Are you a customer or partner? on the final setup screen, pick I'm an Okta customer adding an internal app, and then Finish. The app is now created.
Next, navigate to the Sign On tab and scroll down to the SAML Signing Certificates section to get the Identity Provider metadata URL. To do this, select the Actions dropdown, then on View IdP metadata.
This opens a new tab in the browser. The link in the address bar is your Identity Provider metadata URL. Save the URL to use later in your Litmus setup.
You can now add users or entire groups in the Assignments tab. Any users added will be able to see the Litmus app within their Okta dashboard.
Log out of Okta and head back to the SAML settings page in Litmus.
Paste the Identity Provider metadata URL you saved from Okta into the Metadata URL field.
Finish by choosing the Save SAML settings button.
Single sign-on will now be enabled. Any Litmus account users can now log in from the Litmus application within their Okta Apps view.
If you activated Enforce sign in with SAML, any users who try to log in to Litmus directly will be taken to Okta for authentication, and then redirected to Litmus with successful login.