SAML/SSO with Okta
This section explains step by step how to configure SAML single sign-on (SSO) between Litmus and Okta as the identity provider.
Things to note
- New user seat creation is not supported via SAML. Users must be created within Litmus first and then authenticated via Okta prior to logging into Litmus.
- Only the Litmus account holder will be able to access and configure SAML settings on an account.
- SSO with SAML can only be configured at the parent account level and is automatically applied to all subaccounts on your plan.
- SAML functionality is available with a Litmus Enterprise plan.
How to set up SAML/SSO with Okta
1. Log into Litmus and select “Sub-accounts” from the side menu, then “Security” and finally the “SAML” tab in the settings.
2. Toggle on “Enable SAML”.
3. If you would like your users to only access Litmus via SSO with Okta, you can check the box “Force sign in with SAML”.
Note: When this option is active
- The main Litmus account holder will still be able to sign in to Litmus using their Litmus credentials via the Litmus login screen. This is to prevent the main account holder from getting locked out of full account administrative functionality. All other users will be forced to log in via SAML.
- Password resets using the “Forgotten Password?” option on the regular Litmus login screen will be disabled for all users.
4. Select Okta as your IDP.
5. Take note of the Post-back URL and the Audience URI, as you will need these in step 9 when configuring a new App for Litmus within Okta.
6. Log in to Okta as an administrator. Go to Admin → Applications (side menu) → Applications (item) → Create App Integration.
7. Select SAML 2.0 as the sign-on method and click the “Next” button.
8. Enter "Litmus" as the name of the new app. If you wish to upload a Litmus logo (one can be found here) you can do so in the App Logo section. Click the “Next” button when finished.
9. Paste the “Post-back URL” and the “Audience URI” from Litmus (noted in step 5) into the “Single sign-on URL” and “Audience URI (SP Entity ID)” fields respectively.
10. On the same screen, but a little bit further down the page, you'll see the Attribute Statements (optional) section. You want to add three “attributes” here:
Once added, click the "Next" button to save the app settings:
11. When asked “Are you a customer or partner?” on the final set-up screen, pick “I'm an Okta customer adding an internal app” and press Finish. The app is now created.
12. Next, navigate to the Sign On tab and scroll down to the SAML Signing Certificates section to get the “Identity Provider metadata” URL. To do this, click on the "Actions" dropdown, then click on "View IdP metadata".
This opens a new tab in the browser. The link in the address bar is your “Identity Provider metadata” URL, which will be needed for step 15.
13. You can now add users or entire groups via the “Assignments” tab. Any users added will now see the Litmus app within their Okta dashboard.
14. Log out from Okta (you will want to test with a non-admin user in a moment) and head back to the SAML settings page in Litmus (under Sub-accounts → Security → SAML).
15. Paste the “Identity Provider metadata” URL (from step 12) into the “Metadata URL” field.
16. Finish by clicking the “Save SAML settings” button.
Single sign-on will now be enabled. Any user of the Litmus account can now log in via the Litmus application within their Okta Apps view.
If “Force sign in with SAML” is also activated, any users who try to log in via the Litmus Login screen will be taken to Okta to authenticate, and then redirected to Litmus upon successful login.