SAML/SSO with Okta
This section explains step by step how to configure SAML single sign-on (SSO) between Litmus and Okta as the identity provider.
Things to note
- New user seat creation is not supported via SAML. Users must be created within Litmus first and then authenticated via Okta prior to logging into Litmus.
- Only the Litmus account holder will be able to access and configure SAML settings on an account.
- SSO with SAML can only be configured at the parent account level and is automatically applied to all subaccounts on your plan.
- SAML functionality is available with a Litmus Enterprise plan.
How to set up SAML/SSO with Okta
1. Log in to Litmus and select “Sub-accounts” from the side menu, then “Security” and finally the “SAML” tab in the settings.
2. Toggle on “Enable SAML”.
3. If you would like your users to only access Litmus via SSO with Okta, you can check the box “Force sign in with SAML”.
Note: When this option is active:
- The main Litmus account holder will still be able to sign in to Litmus using their Litmus credentials via the Litmus login screen. This is to prevent the main account holder from getting locked out of full account administrative functionality. Other users will be forced to log in via SAML.
- Password resets using the “Forgotten Password?” option on the regular Litmus login screen will be disabled for all users.
4. Select Okta as your IDP.
5. Take note of the Post-back URL and the Audience URI, as you will need these when configuring a new App for Litmus within Okta.
6. Log in to Okta as an administrator, go to Admin → Applications (menu) → Applications (item).
7. Click the “Add Application” button.
8. Click “Create New App” (under the “Can't find an app?” heading on the left).
9. Select SAML 2.0 as the sign-on method and click the “Create” button.
10. Enter Litmus as the name of the new app. If you wish to upload a Litmus logo (one can be found here) you can do so by clicking on the “Upload Logo” button, then click the “Next” button.
11. Paste the “Post-back URL” and the “Audience URI” from Litmus (as shown in step 3) into the “Single sign-on URL” and “Audience URI (SP Entity ID)” fields respectively.
12. On the same screen, but a little bit further down the page, you'll see the ATTRIBUTE STATEMENTS (OPTIONAL) section. You want to add three “attributes” here:
Once added, click the Next button to save the app settings:
13. When asked “Are you a customer or partner?” on the final setup screen, pick “I'm an Okta customer adding an internal app” and press Finish. The app is now created.
14. Next, navigate to the Sign On tab and save the “Identity Provider metadata” URL. To do this, right-click on the “Identity Provider metadata” link shown below the “View Setup Instructions” button and select “Copy Link Address” from the options.
15. You can now add users or entire groups via the “Assignments” tab. Any users added will now see the Litmus app within their Okta dashboard.
16. Log out from Okta (you will want to test with a non-admin user in a moment) and head back to the SAML settings page in Litmus (subaccounts/security/SAML).
17. Paste the “Identity Provider metadata” URL (from step 15) into the “Metadata URL” field.
18. Finish by clicking the “Save SAML settings” button.
Single sign-on will now be enabled. Any users of the Litmus account can now log in via the Litmus application within their Okta Apps view.
If “Force sign in with SAML” is also activated, any users who try to log in via the Litmus Login screen will be taken to Okta to authenticate, and then redirected to Litmus upon successful login.