SAML/SSO with Okta

Account Holders have numerous security settings and options available in Litmus to protect users and content. Single sign-on (SSO) is a way to authenticate and log into an application with just one set of credentials, rather than having to set up multiple usernames and passwords across different platforms. You can configure SAML single sign-on between Litmus and your custom identity provider to simplify your users' access to Litmus.

Before you start

  • Only the Account Holder can access and configure SAML settings in Litmus.
  • New user seat creation is not supported via SAML. Users must be created within Litmus first and then authenticated via your IdP prior to them logging into Litmus.
  • SSO with SAML can only be configured at the parent account level and is automatically applied to all subaccounts on your plan.

NOTE: SAML functionality is available with Litmus Enterprise plans.

Start with Litmus settings

Sign in to Litmus, find Your Subaccounts in the left menu, then Manage security and finally the SAML tab in the popup window.

Slide the Enable SAML toggle to on.

If you would like to require your users to only access Litmus via SSO, you can check the box Enforce sign-in with SAML.

NOTE: When this option is active:

  • The main Litmus account holder will still be able to sign in to Litmus using their Litmus credentials via the Litmus login screen. This is to prevent the main account holder from getting locked out of full account administrative functionality. Other users will be required to log in via SAML.
  • Password resets using the Forgotten Password? option on the regular Litmus login screen will be disabled for all users.

Select Okta as your IdP.

Animation showing settings and steps to enable SAML for Litmus Enterprise

You will need the Post-back URL and the Audience URI shown in the setup window to configure a new App for Litmus in Okta.

Closeup of the Post-back URL and Audience URI section of the SAML setup window

Continue in Okta

Log in to Okta as an administrator. Go to Admin, then from Applications in the left side menu, choose Applications and then Create App Integration.

Okta admin section showing left menu options

Select SAML 2.0 as the sign-on method and then Next.

Okta Create a new app integration window with SAML 2.0 radio button selected

Enter Litmus as the name of the new app. If you wish to upload a Litmus logo, you can do so in the optional App Logo section. Select Next when finished.

Create SAML Integration general settings modal showing app name and logo entry fields

Paste the Post-back URL and the Audience URI you saved earlier from Litmus into the Single Sign-on URL and Audience URI (SP Entity ID) fields respectively. Choose EmailAddress in the Name ID format dropdown.

Application username defaults to Okta username. Litmus expects the user's email address in the assertion's subject statement to uniquely identify them, and by default in Okta the "Okta username" is typically also their email address. If your organization has customized Okta usernames so that they are not email addresses, you may want to review this option and/or change it to the user's email.

SAML Settings window in Okta section A

Once complete, click the Next button to save the app settings: 

SAML assertion preview window in Okta section B

When asked Are you a customer or partner? on the final setup screen, pick I'm an Okta customer adding an internal app, and then Finish. The app is now created.

Next, navigate to the Sign On tab and scroll down to the SAML Signing Certificates section to get the Identity Provider metadata URL. To do this, select the Actions dropdown, then click View IdP metadata.

SAML signing certificates window

This opens a new tab in the browser. The link in the address bar is your Identity Provider metadata URL. Save the URL to use later in your Litmus setup.

Browser address bar example

You can now add users or entire groups in the Assignments tab. Any users added will be able to see the Litmus app within their Okta dashboard.

Assignments tab in your new Litmus application in Okta

Final settings

Log out of Okta and head back to the SAML settings page in Litmus.

Paste the Identity Provider metadata URL you saved from Okta into the Metadata URL field.

Metadata URL entry field in Litmus SAML setup window

Finish by choosing the Save SAML settings button.

Single sign-on will now be enabled. Any Litmus account users can now log in from the Litmus application within their Okta Apps view.

If you activated Enforce sign-in with SAML, any users who try to log in to Litmus directly will be taken to Okta for authentication, and then redirected to Litmus after a successful login.
