SAML - Setting up OKTA as an Identity Provider for WorkRite

For OKTA's own documentation on which this guide is based, visit https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta/

How to set up OKTA as an Identity Provider (IdP) for WorkRite

Within WorkRite (all operations below require Client Administrator permisions)

  • Select Management System
  • Select Company from the left hand navigation menu
  •  Select the Security panel
  • Under SAML Single Sign-on, Status - Select "On" and click save changes
  • Select Generate SAML Metadata and save to a location on your computer. This is an .xml file you will need in a later step (by default this is named WORKRITE_METADATA.xml).

Within OKTA

  • Create new application

Select Web as the platform, and SAML 2.0 as the Sign on method

  • Click Create to proceed to "Configure SAML" step
  • Open the metadata xml file downloaded in the earlier step (by default this is named WORKRITE_METADATA.xml)
  • Populate Single sign on URL with the Location value, within the AsserionConsumerService element, e.g.
    Location="https://app.workrite.co.uk/securelogin/samllogin.aspx?id={guid}"
  • Populate the Audience URI (SP Entity ID) with the entityID value within the EntityDescriptor element, e.g.
    entityID="https://app.workrite.co.uk/{value}"
  • Select EmailAddress as the Name ID format
  • Select Okta username as the Application username
  • Click Show Advanced Settings
  • Change the option for Assertion Signature to Unsigned

The highlighted areas of the form are shown below with the correct values:

  • Click Next at the bottom of the form to proceed
  • Click Finish on the next page to return to the application settings page.
  • Click View Setup Instructions. This will open a new window.

  • Copy the Identity Provider Single Sign-On URL...

  • ...and paste into the WorkRite security panel field Identiy provider url (for SP-initiated redirect) and click save changes.

  • Back in Okta, copy the X509 certificate, including the -------BEGIN CERTIFICATE------...and ...-------END CERTIFICATE------- parts...

  • ...and in the security panel, click Update your X509 certificate button, paste into the text field that displays and click save changes

Some important points to note:

  • You will need to assign users to the application in order for them to be able to sign in.
  • You can use EITHER the IdP URL from Okta, or the SP URL from WorkRite to sign in to the application.
  • A user must exist in WorkRite with a corresponding Okta username in order to sign in to the application.
Follow