Single Sign-On with Okta
Updated over a week ago

The following steps are required to integrate Okta IdP functionality with AnyClip Single Sign-On. Once they are implemented, end users who rely on Okta as an IdP will be able to sign in to AnyClip using SSO.

Please note that setting up Okta Single Sign-On involves tasks in both the AnyClip and Okta administration user interfaces. The procedure below includes instructions for both, so you need both user interfaces open in front of you.

Okta Account Administrator View

  1. Open the Okta Developer Console. For more information about the console, see Okta’s Redesigned Admin Console and Dashboard.

  2. In the navigation menu, expand Applications, and then choose Applications.

  3. Choose Create App Integration. Choose Single sign-on → SAML → Domain and URL.

  4. In the Create a new app integration menu, choose SAML 2.0 as the Sign-in method. Choose Next.

    OKTA1.png
  5. On the Create SAML Integration page, under General Settings, enter a name for your app.

  6. Under General→SAML Settings→Edit→Configure SAML

  7. Go to AnyClip and click the Gear icon in the main AnyClip navigation bar. Choose Single Sign-On. The following appears.

    AnyClipOkta.png
  8. Click the Add button and choose Okta. The following profile setup dialogue appears. Create a profile by adding a unique name in the Profile Name field.

    OktaAdminUnselected.png
  9. Copy the Single Sign-On URL and Audience URI (SP Entity ID) as shown into the SAML Settings in your Okta account. The URL/URI to be copied are shown in the screenshot below.

    OKTA2.png
  10. Under ATTRIBUTE STATEMENTS (OPTIONAL), add a statement with the following information: for Name, enter the SAML attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. For Value, enter user.email.

  11. For other attributes you intend to map, follow the logic in step 1 above.

    Okta2a.png
  12. On the Assignments tab for your Okta app, for Assign, choose Assign to People. Choose Assign next to the user that you want to assign. Note: If this is a new account, the only option available is to choose yourself (the admin) as the user.

  13. Choose Save and Go Back. Your user is assigned. Choose Done.

  14. On the Sign On tab for your Okta app, find the SAML Signing Certificates. Click Actions → View IdP metadata, then copy the URL from the newly opened window.

    Okta3.png
  15. Paste the IdP Metadata URL in the AnyClip Okta administration dialogue shown below.

    AnyclipOktaIDP.png
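
To confirm that the values entered in steps 9 and 10 actually reach the service provider, you can inspect a decoded assertion from a test login. The following is an added example, not AnyClip or Okta code: it checks the Audience and the email attribute of a constructed assertion fragment. The audience value and the `department` attribute are placeholders, and the script performs no signature validation, so it is a troubleshooting aid only.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute name from step 10 of the Okta procedure.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: the parts of a decoded assertion that steps 9-10 control.
# The audience is a placeholder, not AnyClip's real SP Entity ID.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/entity-id</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>pat@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Marketing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out

def config_problems(assertion_xml, expected_audience):
    """List mismatches between the assertion and the values set in steps 9-10."""
    root = ET.fromstring(assertion_xml)
    problems = []
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch: %r" % audiences)
    # The attribute name must match step 10 exactly, and carry one address.
    emails = attributes(assertion_xml).get(EMAIL_CLAIM, [])
    if len(emails) != 1 or "@" not in emails[0]:
        problems.append("email claim missing, empty or multi-valued: %r" % emails)
    return problems
```

An empty list from `config_problems` means the Audience URI and the email attribute statement match what was configured.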

AnyClip Account Administrator View - Okta Profile Setup

The following section describes additional setup tasks required in the AnyClip Okta Single Sign-On Administration page. Proceed as follows:

  1. If the AnyClip Okta profile administration window is not before you, go to the main AnyClip navigation menu, click the gear icon and choose Single Sign-On.

  2. Once you choose the SSO menu option, the main SSO Profiles page is displayed where you can add new SSO profiles and edit existing profiles. To edit an existing SSO Profile, click on it. The instructions for editing profiles correspond to those below regarding creating new profiles. To activate or deactivate a profile, choose the proper setting in the Actions menu.

    OktaScreen2.png
  3. To create a new SSO profile, click Add and select your organization's IdP, in this case Okta. The SSO Profile setup screen appears:

    OktaAdminUnselected.png
  4. In this case, choose the Okta SSO profile you already created above. In the dialogue screen shown above, note the toggle Allow users to use any domain when they use Single Sign On. This toggle lets you decide whether or not users can use any domain when they use SSO. Note that if you have set up another profile and chosen to allow users to use any domain to log in, this toggle will be disabled.

  5. In the same dialogue shown above, you set the domain names you want to enable with Single Sign-On. For example, if an organization has three domains (anyclip.com, anyclip.uk and anyclip.ai.uk) and users from all domains require SSO, then set up each domain on a separate line. Enter the SSO Profile Name and the valid organizational Domain name. Use Add Domain to add multiple domains. Once the profile name and domain name(s) are entered, click Save to create the profile.

    OktaAnyclipDomain.png
  6. In the image above you will notice that the toggle "Only existing users can use Single Sign-On" is selected. This setting is selected by default and means that only existing users in AnyClip will be able to use SSO for the selected profile.

    If you want an SSO profile that allows users who are NOT users in the platform at the time of login to log in, deselect this toggle. When the toggle is off, users that are successfully authenticated will be added as users in AnyClip with the following credentials: first name, last name, and email. Deselecting this toggle causes the following additional setup fields to appear:

    OktaAnyclipAllUsers.png
  7. You can either set default hubs to which new users signing in to the system using SSO will be assigned, or create custom rules which will automatically determine the hub assignment of each user. This is done using the field named Assign New Users to Hubs. To create custom rules, click Add.

    OktaAssignToHubs.png
  8. In the screen above, enter the rule Name and then the rule Attributes. Attributes are key and value pairs. You may enter more than one attribute. A logical AND operator exists between any two sequential attributes. Lastly, select one or more Hubs you want to associate with the rule and click Save. Once the rule is created, you will be navigated back to the main SSO Profile screen, where you need to click Save again.
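
The profile settings in steps 4 to 8 combine into one access decision per login. The following is an added example, not AnyClip's code, that models that decision so you can reason about a profile before saving it. The field names, hub names, rule attributes and the `decide` function are hypothetical. It assumes exact string matching, that every matching rule contributes its hubs, and that the default hubs apply when no rule matches.

```python
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed profile mirroring the settings in steps 4-8 (hypothetical field names).
PROFILE = {
    "allow_any_domain": False,
    "domains": ["anyclip.com", "anyclip.uk", "anyclip.ai.uk"],
    "only_existing_users": False,
    "default_hubs": ["General"],
    "rules": [
        {"name": "uk-marketing",
         "attributes": {"department": "Marketing", "country": "UK"},
         "hubs": ["Marketing UK"]},
        {"name": "engineering",
         "attributes": {"department": "Engineering"},
         "hubs": ["Dev", "Docs"]},
    ],
}

def domain_allowed(email, profile):
    if profile["allow_any_domain"]:
        return True
    domain = email.rsplit("@", 1)[-1].lower()
    # Exact match only: a suffix or substring test would accept look-alike domains.
    return domain in {d.lower() for d in profile["domains"]}

def hubs_for(attrs, profile):
    hubs = []
    for rule in profile["rules"]:
        # Logical AND: every key/value pair of the rule must match.
        if all(attrs.get(k) == v for k, v in rule["attributes"].items()):
            hubs += [h for h in rule["hubs"] if h not in hubs]
    return hubs or list(profile["default_hubs"])

def decide(attrs, profile, existing_users):
    """Return (action, hubs) for an authenticated user's SAML attributes."""
    email = attrs.get(EMAIL_CLAIM, "")
    if "@" not in email or not domain_allowed(email, profile):
        return ("deny", [])
    if email.lower() in existing_users:
        return ("login", [])
    if profile["only_existing_users"]:
        return ("deny", [])
    return ("provision", hubs_for(attrs, profile))
```

With "Only existing users can use Single Sign-On" turned off, the domain list is the only restriction on which authenticated IdP users get an AnyClip account, so review it together with the Allow users to use any domain toggle.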

End-User View

The following presents the end users' view as they log in to the system using SSO:

  1. Users who wish to log in to AnyClip using SSO choose Sign in with Single Sign-On.

    EndUserAzure1.png
  2. The Okta login screen will appear. When the user enters their organizational credentials, the user is logged in to the platform. If the user enters the wrong credentials, an error message appears instead.

    OktaEndUser1.png

