Okta
ThoughtFarmer integrates with Okta for SSO authentication and user management, allowing users to log in with a single set of credentials while ensuring their information syncs automatically from Okta to ThoughtFarmer.
If you have existing active users in ThoughtFarmer and plan to transition them to Okta, contact the ThoughtFarmer Helpdesk before proceeding.
Okta setup
Setting up Okta integration with ThoughtFarmer involves two main steps:
- Configure authentication – Enable SSO login to ThoughtFarmer via Okta.
- Set up user synchronization – Sync user data from Okta into ThoughtFarmer.
For cloud clients: Wait until your custom URL has been set up before proceeding with Okta configuration.
Configure Okta
- In Okta, go to Applications > Applications in the left-hand menu.
- Click Create App Integration, select SAML 2.0 as the sign-on method, and click Next.
- Under General Settings, enter a name and upload a logo for your Okta application.
Configure SAML
- Under SAML Settings:
  - Single Sign-On URL: https://tfurl.com/auth/saml/assertionconsumerservice
    - Replace https://tfurl.com with your ThoughtFarmer site URL.
    - Check Use this for Recipient URL and Destination URL.
  - Audience URI: thoughtfarmer
  - Refer to the screenshot for additional required settings.
- Click Next, then Finish.
Assign users
- Open the Assignments tab in your Okta application.
- Click Assign, then assign users who should have access to ThoughtFarmer.
- Ensure that usernames and relevant fields are correctly mapped to the Okta application.
Retrieve SAML setup instructions
- Navigate to the Sign On tab.
- Click View SAML Setup Instructions to access the necessary configuration details for ThoughtFarmer.
Configure ThoughtFarmer
- Log in to ThoughtFarmer.
- Go to the Admin panel: Users & security section > Login provider page.
- Under External Providers, click Add New and select Custom SAML.
Fill in the login provider details
Under Settings:
- Hostname: Your ThoughtFarmer site URL.
- Login Provider complete hostname: Okta's Identity Provider Single Sign-On URL.
Under Custom SAML Configuration:
- External user store configuration: Select your Okta external user store (see the User sync setup section for details on creating it).
Advanced SAML options section
- Single Sign-On Binding Type: HTTP Redirect.
- Sign Out URL: https://yourOktaApiUrl.com/login/signout
  - Use Okta's Identity Provider Single Sign-On URL, but only keep the https://....com portion.
- Single Sign-Out Binding Type: HTTP Redirect.
- Certificate Details: Paste Okta's X.509 Certificate (including BEGIN CERTIFICATE and END CERTIFICATE).
- Configuration Options: Enable the following checkboxes:
  - Want SAML Response Signed
  - Want Assertion Signed
- Issuer URL / Name: Okta's Identity Provider Issuer.
Click Save to complete the setup.
Set up user sync
ThoughtFarmer allows scheduled syncing of user data from Okta, enabling:
- Automatic user creation and deactivation in ThoughtFarmer.
- Profile updates based on Okta data.
- Group and security membership synchronization from Okta groups.
Configure Okta sync in ThoughtFarmer
- Go to the ThoughtFarmer Admin panel: Users & Security section > Employee Directory Connector page.
- Click Add new external user store.
- Enter a name (e.g., Okta).
- Select Okta from the Type dropdown.
- Click Save.
Set up Okta configuration in ThoughtFarmer
- Under the Configuration tab, update the following JSON settings with your Okta details:
{
"oktaApiToken": "okta_api_token_here",
"oktaApiUrl": "https://oktaapiurl",
"oktaAppName": "okta_application_name_here"
}
Retrieve Okta configuration values
Get the Okta API token
- In Okta, go to Security > API.
- Click the Tokens tab.
- Click Create Token and enter a name.
- Under API calls made with this token must originate from, select Any IP.
- Click Create Token.
- Copy the generated token and paste it into the oktaApiToken field in the Okta configuration in ThoughtFarmer.
Okta API URL
- In Okta, go to Applications > [your app] > Sign On.
- Click View SAML Setup Instructions.
- The Okta API URL is the Identity Provider Single Sign-On URL, but only the https://....com portion (omit everything after .com).
Okta App Name
- In Okta, go to Applications > [your app] > Sign On.
- Click View SAML Setup Instructions.
- Locate the Identity Provider Single Sign-On URL.
- In the URL, find the segment between /app/ and the next / (before /sso/saml). This is your Okta App Name.
- Do not include any additional alphanumeric ID that appears after this segment.
- Copy this value and paste it into the oktaAppName field in ThoughtFarmer.
Validate the Configuration
- In ThoughtFarmer, click Save Configuration.
- Navigate to the Synchronization Settings tab.
- Click Validate Credentials.
- Refresh the page and confirm the credentials are successfully validated.
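The values this guide copies by hand (the Okta API URL, the Okta App Name, the Sign Out URL and the Single Sign-On URL) can be derived from two inputs, as in this added example, which is not ThoughtFarmer or Okta code. The function names, the `signOutUrl` and `singleSignOnUrl` result keys and the sample URL are assumptions made for illustration, and the `/app/<name>/<id>/sso/saml` path shape is inferred from the description above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample; the real value is shown under View SAML Setup Instructions.
SAMPLE_IDP_SSO_URL = (
    "https://example.okta.com/app/exampleorg_thoughtfarmer_1/"
    "exk0000000000000000/sso/saml"
)


def _https_origin(label, url):
    """Return (origin, path) for an absolute https URL, else raise ValueError."""
    parts = urlsplit(url.strip())
    # SAML assertions and the API token travel to these hosts, so require TLS.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{label} must be an absolute https:// URL")
    if parts.username or parts.password:
        raise ValueError(f"{label} must not embed credentials")
    return f"https://{parts.netloc}", parts.path


def derive_settings(idp_sso_url, tf_site_url):
    """Derive the values this guide copies by hand out of the two URLs."""
    okta_origin, idp_path = _https_origin("IdP SSO URL", idp_sso_url)
    tf_origin, _ = _https_origin("ThoughtFarmer site URL", tf_site_url)

    # Assumed path shape: /app/<app name>/<alphanumeric id>/sso/saml
    segments = [s for s in idp_path.split("/") if s]
    if len(segments) != 5 or segments[0] != "app" or segments[3:] != ["sso", "saml"]:
        raise ValueError("IdP SSO URL path is not /app/<name>/<id>/sso/saml")

    return {
        "oktaApiUrl": okta_origin,
        "oktaAppName": segments[1],  # segments[2], the trailing ID, is left out
        "signOutUrl": okta_origin + "/login/signout",
        "singleSignOnUrl": tf_origin + "/auth/saml/assertionconsumerservice",
    }


def sync_config_json(settings, token="okta_api_token_here"):
    """Build the Configuration-tab JSON; the token stays a placeholder here."""
    config = {
        "oktaApiToken": token,
        "oktaApiUrl": settings["oktaApiUrl"],
        "oktaAppName": settings["oktaAppName"],
    }
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    print(sync_config_json(derive_settings(SAMPLE_IDP_SSO_URL, "https://tfurl.com")))
```

Paste the real API token into the Configuration tab directly, so that it never ends up in a script or shell history.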
Field mappings
To ensure accurate synchronization of user data, you can map additional fields in the Employee Directory Connector. This allows user attributes from Okta to be correctly imported into ThoughtFarmer.
For a detailed reference on which Okta attributes correspond to ThoughtFarmer fields, refer to the Identity Provider Field Mappings documentation.
This guide includes:
- Standard attributes that ThoughtFarmer supports
- Syntax guidelines for custom attributes
- Best practices for configuring field mappings.
Set up field mappings in Okta
To ensure user data syncs correctly between Okta and ThoughtFarmer, field mappings must be configured in both platforms. Note that Okta does not support syncing profile images.
Add Attributes in Okta
- In Okta, navigate to Directory > Profile Editor.
- Find your ThoughtFarmer application, and click Profile.
- Click + Add Attribute and create an attribute for each ThoughtFarmer profile field listed in the Field Mappings tab.
- Use the same name as the corresponding ThoughtFarmer profile field, but remove spaces and special characters.
- Once all attributes are added, click Save.
Map Okta Attributes to ThoughtFarmer fields
- Click Mappings in the Profile Editor.
- Select the Okta User to [Your ThoughtFarmer Application] tab.
- On the Okta user profile side, select the corresponding Okta profile field.
- On the ThoughtFarmer user profile side, choose the matching ThoughtFarmer field.
- Click the green Apply mapping on user create and update arrow.
- Click Save Mappings to apply the changes.
Test Okta sync and authentication
Run an on-demand sync
- In ThoughtFarmer, navigate to the Employee Directory Connector store (Admin panel: Users & security > Employee directory connector > Okta) > Synchronization Settings.
- Select the sync tasks you want to run under On-demand synchronization.
- Click Synchronize now.
- (Optional) Set up a Daily synchronization schedule to automate synchronization.
- We recommend running Bulk update users first to review the users being pulled in without modifying the current user list.
Verify the sync status
- Click the Synchronization Logs tab.
- The sync status should display Success once completed.
- The process may take several minutes depending on the number of users.
- Click View Details to review:
- Which users were synced.
- The specific user data pulled from Okta.
Test authentication
- Create a temporary Admin user:
- Add a regular user with Admin privileges for testing.
- Delete this account when no longer needed.
- This user serves as a backup in case of Okta authentication issues.
- Convert an existing ThoughtFarmer user to an Okta user:
- Navigate to the Admin panel > Users & Security section > User Management page.
- Search for the user.
- Click the gear icon next to their name and select Edit Account.
- Change Account Type to External.
- Enter the user’s Okta username and select the correct Okta store.
- Click Save.
Repeat Step 2 for any other existing users migrating to Okta.
If a user does not already exist in ThoughtFarmer, allow the sync to create the account.
For bulk updates, submit a Support request via the ThoughtFarmer Helpdesk.