Integrating Day.io with Okta allows employees to log in using the Okta SSO provider.
The process involves creating an application in Okta, configuring SAML with information from Day.io, and finally assigning users to the application to grant access.
This integration requires administrator permissions in both Okta and Day.io, as well as prior verification of the company's domain.
-
Prerequisites
Make sure you have administrative access to Okta.
Ensure that the company domain has already been verified in Day.io(review the steps in this article).
-
Create the integration in Okta
In the Okta admin panel, go to Applications.
Click Create App Integration.
In the login methods window, select SAML 2.0 and click Next.
-
Configure the application
On the configuration page, enter the Application Name as Oitchau.
Upload the Oitchau logo (it can be downloaded at this link).
Click Next.
-
Prepare the configuration in Day.io
In the Control Panel, go to Settings > SSO.
-
To generate the URLs needed for Okta, temporarily fill in the following fields:
Single Sign On URL:
https://oitchau.comCertificate:
123Email mapping:
email
Click Save.
Three fields will be displayed: Oitchau Assert Endpoint, Oitchau Audience, and Oitchau Certificate.
-
Copy information to Okta
-
In Okta, paste:
Oitchau Assert Endpoint in the Single Sign On URL field.
Oitchau Audience in the Audience URL field.
Oitchau Certificate in the certificate field; save the file as
oitchau-okta.pem.
Be sure to select Use this for Recipient URL and Destination URL.
-
-
Advanced settings and encryption
Click Show Advanced Settings.
In the Assertion Encryption section, check Encrypted to ensure encrypted communication.
-
Convert the
oitchau-okta.pemfile to DER format by running the following command:openssl x509 -in ./oitchau-okta.pem -out ./oitchau-okta.der -outform DER
Upload the oitchau-okta.der file in Okta.
-
Map attributes
-
Set the Attribute Statements:
Name:
emailName format:
unspecifiedValue:
user.email
Click Next.
-
-
Finish creation in Okta
On the final page, select I'm an Okta customer adding an internal app.
If you do not want to fill in information about Day.io, select This is an internal app that we have created.Click Finish.
-
Complete the configuration in Day.io
In the Oitchau application panel in Okta (the Sign On tab), locate Identity Provider Metadata and copy the URL.
Return to Day.io and paste this URL in the Issue URL field.
Clear the Single Sign On URL and Certificate fields.
Click Save.
-
Assign users in Okta
Still in Okta, open Assignments for the Oitchau app.
Choose Assign and assign the users or groups who can access Oitchau.
To grant access to everyone, select Assign to Groups and search for “everyone”; click Assign and then Done.
-
Test SSO
Make sure your personal account is also assigned so you can test the integration.
Tips and troubleshooting
When entering the temporary information in Day.io (step 4), it will be replaced by the final data after configuring Okta; don't worry.
If you get an encryption error, check if the certificate was correctly converted to DER.
Always test with a user account before granting access to everyone.
Best practices
Keep the oitchau-okta.pem and the DER version organized for future renewals.
Periodically review the users and groups assigned to the application.
Document every URL and certificate used in the process.
Frequently asked questions
Why do I need to fill in Single Sign On URL, Certificate, and Email mapping at the beginning? It is necessary so that Day.io automatically generates the Assert Endpoint, Audience, and Certificate fields that will be copied to Okta.
Do I need to encrypt the SAML assertion? Yes. Encryption ensures that the information exchanged between Okta and Day.io is protected.
Can I assign the application to all users at once? Yes. Use Assign to Groups and select “everyone” to grant access to the entire company.
Comments
0 comments
Article is closed for comments.