SSO with Okta

SSO for CommCare HQ is only available on our CommCare Enterprise Software Plan. You need to contact your Accounting Administrator to set up Okta as an Identity Provider for your account.

SSO for Okta is configured in the Enterprise Console. First, create your CommCare HQ Application in Okta; then configure SSO for Okta in the Enterprise Console. You need to be an Enterprise Admin to do this.

In CommCare HQ

Edit Identity Provider

You can access Identity Provider settings in the Enterprise Console.

1. In your Project Space, navigate to the Enterprise Console.

2. Navigate to the Manage Single Sign-On page in the side menu.

3. Choose an Identity Provider and click Edit.

In Okta

Create your Application in Okta

1. Navigate to the Application page in Okta Administration.

2. Click on Add App. See Okta's documentation on creating an App in Okta.

3. Configure SSO in the Applications page.

Configure SSO in Okta

You need to retrieve information from CommCare HQ to configure SSO in Okta.


1. In the CommCare HQ Enterprise Console, navigate to the Edit Identity Provider page.

Retrieve the necessary information from the Application Details for Okta section. Populate the fields in Okta.

You will need:

a. Sign-in redirect URIs

b. Sign-out redirect URIs

c. Initiate login URI


2. Navigate to the Application configuration page in Okta. Under General Settings, scroll to the Login settings section.

3. Complete the Okta Application Details you retrieved from CommCare HQ in Okta.

4. Click Save.

Configure SSO in CommCare HQ

You need to retrieve information from Okta to configure SSO in the CommCare HQ OpenID Provider Configuration section.


You will need:

a. Client ID

b. Client Secret

c. Issuer URI


1. Navigate to the Application configuration page in Okta.

2. Under General Settings, scroll to the Client Credentials settings section.

3. Retrieve the Client ID and Client Secret from the Client Credentials section in Okta. Populate the fields in CommCare HQ.

4. Navigate to the Security page. Select the API section. Retrieve the Issuer URI.

5. Complete the information in CommCare HQ.

6. Click Save.

7. After configuring SSO with Okta, you need to set the SSO status to active. Edit the Okta configuration.

8. Scroll down to Single Sign-On Settings and set the SSO status to active.

9. Choose your preferred Login Enforcement. This setting only applies when Single Sign-On is Active.

a. The Global mode will require all users with a username ending in the specified Linked Email Domains to log in with SSO.

b. The Test mode will allow you to pilot test your configuration with a specific set of SSO Test Users. Only the Test Users will be required to log in with SSO when this mode is active.

10. Click Update Configuration.
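The values entered in steps 1 to 6 (Client ID, Client Secret, Issuer URI) and the redirect URIs registered in Okta are easy to get subtly wrong, and a mismatch usually only surfaces as a failed login. The following pre-flight checker is an added illustration, not CommCare HQ or Okta code: it applies the checks a relying party performs against an OpenID Connect provider's discovery document (exact issuer match, https endpoints, authorization code flow advertised) and exact-match redirect URI validation. The discovery document, hostnames, paths and credentials below are constructed placeholders.

```python
"""Pre-flight checks for an OpenID Connect provider configuration.

Added illustration, not CommCare HQ or Okta code. The functions check the values
an Enterprise Admin pastes into the OpenID Provider Configuration section
(Client ID, Client Secret, Issuer URI) and the redirect URIs registered in Okta
against a provider discovery document. All sample values are constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed discovery document in the shape providers publish at
# <issuer>/.well-known/openid-configuration. Host and paths are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/oauth2/default",
    "authorization_endpoint": "https://idp.example.test/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/default/v1/token",
    "jwks_uri": "https://idp.example.test/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_client_credentials(client_id: str, client_secret: str) -> list[str]:
    """Catch the common copy-and-paste mistakes: blank values and stray whitespace."""
    problems = []
    for name, value in (("Client ID", client_id), ("Client Secret", client_secret)):
        if not value.strip():
            problems.append(f"{name} is empty")
        elif value != value.strip():
            problems.append(f"{name} has leading or trailing whitespace")
    return problems


def check_issuer_uri(issuer: str) -> list[str]:
    """The issuer must be an https URL with a host and no query string or fragment."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("Issuer URI must use https")
    if not parts.netloc:
        problems.append("Issuer URI has no host")
    if parts.query or parts.fragment:
        problems.append("Issuer URI must not contain a query string or fragment")
    return problems


def check_discovery_document(configured_issuer: str, document: str) -> list[str]:
    """Compare the configured Issuer URI with the provider's published metadata.

    The 'issuer' value in the metadata must match the configured value byte for
    byte (a trailing slash counts). Otherwise ID tokens from this provider carry
    an 'iss' claim the relying party does not expect and are rightly rejected.
    """
    problems = check_issuer_uri(configured_issuer)
    meta = json.loads(document)
    if meta.get("issuer") != configured_issuer:
        problems.append(
            f"discovery issuer {meta.get('issuer')!r} does not match "
            f"configured {configured_issuer!r}"
        )
    for key in REQUIRED_ENDPOINTS:
        url = meta.get(key, "")
        if not url:
            problems.append(f"discovery document lacks {key}")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{key} is not served over https")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    return problems


def redirect_uri_allowed(registered: set[str], requested: str) -> bool:
    """OpenID Connect requires an exact string match against the registered
    sign-in redirect URIs: no prefix matching, no wildcard hosts, no ignoring
    the path. Anything looser lets a login response be sent somewhere else."""
    return requested in registered


if __name__ == "__main__":
    issuer = "https://idp.example.test/oauth2/default"
    print(check_client_credentials("client-id-placeholder", "client-secret-placeholder"))
    print(check_discovery_document(issuer, SAMPLE_DISCOVERY))
    print(check_discovery_document(issuer + "/", SAMPLE_DISCOVERY))
    print(redirect_uri_allowed({"https://hq.example.test/sso/callback"},
                               "https://hq.example.test/sso/callback"))
```

To use it against a live provider you would fetch `<Issuer URI>/.well-known/openid-configuration` and pass the response body as `document`; the checker is deliberately offline here so the sample runs without network access.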

At least one user must be specified as exempt from signing in with SSO at the login screen. This user can always log in to CommCare HQ with a password in case of any difficulties with the SSO setup. You can do this in the SSO Exempt Users tab.

SSO Test Users tab

You can set Test Users in the SSO Test Users tab. These users must log in with SSO from the homepage when your Identity Provider is Active and Login Enforcement is set to Test Mode. All other users can log in with a regular username and password. This is useful for pilot testing SSO before rolling out changes to the entire organization.
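The Global and Test modes, Linked Email Domains, Test Users and Exempt Users described above combine into one decision per login attempt: is this user required to sign in with SSO? The model below is an added illustration, not CommCare HQ code, and makes two points a practitioner should check in any such policy: the exempt list wins over everything else (the break-glass account must keep its password path), and "username ending in the linked domain" means the whole domain after the `@`, so that a username at `notexample.org` is not matched by a linked domain of `example.org`. The assumption that Test Users must also belong to a linked domain is mine; the names and domains are constructed.

```python
"""Model of the Login Enforcement rules for SSO.

Added illustration, not CommCare HQ code. Decides whether a username must sign
in through the Identity Provider under the Global and Test modes, with SSO
Exempt Users always allowed the password path. Sample data is constructed.
"""
from enum import Enum


class Enforcement(Enum):
    GLOBAL = "global"   # every user at a linked email domain must use SSO
    TEST = "test"       # only the listed Test Users must use SSO


def email_domain(username: str) -> str:
    """Return the lowercase domain part of an email-style username, or '' if none.

    Splitting on the last '@' and comparing the whole domain avoids the classic
    mistake of username.endswith(domain), which would accept 'x@notexample.org'
    for a linked domain of 'example.org'.
    """
    local, sep, domain = username.strip().lower().rpartition("@")
    return domain if sep and local else ""


def sso_required(username: str, *, sso_active: bool, enforcement: Enforcement,
                 linked_domains: set[str], test_users: set[str],
                 exempt_users: set[str]) -> bool:
    """True when the login screen must hide the password field and offer only SSO."""
    name = username.strip().lower()
    if not sso_active:
        # Login Enforcement only applies while the Identity Provider is Active.
        return False
    if name in {u.strip().lower() for u in exempt_users}:
        # Exempt users can always log in with a password, whatever the mode.
        return False
    domains = {d.strip().lower().lstrip("@") for d in linked_domains}
    if email_domain(name) not in domains:
        # Users outside the linked domains are not handled by this provider.
        # (Assumption: this also applies to Test Users; the page does not say.)
        return False
    if enforcement is Enforcement.TEST:
        return name in {u.strip().lower() for u in test_users}
    return True


if __name__ == "__main__":
    policy = dict(sso_active=True, enforcement=Enforcement.GLOBAL,
                  linked_domains={"example.org"}, test_users=set(),
                  exempt_users={"breakglass@example.org"})
    for user in ("Alice@Example.org", "breakglass@example.org",
                 "mallory@notexample.org", "bob@other.test"):
        print(user, "->", "SSO" if sso_required(user, **policy) else "password")
```

Running the module prints one line per constructed user showing which path applies; the mixed-case address is accepted because both the username and the linked domain are normalised before comparison.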

Sign In with Okta SSO

If a user tries to log in to CommCare HQ and is authenticated with Okta, the password field will disappear, and the Okta SSO button will be visible.

If a user tries to log in to CommCare HQ and is not authenticated with Okta, they will be redirected to the Okta log-in screen.

New Users

If a user is authenticated with Okta but doesn’t exist in CommCare HQ, an account will be created for them when they sign in for the first time. They will see the generic landing page after logging in.

If they have an invitation to a Project, they will see the invitation on the landing page.

If a user tries to sign in to CommCare HQ and is not assigned to the Application in Okta, they will see this error message.