🔐 How to Configure SAML Single Sign-On (SSO) with Okta for AskNicely

 

For setup with multiple User Role filters, review the following article...

🔐 OKTA SAML 2.0 Setup for Multiple User Role Filters

 

📘 Introduction

This guide walks you through setting up SAML 2.0 Single Sign-On (SSO) for your AskNicely account using Okta. It also explains how to provision users via SAML in three different ways:

• Without user provisioning

• Users provisioned automatically, roles assigned manually

• Users provisioned automatically with role and location-based filters

Before getting started, make sure you have:

• Administrator access to your AskNicely account

• Administrator access to your Okta organization

---

🧰 Prerequisites

AskNicely Information Needed

• SAML 2.0 Endpoint (ACS URL) – Provided by AskNicely

• SP Entity ID (Audience URI) – Provided by AskNicely

• Required Attributes – You may need to map email, name, role, location, etc.

Okta Information Needed

• IdP Metadata URL – Available in Okta → needed for SAML configuration in AskNicely

• This includes:

  • IdP Entity ID

  • SSO URL

---

⚙️ Part 1: Base Configuration Steps in Okta

1. Create the AskNicely Application

• Log in to your Okta Admin Console.

• Go to Applications > Applications

• Click Create App Integration

• Choose SAML 2.0 and click Next

• In General Settings:

  • Name: AskNicely

  • Optional: upload logo or app details

  • Click Next

---

2. Configure SAML Settings

In AskNicely, navigate to Settings (cog) > Users > SAML 2.0

• Single sign-on URL: Copy and paste the Single Sign-On URL from AskNicely page 

• Audience URI (SP Entity ID): Copy and paste the Metadata URL from AskNicely page 

• Name ID format: EmailAddress

• Application username: Email

Add these Attribute Statements:

Leave other fields as default and click Next.

---

3. Feedback & Finish

• Choose internal app & user type as needed

• Click Finish

---

4. Obtain the Okta IdP Metadata

• Go to the Sign On tab in Okta

• Scroll to SAML Signing Certificates

• Copy the Identity Provider Metadata URL

• In AskNicely’s SAML 2.0 Settings page:

  • Paste into the SAML Issuer URL field

  • Click Import Metadata

  • Click Save SAML 2.0 Settings

---

5. Assign AskNicely App to Users

• Go to Assignments tab in Okta

• Click Assign to Users or Groups as needed

---

👥 Part 2: User Provisioning Options

---

🔹 Option A: No User Provisioning (Manual)

Users must already exist in AskNicely. If they don’t, SSO will fail.

Steps:

1. Do not enable auto-provisioning in Okta

2. In AskNicely SAML 2.0 settings, toggle OFF Automatically Create New Users

3. Manually create users in Settings > Users and assign roles

Result:

• Users only get access if pre-created in AskNicely

• Roles/data access managed in AskNicely manually

• When users attempt to log in via Okta, if they have a matching email address in AskNicely, SSO will grant them access.

---

🔹 Option B: Auto-Provision Users, Assign Roles Manually

AskNicely will create users automatically after first SSO login. Admins must manually assign user roles later.

Steps:

1. In AskNicely SAML 2.0 settings:

   • Toggle ON Automatically Create New Users

   • Choose default role for new users

2. In Okta go to Applications > AskNicely > Provisioning (if SCIM is available) or Sign On (for attribute mapping)

• Pass basic attributes via SAML:

  • email → user.email

  • firstName → user.firstName

  • lastName → user.lastName

3. User Signs In via SSO

   When a new user, assigned to the AskNicely app in Okta, clicks the AskNicely tile in their Okta dashboard:

   • If the user doesn’t exist in AskNicely, the system will automatically create their account with default or base-level permissions.
   • The user will be assigned to the role preset.

4. Admin must assign the proper role later in Settings > Users

Result:

• Seamless SSO login

• Role assignment still requires manual action in AskNicely

---

🔹 Option C: Auto-Provision with Role & Filter-Based Access

For organizations where user roles and location-based data access must be determined automatically, you can use advanced attribute mappings from Okta to pass role and location information directly to AskNicely.

Prerequisites:

• Confirm your AskNicely plan supports advanced provisioning

• Define which Okta attributes will map to:

  • Role (askNicelyGroup)

  • User-level filter key (askNicelyFilter.key)

  • Filter value (askNicelyFilter.value)

Steps:

1. Okta > Applications > AskNicely > Sign On tab:

   • Add Attribute Statements:

2. Okta > Directory > Profile Editor > AskNicely:

   • add the same three attributes from above, making sure to select:

     • Type Group for askNicelyGroup and askNicelyFilter.key

     • Type Person for askNicelyFilter.value

     • 

     • 

3. Configure App Mappings:

• Select the values to submit to AskNicely. This needs to be the Name of the User Role in AskNicely as well as the name (key) and value of the custom field that has been set up as the user level filter.
• You can specify a default value for the mappings (these can be overwritten when assigning Groups or Users to the App. You can also use an existing value from the users profile.

• 

4. Assign Users/Groups and Test:

• Assign a test user in Okta with a known role and location attribute. When the user logs into AskNicely for the first time:
• AskNicely creates the user automatically.
• The user’s role is assigned based on the askNicelyGroup attribute received.
• The user’s data access is restricted based on the askNicelyFilter_key attribute.

5. Validate in AskNicely:

• Log into AskNicely and confirm the newly created user’s role and location-based permissions reflect the values set in Okta. Adjust attribute mappings as needed.

Result:

• Fully automated user provisioning and access control

• Minimizes manual setup

---

🛠️ Troubleshooting Tips

---

🧩 Conclusion

With Okta + AskNicely SAML integration, you can:

• Streamline login with secure SSO

• Automate user provisioning

• Assign data filters and roles dynamically

Choose the provisioning level that works best for your organization. If you need help, please contact AskNicely Support.

---

🙋 Need Help?
If you’d like help configuring SAML or attribute mappings, reach out to our team. We’re happy to assist!