Skip to main content

🔐 How to Configure SAML Single Sign-On (SSO) with Okta for AskNicely

Jomar
Updated

 

This guide walks you through setting up Single Sign-On (SSO) for your AskNicely account using SAML 2.0 with Okta. It also covers how to manage user provisioning in three different ways:

  • Without user provisioning

  • Users provisioned automatically, but roles assigned manually within AskNicely

  • Users provisioned automatically with location-based data access

🧰 Before You Begin

Make sure you have the following:

  • Administrator access to your AskNicely account

  • Administrator access to your Okta organization

📋 Prerequisites

AskNicely Information Needed

  • SAML 2.0 Endpoint (ACS URL): AskNicely provides a unique ACS URL

  • SP Entity ID (Audience URI): AskNicely will provide a unique entity identifier

  • Required Attributes: For certain provisioning scenarios, you will need to map attributes like email, name, role, and location to the corresponding fields in Okta

Okta Information Needed

  • IdP Metadata: Obtain the Okta Identity Provider Metadata URL. This includes the IdP Entity ID and SSO URL which you will configure in AskNicely
    SAML Settings

⚙️ Part 1: Base Configuration Steps in Okta

🔧 Create the AskNicely Application in Okta

  1. Log in to your Okta Admin dashboard

  2. Go to Applications > Applications

  3. Click Create App Integration

  4. Select SAML 2.0 and click Next

  5. In General Settings, name the app "AskNicely" and optionally upload a logo or add information

  6. Click Next

📑 Configure SAML Settings

  • Under “SAML Settings”:

    • Copy and paste the Single sign on URL from AskNicely’s SAML 2.0 configuration screen

    • Copy and paste the Metadata URL into the Audience URI (SP Entity ID)

    • Set Name ID format to EmailAddress

    • Set Application username to Email

      SAML Settings

  • Add the following Attribute Statements (leave “Name format” as “Unspecified”):

    • Name: askNicelyGroup, Value: appuser.askNicelyGroup

    • Name: askNicelyFilter.key, Value: appuser.askNicelyFilter_key

    • Name: askNicelyFilter.value, Value: appuser.askNicelyFilter_value

  • Leave other fields as defaults

  • Click Next
    Attribute Statements.png

✅ Feedback and Finish

  • Choose whether the app is for internal use and whether you're a customer or partner

  • Click Finish

🔗 Obtain the Okta IDP Metadata

  1. Go to the Sign On tab of the application

  2. Scroll to SAML Signing Certificates

  3. Copy the Identity Provider Metadata link

  4. In AskNicely, go to Settings > Users > SAML 2.0 and paste the link into the SAML Issuer URL field

  5. Click Import Metadata, then Save SAML 2.0 Settings

    SAML Page in AskNicely.png

👥 Assign the Okta Application to Users

  • Go to the Assignments tab

  • Click Assign to users or Assign to groups as needed

👤 Part 2: User Provisioning Options

🅰️ Option A: Without User Provisioning

Scenario: SAML is used only for authentication. Users must already exist in AskNicely and their roles and permissions are managed within AskNicely directly. If a user tries to log in and does not exist in AskNicely, they will not gain access.

Steps

  • Do not enable SCIM or Just-in-Time Provisioning in Okta

  • Ensure that Automatically Create New Users in AskNicely SAML 2.0 page is toggled off

  • Add users manually via Settings > Users in AskNicely. Assign roles, permissions, and data access manually here.

User Login

  • If a user has a matching email address in AskNicely, they can log in via Okta SSO

Result

  • No automated user creation

  • Roles and data access must be manually managed in AskNicely

🅱️ Option B: Users Provisioned Automatically, but Roles Assigned Manually in AskNicely

Scenario: Okta creates users in AskNicely on first sign-in, but Admins assign roles afterward.

Prerequisites

  • Toggle Automatically Create New Users to on in AskNicely’s SAML 2.0 settings

  • Ensure user attributes (email, name) are correctly mapped in OktaProfile & Attribute settings.

Steps

  • In AskNicely SAML 2.0 settings

    • Enable Automatically Create New Users

    • Select a default role for newly created users

  • In Okta:

    • Go to Applications > AskNicely > Provisioning (if SCIM is available) or Sign On (for attribute mapping).

    • Add the following SAML attribute statements:

      • Name: Email, Value: user.email

      • Name: FirstName, Value: user.firstName

      • Name: LastName, Value: user.lastName

User Signs In via SSO

When a new user, assigned to the AskNicely app in Okta, clicks the AskNicely tile in their Okta dashboard:

  • If the user doesn’t exist in AskNicely, the system will automatically create their account with default or base-level permissions.
  • The user will be assigned to the role preset.

Assign Roles in AskNicely

  • Admin edits the new user in Settings > Users to assign the correct role and permissions

Result

  • Automated user creation

  • Manual role assignment in AskNicely

🅾️ Option C: Users Provisioned Automatically with Location-Based Data Access

Scenario: For organizations where user roles and location-based data access must be determined automatically, you can use advanced attribute mappings from Okta to pass role and location information directly to AskNicely.

Prerequisites

  • Confirm with AskNicely Support your AskNicely plan supports SCIM or advanced JIT provisioning

  • Determine Okta attributes to map (e.g., department, groups, location)

  • You may need a predefined mapping schema from AskNicely (e.g., askNicelyGroup and askNicelyFilter_key attribute names) to ensure these values can be interpreted correctly.

Steps

  1. Configure Attribute Mappings in Okta

    • Go to Applications > AskNicely > Sign On

    • In the Attributed Statements (Optional) section, Add:

      • Name: askNicelyGroup, Value: appuser.askNicelyGroup

      • Name: askNicelyFilter.key, Value: appuser.askNicelyFilter_key

      • Name: askNicelyFilter.value, Value: appuser.askNicelyFilter_value
        Attribute Statements with Location-Based Data.png

  2. Configure App Attributes in Okta

    • Navigate to Directory > Profile Editor > AskNicely

    • Add:

      • askNicelyGroup as Group

      • askNicelyFilter_key as Group

      • askNicelyFilter_value as Person
        Profile Editor.png
        Profile Attribute Addition.png

  3. Configure App Mappings

    • Assign specific user values for:

      • AskNicely role (askNicelyGroup)

      • Filter key and value (askNicelyFilter_key, askNicelyFilter_value)
        App Mapping.png

  4. Assign Users/Groups and Test

    • Assign a test user with known role and location

    • When the user logs in:

      • AskNicely auto-creates their account

      • Assigns correct role based on the askNicelyGroup attribute received.

      • Limits access based on location filters based on the askNicelyFilter_key attribute.

  5. Validate and Adjust

    • Log into AskNicely as an Admin to confirm that role and permissions match

Result

  • Fully automated provisioning and access control based on Okta attributes

  • Reduces manual setup and supports scalable admin workflows

🧯 Troubleshooting Tips

  • User Not Found or Not Created:
    Ensure the user is assigned to the app in Okta and email matches AskNicely

  • Incorrect Roles or No Role Assigned:
    Double-check attribute mappings and schema names

  • Metadata or SAML Errors:
    Verify the ACS URL, Entity ID, and IdP metadata were entered correctly

🧩 Conclusion

By following the steps above, you can integrate AskNicely with Okta using SAML SSO and configure user provisioning to match your organization’s needs:

  • ✅ Basic SSO login without provisioning

  • ⚙️ Hybrid automation with manual role control

  • 🧠 Full automation with role and data access via attribute mapping

For further assistance, contact AskNicely Support.

Related to

Related articles