This guide walks you through setting up Single Sign-On (SSO) for your AskNicely account using SAML 2.0 with Okta. It also covers how to manage user provisioning in three different ways:
- Without user provisioning
- Users provisioned automatically, but roles assigned manually within AskNicely
- Users provisioned automatically with location-based data access
Before you begin, ensure you have the following:
- Administrator access to your AskNicely account.
- Administrator access to your Okta organization.
Prerequisites
AskNicely Information Needed:
- SAML 2.0 Endpoint (ACS URL): AskNicely provides a unique ACS URL.
- SP Entity ID (Audience URI): AskNicely will provide a unique entity identifier.
- Required Attributes: For certain provisioning scenarios, you will need to map attributes like `email`, `name`, `role`, and `location` to the corresponding fields in Okta.
Okta Information Needed:
- IdP Metadata: Obtain the Okta Identity Provider Metadata URL. This includes the IdP Entity ID and SSO URL which you will configure in AskNicely.
Part 1: Base Configuration Steps in Okta
Create the AskNicely Application in Okta
- Log in to your Okta Admin dashboard.
- Go to Applications > Applications.
- Click Create App Integration.
- Select SAML 2.0 and click Next.
- In the General Settings, name the app `AskNicely` and add any optional AskNicely logo or information. Click Next.
Configure SAML Settings
- Under “SAML Settings”, copy and paste the “Single sign on URL” from the AskNicely SAML 2.0 configuration screen.
- Copy and paste the “Metadata URL” from the AskNicely SAML 2.0 configuration screen into the “Audience URI (SP Entity ID)” field.
- Set Name ID format to `EmailAddress`.
- Set Application username to `Email`.
- Add the following Attribute Statements (leave “Name format” as “Unspecified”):
  - Name: `askNicelyGroup`, Value: `appuser.askNicelyGroup`
  - Name: `askNicelyFilter.key`, Value: `appuser.askNicelyFilter_key`
  - Name: `askNicelyFilter.value`, Value: `appuser.askNicelyFilter_value`
- Leave other fields as defaults.
- Click Next.
Feedback and Finish
- Choose whether the app is for internal use and whether you are a customer or partner.
- Click Finish.
Obtain the Okta IDP metadata
- Once the application is created, go to the Sign On tab.
- Scroll down to SAML Signing Certificates and locate the Identity Provider Metadata link.
- Copy the metadata URL and paste it into the SAML Issuer URL input box on the AskNicely SAML configuration page (Settings > Users > SAML 2.0).
- Click Import Metadata, then click Save SAML 2.0 Settings.
Assign the Okta Application to Users
- You must assign the AskNicely application to users or groups in Okta. This determines who can access AskNicely via SSO.
- Go to the Assignments tab and click Assign to users or groups as needed.
Part 2: User Provisioning Options
Option A: Without User Provisioning
In this scenario, you only use SAML for authentication. Users must already exist in AskNicely, and their roles and permissions are managed within AskNicely directly. If a user tries to log in and does not exist in AskNicely, they will not gain access.
Steps
- **Do Not Enable SCIM or Just-in-Time Provisioning in Okta.** Ensure that Automatically Create New Users on the AskNicely SAML 2.0 page is toggled off.
- **Manage Users in AskNicely.** Add users manually in the AskNicely configuration page via **Settings** > **Users**. Assign roles, permissions, and data access manually here.
- **User Login.** When users attempt to log in via Okta, if they have a matching email address in AskNicely, SSO will grant them access.
Result
- No automated user creation.
- Roles and data access must be configured directly in AskNicely.
Option B: Users Provisioned Automatically, but Roles Assigned Manually in AskNicely
In this scenario, you let Okta create users automatically in AskNicely when they sign in for the first time, but you still assign roles manually in AskNicely afterward.
Prerequisites
- Make sure that on the AskNicely SAML 2.0 configuration page, Automatically Create New Users is toggled on (contact AskNicely support if needed).
- Your users’ attributes (at minimum `email` and `name`) are correctly mapped in the Okta application’s Profile & Attribute settings.
Steps
- **In the AskNicely SAML 2.0 settings:**
  - Enable Automatically Create New Users.
  - Select a default role for “Newly registered users will be created with the role”.
- **Okta Attribute Mapping.** In Okta, go to Applications > AskNicely > Provisioning (if SCIM is available) or Sign On (for attribute mapping).
  - Ensure that the `email`, `firstName`, `lastName` and other attributes are passed via SAML.
  - For SAML attribute statements, you add:
    - Name: `Email`, Value: `user.email`
    - Name: `FirstName`, Value: `user.firstName`
    - Name: `LastName`, Value: `user.lastName`
- **User Signs In via SSO.** When a new user, assigned to the AskNicely app in Okta, clicks the AskNicely tile in their Okta dashboard:
  - If the user doesn’t exist in AskNicely, the system will automatically create their account with default or base-level permissions.
  - The user will be assigned to the role preset.
- **Assign Roles in AskNicely.** After the user is created, log into AskNicely as an Admin and go to Settings > Users. Edit the newly created user and assign the desired role and permissions.
Result
- Automatic account creation on first SSO login.
- Admin must manually assign or update roles in AskNicely after the user appears.
Option C: Users Provisioned Automatically with Location-Based Data Access
For organizations where user roles and location-based data access must be determined automatically, you can use advanced attribute mappings from Okta to pass role and location information directly to AskNicely.
Prerequisites
- Confirm with AskNicely Support that your plan supports SCIM or advanced JIT provisioning with role and location attributes.
- Determine which Okta attributes (e.g., `department`, `location`, `groups`, or custom attributes) will map to AskNicely roles and locations.
- You may need a predefined mapping schema from AskNicely (e.g., the `askNicelyGroup` and `askNicelyFilter_key` attribute names) to ensure these values can be interpreted correctly.
Steps
- **Configure Attribute Mappings in Okta.**
  - Go to the Applications > AskNicely > Sign On tab.
  - In the Attribute Statements (Optional) section, add the following:
    - Name: `askNicelyGroup`, Value: `appuser.askNicelyGroup`
    - Name: `askNicelyFilter.key`, Value: `appuser.askNicelyFilter_key`
    - Name: `askNicelyFilter.value`, Value: `appuser.askNicelyFilter_value`
- **Configure App Attributes in Okta.** Under Directory -> Profile editor -> AskNicely, add the same three attributes from above, making sure to select:
  - Attribute Type: Group, for askNicelyGroup and askNicelyFilter_key
  - Attribute Type: Person, for askNicelyFilter_value
- **Configure App Mappings in Okta.** Select the values to submit to AskNicely. These need to be the Name of the User Role in AskNicely as well as the name (key) and value of the custom field that has been set up as the user-level filter. You can specify a default value for the mappings (these can be overwritten when assigning Groups or Users to the App). You can also use an existing value from the user’s profile.
- **Assign Users and Groups in Okta to the Application and Test.** Assign a test user in Okta with a known role and location attribute. When the user logs into AskNicely for the first time:
  - AskNicely creates the user automatically.
  - The user’s role is assigned based on the `askNicelyGroup` attribute received.
  - The user’s data access is restricted based on the `askNicelyFilter_key` attribute.
- **Validate and Adjust.** Log into AskNicely and confirm the newly created user’s role and location-based permissions reflect the values set in Okta. Adjust attribute mappings as needed.
Result
- Users are created automatically on first login.
- Roles and location-based access are automatically assigned according to attributes passed from Okta, reducing manual administration.
Troubleshooting Tips
- **User Not Found or Not Created.** Check that the user is assigned to the AskNicely app in Okta and that their email attribute matches what AskNicely expects.
- **Incorrect Roles or No Role Assigned.** Verify the attribute names and values in the Okta Attribute Statements. Confirm the schema matches what AskNicely supports.
- **Metadata or SAML Errors.** Ensure you’ve used the correct ACS URL and Audience URI. Double-check that you provided the correct IdP metadata to AskNicely.
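To make the Validate and Adjust step of Option C and the first two troubleshooting tips concrete, here is an added example (not AskNicely's or Okta's code) that parses the Assertion from a decoded SAMLResponse, lists the NameID and the attributes Okta actually sent, and checks them against what this guide's provisioning setup expects: an emailAddress NameID, an Email attribute that agrees with the NameID, exactly one `askNicelyGroup` value that is a role name in AskNicely, and a filter key/value pair that is present and non-empty. The assertion text, the email address, the role and filter values and the set of known roles are all constructed placeholders; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names as configured in the Okta Attribute Statements in this guide.
ROLE_ATTR = "askNicelyGroup"
FILTER_KEY_ATTR = "askNicelyFilter.key"
FILTER_VALUE_ATTR = "askNicelyFilter.value"

# Constructed sample: the Assertion element of a decoded SAMLResponse for a
# test user. Issuer, email, role and filter values are placeholders.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>http://www.okta.com/exkPLACEHOLDER</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test.user@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Email"><saml2:AttributeValue>Test.User@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="askNicelyGroup"><saml2:AttributeValue>Manager</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="askNicelyFilter.key"><saml2:AttributeValue>location</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="askNicelyFilter.value"><saml2:AttributeValue>Wellington</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def extract_claims(xml_text: str) -> dict:
    """Return the NameID (with its Format) and every attribute as name -> [values]."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def check_provisioning_claims(claims: dict, known_roles: set) -> list:
    """Compare what the IdP sent with what the provisioning setup expects.
    known_roles: the role names defined under Settings > Users in AskNicely
    (a hypothetical set is used in the usage below). Returns a list of findings."""
    findings = []
    attrs = claims["attributes"]
    if not claims["name_id"]:
        findings.append("no NameID: AskNicely cannot match or create the user")
    elif claims["name_id_format"] != EMAIL_NAMEID:
        findings.append(f"NameID format is {claims['name_id_format']}, expected emailAddress")
    # "User Not Found": the Email attribute should agree with the NameID.
    email = attrs.get("Email", [])
    if email and claims["name_id"] and email[0].lower() != claims["name_id"].lower():
        findings.append(f"Email attribute {email[0]!r} does not match NameID {claims['name_id']!r}")
    # "Incorrect Roles": the role must be exactly one known AskNicely role name.
    roles = attrs.get(ROLE_ATTR, [])
    if len(roles) != 1:
        findings.append(f"{ROLE_ATTR} must carry exactly one value, got {roles}")
    elif roles[0] not in known_roles:
        findings.append(f"{ROLE_ATTR} value {roles[0]!r} is not a role name in AskNicely")
    # Location filter: key and value must both be present and non-empty.
    key, value = attrs.get(FILTER_KEY_ATTR, []), attrs.get(FILTER_VALUE_ATTR, [])
    if bool(key) != bool(value):
        findings.append(f"{FILTER_KEY_ATTR} and {FILTER_VALUE_ATTR} must be sent together")
    for name, vals in ((FILTER_KEY_ATTR, key), (FILTER_VALUE_ATTR, value)):
        if vals and any(v == "" for v in vals):
            findings.append(f"{name} is present but empty")
    return findings


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION)
    print("NameID:", claims["name_id"])
    print("Attributes:", claims["attributes"])
    # Hypothetical role names; replace with the roles in your AskNicely account.
    print("Findings:", check_provisioning_claims(claims, {"Admin", "Manager", "Agent"}) or "none")
```

Paste the assertion from Okta's SAML assertion preview (or decoded from a captured SAMLResponse for the test user) in place of the sample, and put your real role names into `known_roles`. The check is deliberately strict about the role: AskNicely trusts whatever `askNicelyGroup` the IdP sends, so a misspelt or renamed role in Okta shows up here rather than as a user with no role after first login.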
Conclusion
By following the steps above, you can integrate AskNicely with Okta using SAML SSO and tailor user provisioning to your organization’s needs. Whether you prefer no automatic provisioning, partial automation with manual role assignment, or full automation including location-based data access, these configurations help streamline user management and enhance security. For further assistance, contact AskNicely Support.