Okta SSO (IdP‑Initiated)
This guide covers the IdP-initiated flow, where users begin in Okta (the IdP) and select the GroWrk icon from their Okta dashboard.
Supported Features
- IdP-initiated SSO (through third-party initiated login)
Prerequisites
Before you begin, ensure:
- You have administrator access to your Okta tenant (so you can add the GroWrk SSO apps from the OIN).
- You have administrator access to your GroWrk dashboard, with the Integrations feature enabled. (Contact your Customer Success Manager if you do not see Integrations in your dashboard.)
- The email address used in Okta matches the email address of your users in GroWrk.
What is IdP‑Initiated SSO?
- IdP‑Initiated Flow: The user logs in to Okta first. From the My Apps screen (Okta dashboard), they click the GroWrk icon. Okta sends a SAML response directly to GroWrk (no AuthnRequest from GroWrk).
- Result: The user lands in GroWrk already authenticated.
Connect Okta to GroWrk
- In the Integrations tab in your GroWrk Dashboard, search for Okta SSO and select Get Started.
You’ll be directed to the setup page with several steps.
- Add GroWrk to Okta.
  - Log in to Okta. Navigate to the Application tab.
  - Click on Browse App Catalog and search for the GroWrk (IdP) application.
  - Click on Add Integration.
  - Set your general settings (application label, visibility, etc.) and select Next.
  - On the sign-on options page, you can review the SAML 2.0 configuration. You can also find your metadata URL here, which you’ll need in GroWrk. Select Done when finished.
- Back in GroWrk, add your authorized domains.
- Copy and paste the metadata URL into GroWrk.
  - In your Okta admin console, go to the GroWrk application, then Sign On. Scroll down to find the Identity Provider metadata link. Copy this link.
  - Go back to GroWrk, paste it, and select Set up.
- You’ll be notified that Okta SSO has been set up.
- Your certificate information will be displayed with the start and end dates of its validity. If you’ve changed the SAML Signing Certificate or activated a new one, enter the metadata URL and select Set up again to update it.
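The last step above says to submit the metadata URL again after the SAML signing certificate changes. One way to notice such a change is to compare the SHA-256 fingerprint of the signing certificate in the Okta metadata with the fingerprint recorded at setup time. This is an added example, not code from GroWrk or Okta; the sample metadata, entity ID, SSO URL and function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the XML behind the Okta metadata URL. The entityID
# and SSO URL are placeholders; FAKE_DER is dummy bytes, not a real certificate.
FAKE_DER = bytes(range(64))
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/EXAMPLE_ENTITY_ID">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{cert}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(cert=base64.encodebytes(FAKE_DER).decode())

def signing_fingerprints(metadata_xml):
    """Return (entityID, [SHA-256 hex digest of each IdP signing certificate])."""
    # Input is metadata from your own Okta tenant; for XML from untrusted
    # sources, parse with a hardened parser such as defusedxml instead.
    root = ET.fromstring(metadata_xml)
    prints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop line wraps
            prints.append(hashlib.sha256(der).hexdigest())
    return root.get("entityID"), prints

def needs_resubmit(metadata_xml, recorded):
    """True when no signing certificate matches the recorded fingerprint."""
    wanted = recorded.lower().replace(":", "").replace(" ", "")
    return wanted not in signing_fingerprints(metadata_xml)[1]

if __name__ == "__main__":
    entity, prints = signing_fingerprints(SAMPLE_METADATA)
    print(entity, prints, needs_resubmit(SAMPLE_METADATA, prints[0]))
```

In practice, `metadata_xml` would be the document downloaded over HTTPS from the Identity Provider metadata link copied from Okta.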
Logging in via IdP‑Initiated Flow
If you have configured GroWrk (IdP) in Okta, users can access GroWrk directly from the Okta dashboard:
- In the My Apps tab in Okta, select GroWrk (IdP).
- Enter the code provided by the Okta Verify app (if MFA is required) and select Verify.
- You will sign in and be navigated to the GroWrk Dashboard.
Troubleshooting
Common Issues
- Invalid SAML Response
  - Check that the metadata URL you copied from Okta is correct and that your ACS URLs and Audience match in GroWrk.
- User Email Mismatch
  - Ensure the user’s Okta profile email matches the email they use in GroWrk.
- Access Denied / Not Assigned
  - Verify the user is assigned to the GroWrk app in Okta.
- Okta Verify Setup
  - If a user is stuck setting up Okta Verify, confirm your MFA policies in Okta Admin.
Checking Okta Logs
If issues persist, check Okta System Logs under Reports > System Log in Okta for detailed error messages.
Contact Support
If you still have trouble, please contact GroWrk Support or your Customer Success Manager. Provide:
- A screenshot of your Okta configuration
- The exact error message
- The user’s email address
- Approximate timestamp of the failed login attempt
For further assistance or additional configuration questions, please reach out to us at support@growrk.com.