Okta SSO
Supported Features
- SP-initiated SSO (Single Sign-On)
- IdP-initiated SSO (through third-party initiated login)
GroWrk now provides two Okta SSO integrations in the Okta Integration Network (OIN):
- GroWrk for SP-initiated flows.
- GroWrk (IdP) for IdP-initiated flows.
Prerequisites
Before you begin, ensure:
- You have administrator access to your Okta tenant (so you can add the GroWrk SSO apps from the OIN).
- You have administrator access to your GroWrk dashboard, with the Integrations feature enabled. (Contact your Customer Success Manager if you do not see Integrations in your dashboard.)
- The email address used in Okta matches the email address of your users in GroWrk.
Connect Okta to GroWrk
- In the Integrations tab in your GroWrk Dashboard, search for Okta SSO and select Get Started.
You’ll be directed to the setup page with several steps.
- Add GroWrk to Okta.
a. Select Go to Okta and you’ll be redirected to Okta’s website.
b. In Okta, search the Okta Integration Network for “GroWrk” and “GroWrk (IdP)”.
Tip: You only need to add the integration(s) you plan to use.
- For SP-initiated logins (users start at GroWrk and click “Sign in with Okta”), add GroWrk.
- For IdP-initiated logins (users click a GroWrk icon in the Okta dashboard), add GroWrk (IdP).
c. When you open one of the GroWrk SSO apps in Okta, select Add Integration.
d. Set your general settings (application label, visibility, etc.) and select Next.
e. On the sign-on options page, you can review the SAML 2.0 configuration. You can also find your metadata URL here, which you’ll need in GroWrk. Select Done when finished.
- Back in GroWrk, add your authorized domains.
- Copy and paste the metadata URL into GroWrk.
a. In your Okta admin console, go to the GroWrk application, then Sign On. Scroll down to find the Identity Provider metadata link. Copy this link.
b. Go back to GroWrk, paste it, and select Set up.
- You’ll be notified that Okta SSO has been set up.
SP-Initiated vs. IdP-Initiated SSO
SP-Initiated SSO (Using GroWrk)
- Flow: Users start on GroWrk (e.g., the Dashboard login page) and click “Sign in with Okta.” GroWrk sends a SAML AuthnRequest to Okta, and Okta returns a SAML response to GroWrk.
- Okta App: “GroWrk.”
- User Experience: They visit your GroWrk URL and click “Sign in with Okta.”
IdP-Initiated SSO (Using GroWrk (IdP))
- Flow: Users log in to Okta first. From My Apps (the Okta dashboard), they click the “GroWrk” icon. Okta sends a SAML response directly to GroWrk (no AuthnRequest needed).
- Okta App: “GroWrk (IdP).”
- User Experience: They see a GroWrk tile in Okta, click it, and land in GroWrk already authenticated.
Login with Okta SSO
Verify Account with Okta
New employees you invite can use their Okta credentials to access their GroWrk Dashboards.
- The user is sent an email invite to their Dashboard. After selecting Verify Account, the user is taken to a new page to set up their account.
- The user is asked to create a new password. They enter their corporate email and scroll down to select Sign up with OKTA.
- A new window opens with Okta’s sign in page. They enter their username and select Next.
- They enter their password and select Verify.
- They may be required to set up Okta Verify as a security method. They select Setup and follow the instructions. After completing the setup, they’ll be notified that their account was generated.
- The user fills out their additional information (name, contact, delivery address) and selects Save Changes and Continue.
- Finally, they have access to the GroWrk Dashboard. Whenever they sign in to GroWrk, they can select Sign in with OKTA.
Note: If a user does not sign up with Okta and creates a GroWrk password instead, they can still log in with their Okta credentials later on.
Login with IdP (GroWrk (IdP))
If you have configured GroWrk (IdP) in Okta, users can access GroWrk directly from the Okta dashboard:
- In the My Apps tab in Okta, select GroWrk (IdP).
- Enter the code provided by the Okta Verify app (if MFA is required) and select Verify.
- You will be signed in and taken to the GroWrk Dashboard.
Troubleshooting
Common Issues
- Invalid SAML Response
  - Check that the metadata URL you copied from Okta is correct and that your ACS URLs and Audience match in GroWrk.
- User Email Mismatch
  - Ensure the user’s Okta profile email matches the email they use in GroWrk.
- Access Denied / Not Assigned
  - Verify the user is assigned to the GroWrk app in Okta.
- Okta Verify Setup
  - If a user is stuck setting up Okta Verify, confirm your MFA policies in Okta Admin.
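The following added example, which is not GroWrk's or Okta's code, reads a decoded SAML Response captured from a failed login, tells the SP-initiated flow from the IdP-initiated one by the InResponseTo attribute, and reports the Destination (ACS URL), Audience and email mismatches listed above. The URLs, IDs and addresses are constructed placeholders, the `diagnose` and `sample` names are hypothetical, and it assumes the NameID carries the user's email.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def diagnose(response_xml, acs_url, audience, email, pending_ids):
    """Classify a decoded SAML Response and list config mismatches.
    Troubleshooting aid only: it does not verify the XML signature."""
    root = ET.fromstring(response_xml)
    problems = []
    irt = root.get("InResponseTo")
    # SP-initiated responses answer an AuthnRequest; IdP-initiated ones are unsolicited.
    flow = "sp-initiated" if irt else "idp-initiated"
    if irt and irt not in pending_ids:
        problems.append("InResponseTo matches no outstanding AuthnRequest")
    if root.get("Destination") != acs_url:
        problems.append("Destination differs from the ACS URL")
    found = [a.text for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in found:
        problems.append("Audience differs from the expected value")
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    # Assumption: NameID carries the user's email address.
    if name_id.strip().lower() != email.lower():
        problems.append("NameID does not match the user's email")
    return flow, problems

# Constructed sample; every URL, ID and address below is a placeholder.
ACS = "https://sp.example.test/saml/acs"
AUD = "https://sp.example.test/saml/metadata"
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" Destination="{dest}"{irt}>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{aud}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def sample(dest=ACS, aud=AUD, name_id="user@example.test", in_response_to=None):
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return TEMPLATE.format(dest=dest, aud=aud, name_id=name_id, irt=irt)

if __name__ == "__main__":
    print(diagnose(sample(in_response_to="_req42"), ACS, AUD, "user@example.test", {"_req42"}))
    print(diagnose(sample(aud="https://wrong.example.test"), ACS, AUD, "user@example.test", set()))
```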
Checking Okta Logs
If issues persist, check Okta System Logs under Reports > System Log in Okta for detailed error messages.
Contact Support
If you still have trouble, please contact GroWrk Support or your Customer Success Manager. Provide:
- A screenshot of your Okta configuration
- The exact error message
- The user’s email address
- Approximate timestamp of the failed login attempt
For further assistance or additional configuration questions, please reach out to us at support@growrk.com.