How to configure SAML 2.0 SSO with Okta as iDP in Clinch Talent
Go to the new Clinch Talent SAML app in Okta and open the “SAML 2.0 Setup Instructions” in a new browser tab to keep handy. We’ll be referring to the information on that page throughout these instructions.
This page includes the SSO URL, the iDP issuer and the X.509 Certificate.
First, make sure that there is a new Attribute Type in the Universal Directory within Okta. This attribute is used to assign Clinch Talent roles to the correct staff members.
1. Go to Directory -> Profile Editor.
2. Within the Okta User profile (first in the list), click Edit Profile.
3. Click Add Attribute and set it up with:
- Display Name: ClinchTalent Roles (or whatever you prefer)
- Variable name: clinchtalent_roles (note: Okta adds the “user.” prefix after you save)
- Description: ClinchTalent Roles (or whatever you prefer)
- Data type: string_array
- Attribute required: unchecked
- User permission: Read Only (the default)
4. Next, go to Okta's directory entry for the person who is attempting to log in.
5. Edit their profile and add a new Clinch Talent role. For testing purposes, you can add “admin” as a single entry. Later, when assigning permissions, you can give any of the following values:
Note: You will also need to make sure that the ClinchTalent SAML app is assigned to the user within Okta so that it appears in their application list.
Now you have correctly provisioned a user.
6. Next, go to Edit SAML Integration for the app in Okta.
7. Set the Single sign on URL to: https://clinchtalent.eu/companies/1227fb02e0dd02528a22/saml2/consume
8. Set the Audience URI to the value of the Identity Provider Issuer (iDP issuer) from the setup instructions tab you opened earlier.
9. In the Attribute Statements, add the following mappings:
This will allow the correct elements of the user in Okta Universal Directory to be sent over to ClinchTalent as part of the request.
Note: the image below shows our test account, so the URLs will differ from yours; it is included here only as an example:
Log into Clinch Talent using a password-based admin account.
10. Go to Settings -> Company -> SAML 2.0 - Users section.
11. You’ll now see that the Assertion Consumer Service URL is pre-filled; it is the value you set as the Single sign on URL in Okta in step #7.
12. Set the SP Entity ID (Issuer) and the iDP Entity ID to the same value as the Identity Provider Issuer (iDP issuer) from the setup instructions tab you opened earlier. They will match the Audience URI that you set in step #8 in Okta.
13. Set the iDP SSO Target URL to the “Identity Provider Single Sign-on URL” from the setup instructions tab you opened earlier.
14. Set the iDP Certificate to the value of the “X.509 Certificate” from the setup instructions tab you opened earlier.
15. Click (enable) “Enable provisioning of users from iDP”
16. Click (enable) “Enable syncing user roles/permissions from iDP”
And that's it! With all of the above in place, SSO should now work.
Note: Only users that have roles granted in Okta Universal Directory will actually be able to log into Clinch Talent. So even if you assign the SAML app to a user, they will still need to be granted specific roles to gain access.
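To make the relationship between the Okta settings (steps 7 to 9) and the Clinch Talent settings (steps 12 to 14 and the note above) concrete, here is an added example in Python that is not Clinch Talent's or Okta's own code. It parses a constructed SAML 2.0 response, then applies the checks a service provider makes with the values you configured: the assertion's Issuer must equal the iDP Entity ID, the Audience must name the SP Entity ID (the same value on this setup, per steps 8 and 12), the Recipient must be the Assertion Consumer Service URL, and the user must carry at least one role, otherwise the login is refused as the final note describes. The issuer value, the `clinchtalent_roles` attribute name in the assertion and the sample user are assumptions; signature verification against the X.509 certificate from step 14 is not implemented here and would require an XML signature library.

```python
# Added example (not Clinch Talent's or Okta's code): parse a constructed SAML 2.0
# response and apply the issuer / audience / recipient / roles checks that the
# Okta and Clinch Talent settings above make possible.
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values as configured in Clinch Talent (steps 11 to 14). The issuer is a
# constructed placeholder; the ACS URL is the one from step 7.
SP_CONFIG: Dict[str, str] = {
    "idp_entity_id": "http://www.okta.com/EXAMPLE_IDP_ISSUER",   # step 12 (iDP Entity ID)
    "sp_entity_id": "http://www.okta.com/EXAMPLE_IDP_ISSUER",    # step 12 (same value)
    "acs_url": "https://clinchtalent.eu/companies/1227fb02e0dd02528a22/saml2/consume",
    "roles_attribute": "clinchtalent_roles",  # assumed attribute name from step 9
}

# Constructed sample response: what Okta sends after a successful login for a
# user who has the "admin" role from step 5. The ds:Signature element is omitted.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    Destination="https://clinchtalent.eu/companies/1227fb02e0dd02528a22/saml2/consume">
  <saml2:Issuer>http://www.okta.com/EXAMPLE_IDP_ISSUER</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>http://www.okta.com/EXAMPLE_IDP_ISSUER</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>jane.doe@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData
            Recipient="https://clinchtalent.eu/companies/1227fb02e0dd02528a22/saml2/consume"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>http://www.okta.com/EXAMPLE_IDP_ISSUER</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="clinchtalent_roles">
        <saml2:AttributeValue>admin</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Same user, but the roles attribute carries no value (app assigned, no role granted).
NO_ROLES_RESPONSE = SAMPLE_RESPONSE.replace(
    "<saml2:AttributeValue>admin</saml2:AttributeValue>", "")


def parse_assertion(xml_text: str) -> dict:
    """Extract the fields the SP compares against its configuration."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion element")
    confirmation = assertion.find(
        "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    attributes: Dict[str, List[str]] = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name", "")] = values
    return {
        "issuer": assertion.findtext("saml2:Issuer", namespaces=NS),
        "subject": assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS),
        "recipient": confirmation.get("Recipient") if confirmation is not None else None,
        "audiences": [a.text for a in assertion.findall(
            "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)],
        "attributes": attributes,
    }


def check_assertion(parsed: dict, config: Dict[str, str]) -> List[str]:
    """Return a list of reasons to refuse the login; empty means accept."""
    problems: List[str] = []
    if parsed["issuer"] != config["idp_entity_id"]:
        problems.append(f"issuer mismatch: got {parsed['issuer']!r}")
    if config["sp_entity_id"] not in parsed["audiences"]:
        problems.append("audience restriction does not name this SP entity ID")
    if parsed["recipient"] != config["acs_url"]:
        problems.append("recipient is not the configured Assertion Consumer Service URL")
    if not parsed["attributes"].get(config["roles_attribute"]):
        problems.append("no roles granted in Okta: user is provisioned but cannot log in")
    return problems


def roles_for(parsed: dict, config: Dict[str, str]) -> List[str]:
    """Roles to sync into Clinch Talent (step 16) for this user."""
    return list(parsed["attributes"].get(config["roles_attribute"], []))


if __name__ == "__main__":
    for label, body in (("with role", SAMPLE_RESPONSE), ("without role", NO_ROLES_RESPONSE)):
        parsed = parse_assertion(body)
        print(label, parsed["subject"], roles_for(parsed, SP_CONFIG),
              check_assertion(parsed, SP_CONFIG) or "accepted")
```

Run it as-is to see the first sample accepted with the `admin` role and the second refused for lack of roles; changing `idp_entity_id` in `SP_CONFIG` to anything else reproduces the issuer mismatch you get when the value in step 12 does not match the setup instructions page.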