Single Sign-on (SSO) integrations are a coordinated effort between Trajectory IQ and your organization. The following serves as a general guideline to set up your end of a SAML integration for any SAML-compatible Identity Provider (IdP). It also outlines the information that you need to provide Trajectory IQ.
For the complete OKTA SAML specifications, please visit: http://developer.okta.com/standards/SAML/.
Step 1 - SAML SSO Basic Requirements
We need the following items to get started:
- IdP Issuer URI. This is defined as the issuer URI of the IdP.
- IdP Single Sign-On URL. Often serves as both the Login URL and the Logout URL.
- IdP Signature Certificate. SAML X.509 PEM-encoded Signing Certificate.
- Request Signature Algorithm*
- Response Signature Algorithm. Often the same as the Request Signature Algorithm.
- Destination (could be the same as IdP Single Sign-On URL)
❗️*Note: OKTA does not support unsigned assertions.
Step 2 - Metadata step
This is provided by Trajectory IQ as defined by Okta in a separate email* when Step 1 is complete.
After Step 1 is complete, Trajectory IQ will take that information, configure the integration on our end and then provide you with the following values:
- Assertion Consumer Service URL
- Audience URI
- Signing Certificate (optional)*
❗️*Note: You may or may not need a signing certificate, and this depends on your requirement for encrypted assertions. This is determined on a project-by-project basis. OKTA prefers signatures to use SHA-256.
These values will be required by the SAML configuration on your end and will need to be added prior to continuing any further.
Step 3 - Setting up the User - Assertion Attributes and Signatures
Once Step 2 is complete, tell us if any field mappings should be created. At least one field mapping is typically created to better link the user in Okta to your IdP.
Here are some examples:
- An identifier that uniquely identifies the user on your system (employee id, email, etc.) that you'd like to show up in reporting on our end.
- A display name, such as the user's first name. Trajectory IQ will use this for system messages, like "Hello Mary. Welcome back!".
Provide Trajectory IQ with any fields specific or custom to your IdP that will be sent with the SAML assertion from your system and that we should map in our system.
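As an added illustration of how the values from Steps 1 to 3 are consumed on the service-provider side (example code written for this page, not Trajectory IQ's or Okta's implementation), the check below parses a constructed SAML response and verifies the Issuer URI, Destination, Audience URI and signature algorithm before pulling out the Step 3 field mappings. The issuer, URLs, attribute names and response are all placeholders; real cryptographic signature verification is left to a SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Placeholder values standing in for the items exchanged in Step 1 and Step 2.
EXPECTED = {"idp_issuer": "http://www.okta.com/EXAMPLE_ISSUER",
            "acs_url": "https://sp.example.com/saml/acs", "audience": "https://sp.example.com/saml/metadata"}
# Step 3 style field mappings: IdP attribute name -> field name used on the SP side.
ATTRIBUTE_MAP = {"employeeId": "employee_id", "firstName": "display_name"}

def check_response(xml_text, expected=EXPECTED, attribute_map=ATTRIBUTE_MAP):
    """Structural checks before an assertion is trusted; returns (ok, findings, attrs).
    The signature bytes are NOT verified here: a SAML library must do that with the Step 1 certificate."""
    findings, attrs = [], {}
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion element"], attrs
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["idp_issuer"]:
        findings.append(f"issuer mismatch: {issuer!r}")
    if root.get("Destination") != expected["acs_url"]:  # response must target our ACS URL
        findings.append("Destination is not our ACS URL")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip()
    if audience != expected["audience"]:
        findings.append(f"audience mismatch: {audience!r}")
    sig = assertion.find("ds:Signature", NS)  # Okta does not issue unsigned assertions
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS) if sig is not None else None
    if sig is None:
        findings.append("assertion is unsigned")
    elif method is None or method.get("Algorithm") != RSA_SHA256:
        findings.append("signature algorithm is not rsa-sha256")
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in attribute_map:  # keep only the fields agreed in Step 3
            attrs[attribute_map[attr.get("Name")]] = attr.findtext(
                "saml:AttributeValue", default="", namespaces=NS).strip()
    return not findings, findings, attrs

# Constructed sample response (not a real Okta capture) that satisfies every check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://sp.example.com/saml/acs"><saml:Assertion>
<saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="employeeId"><saml:AttributeValue>E1234</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="firstName"><saml:AttributeValue>Mary</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

A production consumer would additionally check the Conditions time window and InResponseTo, and would reject the response outright when any finding is present.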
Step 4 - Module Access
All Trajectory modules are accessed by your users via:
- A Trajectory IQ designed landing page, or
- Your organization's own landing page (often a page within your Learning Management System/LMS). In the case of SSO integrations, this is the more likely scenario.
Trajectory IQ will provide you with a link that should be used to access either the landing page or the learning module(s) directly.
Frequently Asked Questions
Where do I get the landing page graphics?
- If you are using your own landing page, embed the link provided from Step 4 on it and then click it. If you are logged in to your system already, clicking the link should provide direct access to our learning module without having to log in again.
- If you are using a landing page provided by Trajectory IQ, you will access that page first, followed by clicking on one of the module links that are displayed. Visiting either the landing page or clicking a module link should provide direct access without having to log in again.