This article describes features exclusive to our app in Okta. For information about SSO via SAML see this article and for SCIM see this article.

Click here to skip to the Step-by-step instructions for SAML or SCIM

Requirements

Ensure that you have the following before you start configuring the Okta app:

  • Get the user provisioning functionality for your Okta account. See Lifecycle Management for more details.

  • An Okta account with admin privileges

  • An AlexisHR account with Owner permission set

  • Make sure your account plan in AlexisHR allows you to use SSO & SCIM

Supported Features

SAML

  • IdP-initiated SSO

  • SP-initiated SSO (see note)

Note: SP-initiated SSO requires help from AlexisHR's Customer Success/Support.

SCIM

  • Import Users

  • Profile Sourcing

Step­ by­Step Configuration Instructions for SAML

Step 1 - Get info about SAML from Okta

From Okta retrieve Identity Provider Single Sign-On URL and your X.509 Certificate.

Step 2 - SAML Single sign-on in AlexisHR

Add this information into Alexis via Settings -> SAML Single sign-on. Click "New identity provider". In Identity provider sign out URL you can enter the following (change [YOUR_TENANT] to your tenant):

https://[YOUR_TENANT].okta.com/login/signout?fromURI=https://app.alexishr.com

Click Create identity provider and you'll be taken to the next screen.

Step 3 - Retrieve info from AlexisHR

You need to copy the Audience URI and Assertion Consumer Service URL and save for the next step.

If you want to test on app.sandbox.alexishr.com

To enable testing in our sandbox environment you need to enter Domain and Tenant when setting up Okta. See Step 4 "Domain" and "Tenant" for details.

Pictured: There are environment variables in the Audience URI and ACS URL

Step 4 - Setting up SSO in Okta

General settings - Set the required fields as follows

  • Domain: alexishr for production and sandbox.alexishr for sandbox

  • Tenant: alexishr for production and alexishr-sandbox for sandbox

  • Single sign-on URL: should be value Assertion Consumer Service URL copied from Alexis, see step 3

  • Audience URI (SP entity ID): should be value from Audience URI copied from AlexisHR, see step 3

  • Name ID format: Email or Unspecified

  • Application username: should be set to Okta username

  • Update application username on: should be set to Create and update

Attribute statements - Set the required fields as follows

  • Name: email

  • Name format: Email or Unspecified

  • Value: user.email

This concludes the settings needed for SAML SSO

Step­ by­Step Configuration Instructions for SCIM

Step 1 - API Access Token

To get started you need to create an OAuth Bearer Token to access AlexisHR API. This is done via Settings -> Access tokens. When creating the token it will only be shown once, so make sure you copy & keep it safe.

Give your token an easily identifiable name and, if needed, a description

Step 2 - Configure Okta

Set the required fields as follows:

Domain:
For production (app.alexishr.com):

alexishr


or

For our sandbox environment (app.sandbox.alexishr.com):

sandbox.alexishr

OAuth Bearer Token add the token from step 5 here

Schedule import should be set to the prefered interval, we recommend every 1 hour or less.

Okta username format should be set to Email Address.

Imported user is an exact match to Okta user if should be set to Email matches

Check Allow SCIM 2.0 AlexisHR app to source Okta users for Profile Sourcing to be enabled (recommended). This makes AlexisHR the source for updates on user and sets the app to read only.

Note: Make sure the Application Username Format in the tab Sign on is set to Email!


Step 3 - Okta Attribute Mappings

Under Okta Attribute Mappings you can remove any mappings you do not want or need. The values set up are all the recommended values. To see descriptions on our SCIM user attributes see our documentation here.

Troubleshooting and Tips

If you need any assistance contact AlexisHR support via the chat at AlexisHR

Did this answer your question?