This article describes features exclusive to our app in Okta. For information about SSO via SAML see this article and for SCIM see this article.
Ensure that you have the following before you start configuring the Okta app:
Get the user provisioning functionality for your Okta account. See Lifecycle Management for more details.
An Okta account with admin privileges
An AlexisHR account with Owner permission set
Make sure your account plan in AlexisHR allows you to use SSO & SCIM
SP-initiated SSO (see note)
Note: SP-initiated SSO requires help from AlexisHR's Customer Success/Support.
Step-by-Step Configuration Instructions for SAML
Step 1 - Get info about SAML from Okta
From Okta, retrieve the Identity Provider Single Sign-On URL and your X.509 Certificate.
Step 2 - SAML Single sign-on in AlexisHR
Add this information into Alexis via Settings -> SAML Single sign-on. Click "New identity provider". In Identity provider sign out URL you can enter the following (change [YOUR_TENANT] to your tenant):
Click Create identity provider and you'll be taken to the next screen.
Step 3 - Retrieve info from AlexisHR
Copy the Audience URI and Assertion Consumer Service URL and save them for the next step.
If you want to test on app.sandbox.alexishr.com
To enable testing in our sandbox environment you need to enter Domain and Tenant when setting up Okta. See Step 4 "Domain" and "Tenant" for details.
Pictured: There are environment variables in the Audience URI and ACS URL
Step 4 - Setting up SSO in Okta
General settings - Set the required fields as follows
alexishr for production and
alexishr for production and
Single sign-on URL: should be the Assertion Consumer Service URL value copied from AlexisHR, see step 3
Audience URI (SP entity ID): should be the Audience URI value copied from AlexisHR, see step 3
Name ID format:
Application username: should be set to Okta username
Update application username on: should be set to Create and update
Attribute statements - Set the required fields as follows
This concludes the settings needed for SAML SSO
Step-by-Step Configuration Instructions for SCIM
Step 1 - API Access Token
To get started, create an OAuth Bearer Token to access the AlexisHR API. This is done via Settings -> Access tokens. The token is shown only once, when it is created, so make sure you copy it and keep it safe.
Give your token an easily identifiable name and, if needed, a description
Step 2 - Configure Okta
Set the required fields as follows:
For production (app.alexishr.com):
For our sandbox environment (app.sandbox.alexishr.com):
OAuth Bearer Token: add the token from step 5 here
Schedule import: should be set to the preferred interval; we recommend every 1 hour or less.
Okta username format: should be set to Email Address.
Imported user is an exact match to Okta user if: should be set to Email matches
Check "Allow SCIM 2.0 AlexisHR app to source Okta users" for Profile Sourcing to be enabled (recommended). This makes AlexisHR the source for updates on users and sets the app to read-only.
Note: Make sure the Application Username Format in the tab Sign on is set to Email!
Step 3 - Okta Attribute Mappings
Under Okta Attribute Mappings you can remove any mappings you do not want or need. The values set up are all the recommended values. For descriptions of our SCIM user attributes, see our documentation here.
Troubleshooting and Tips
If you need any assistance, contact AlexisHR support via the chat at AlexisHR.