Single Sign-On: Okta

Moesif provides a single sign-on integration with Okta.

In order to set up SSO:

  • You must be able to configure Okta
  • You must be on an enterprise plan with SSO enabled

How SSO works

Moesif single sign-on implementation leverages Home Realm Discovery to select the correct tenant based on the email’s domain name. Once SSO is enabled, any employee logging in with your company’s domain will automatically be redirected to the single sign-on page. Team management and role-based access control is handled by your identity provider rather than within the Moesif application.

How to setup Okta with Moesif

Okta also has a guide available here

1. Go to Applications within the Okta admin dashboard

Click the Add Application button

Okta Active Applications

2. Search for Moesif and click Add

Search for Moesif Okta Application

3. Select the Sign On tab and then select the Edit button

Sign-on Settings

In the red box marked above box, enter your Moesif Okta company domain, which is your Okta domain with any . replaced with -

For example if you log into Okta at myorgname.okta.com, you should enter myorgname-okta-com into the corresponding field.

If you’re unsure, email your Moesif technical account manager or support@moesif.com

4. Select View Setup Instructions in the yellow box.

This will open up Okta’s set up instructions. Under step 2 Save, then attach the following Metadata file to your request, copy the the metadata URL. Email the URL to your Moesif account manager who will finish setting up SSO.

https://myorgname.okta.com/app/XXXXXXXXXXX/sso/saml/metadata

5. Add role field

While optional, to manage role-based access control for Moesif within your identity provider, you need to add a field role to the Moesif appuser.

Within the Okta admin portal, go to Directory -> Profile Editor, and select the Edit Profile button next to the newly created Moesif application.

Click on Add Attribute on the left side and add a field role as shown in below screenshot.

AppUser add role field

Checkbox Define enumerated list of values and add the three predefined roles supported by Moesif:

  • admin
  • member
  • read-only

If your Moesif subscription has any custom roles, you can also add their names to this list.

After SSO activated

Once SSO is enabled:

  • Team members will no longer be able to log in with a password or social account.
  • Password reset is disabled.
  • Administrators will no longer be able to add/remove team members within Moesif.
  • Role-based access control is synced from your identity provider and cannot be changed within Moesif.

Any employee logging in with your company’s domain will automatically be redirected to the single sign-on page where they can click log in. All team management and role-based access control actions is done through your identity provider. Moesif automatically syncs user accounts.

Disabling SSO

An organization can disable SSO at any time by contacting their technical account manager. Once disabled, existing team members who already had an account prior to SSO can log in with their password. New users who were provisioned through SSO can reset their password to log in.

Updated: