How to Enable Okta Integration and Configure Provisioning for Teamable (for Okta Admins)

Follow

This guide provides the steps required to configure SSO and Provisioning for Teamable.


Features
The following provisioning features are supported:

  • Push New Users

New users created through OKTA will also be created in the third party application.

  • Push Profile Updates

Updates made to the user's profile through OKTA will be pushed to the third party application.

  • Push User Deactivation

Deactivating the user or disabling the user's access to the application through OKTA will deactivate the user in the third party application.

Note: Teamable does not support group provisioning. Users who already in Teamable will not be duplicated. 


Requirements 

To enable SSO and provisioning you need to have admin permission at Teamable.

 

Configuration Steps

 

Configure SSO settings for Teamable as follows:

SSO configuration


1. Go to the Okta Admin Panel, "Application" tab and click on "Add Application" button.

Screenshot__85_.png

2. Search "Teamable" and click on the "Add" button.

Screenshot__86_.png

3. The field "Your Teamable domain"  may be empty when provisioning has not activated. Otherwise, type in your Teamable domain and exclude 'https://'. Click "Done" to continue.

Screenshot__87_.png

4.  Go to the "Sign On" tab to view the setup instructions.

Screenshot__88_.png

5. Copy the IDP Metadata URL and go to Teamable.

Screenshot__89_.png 

6. Only Admins at Teamable can generate the token and set up SSO. To do that go to https://yourcompany.teamable.me. 

Screenshot__53_.png

7.  Go to the Admin Panel>SSO Configuration and select Okta.

Screenshot__91_.png

8.  (1) Paste the "IDP Metadata URL" that you've copied from Okta. (2)  Update the copied URL as follows: add 'teamable/' after '...app/...' and remove '/metadata' and fill that new URL in 'Okta Login URL'. For example, if we have https://teamable.oktapreview.com/app/exkfz4vv1wcAzKfZu0h7/sso/saml/metadata then it will be https://teamable.oktapreview.com/app/teamable/exkfz4vv1wcAzKfZu0h7/sso/saml. (3)Don't forget to save your SSO settings.

If you don't want to enable provisioning then you can save the changes and then manually assign to users in the Teamable users section of the Admin Panel. Otherwise, continue the following configuration steps.

 

Screen_Shot_2018-09-18_at_1.35.59_PM.png

 

Provisioning configuration

1.To enable provisioning and generate Teamable's API token, go to the Teamable "SSO Configuration" tab and (1) click the "Generate Key" button, (2) Click the copy button and (3) Click "Save".

Screen_Shot_2018-09-18_at_1.36.59_PM.png

2. In your Okta account, go to Teamable>Provisioning>API Integration and click on "Configure API Integration" button. 

Screen_Shot_2018-09-18_at_1.37.31_PM.png 
3.Check "Enable API integration".Screen_Shot_2018-09-18_at_1.37.56_PM.png

4. Fill in the API Token field with the copied token (key). Then click on "Test API Credentials". 
 
5. If the verification is successful, you will see the pop-up message: "Teamable was verified successfully!" Click "Save". Otherwise, contact Teamable support at support@teamable.com.

Screen_Shot_2018-09-18_at_1.38.33_PM.png


6.Teamable only supports "from Okta to Teamable" integration, so go Provisioning > To App, click "Edit", and enable the following settings: "Create Users", "Update User Attributes", "Deactivate Users" and click on the "Save" button.


Screen_Shot_2018-09-18_at_1.38.52_PM.png 


7. After finishing the above steps, go to the "Assignments" tab and assign users to Teamable.
Screen_Shot_2018-09-18_at_1.39.33_PM.png

SSO

After the SSO configuration, the application must be assigned to a user. Only after that, can a user sign in to Teamable. There are two ways to do so.

All users must have at least First Name, Last Name and Email fields(email field must be filled by email addresses,on numbers or IDs).

Assigning to a single user.

1. Go to the Teamable application under the "Assignments" tab, click Assign>Assign to People.

Screen_Shot_2018-09-18_at_1.41.59_PM.png

2. In the popup, (1) search the user name,(2) click "Assign", then(3) "Save and Go Back" and (4) when you have finished, click "Done".

Screen_Shot_2018-09-18_at_1.42.24_PM.png

Note: The user can sign in to Teamable even if they are not provisioned yet. For more info about provisioning read this.

Assigning to a group of users.

1.  Create a Group for Teamable and assign only that Group to the Teamable application. Go to Directory>Groups

 

Screen_Shot_2018-09-18_at_1.42.57_PM.png

2. Click to "Add Group".

Screen_Shot_2018-09-18_at_1.43.21_PM.png

3. Type in a name and description to that group and click "Add Group".

Screen_Shot_2018-09-18_at_1.43.37_PM.png

4. Click on the group name to edit the group.

Screen_Shot_2018-09-18_at_1.44.02_PM.png

5. Add members to that group to assign them to the Teamable application.

Screen_Shot_2018-09-18_at_1.44.21_PM.png

6.  (1) Search for the member, (2) Click "Add", and then (3)when you have finished, click "Done".

Screen_Shot_2018-09-18_at_1.44.40_PM.png

7. Assign a Teamable application to that group.

 


Screen_Shot_2018-09-18_at_1.45.26_PM.png

7'. You can do it also from the application settings. Go to Assignments>Assign>Assign To Groups.

Screen_Shot_2018-09-18_at_1.46.02_PM.png


(1) Search for the group by name,(2) assign Teamable to that group,(3) be careful with departments, (4)when you have finished, click "Done".

Screen_Shot_2018-09-18_at_1.46.30_PM.png

8. Enter the departments and locations.

Screen_Shot_2018-09-18_at_1.46.50_PM.png

9. Also, make sure that "Everyone" group is not assigned to Teamable application. Remove, if it is assigned.

Screen_Shot_2018-09-18_at_1.47.10_PM.png

Note: The user can sign in to Teamable even if they are not provisioned yet. For more info about provisioning read this.

Provisioning

To provision users from Okta to Teamable, you just need to assign them to the application. In Okta, all requests are sent immediately.

If for some reason the user provisioning has failed(i.e. the token wasn't updated), you will see an error message. 

Screen_Shot_2018-09-18_at_1.47.33_PM.png

!Okta will try to send request periodically. If the issue is fixed then the red sign will disappear.

You can also create/update/delete requests manually. 

1. To resend requests go to  Dashboard>Tasks.

Screen_Shot_2018-09-18_at_1.47.54_PM.png

2. You can search the user task that failed or you can change and filter task that is only related to the Teamable application. 

Screen_Shot_2018-09-18_at_1.48.19_PM.png

3. Search the Teamable application to resend all tasks. In this case, our current application is Teamable(6). Click the "Filter" button.

Screen_Shot_2018-09-18_at_1.50.35_PM.png

4. Failures have a red sign. Click on the task to resend requests.

Screen_Shot_2018-09-18_at_1.54.09_PM.png

5. You can check one failed or all failed requests and click "Retry Selected".

Screen_Shot_2018-09-18_at_1.54.30_PM.png

If after refreshing the page the failed task appears again, the issue has not been fixed yet. To see the error message, click on the task. Send that message to Teamable support at support@teamable.com.

Screen_Shot_2018-09-18_at_1.54.47_PM.png

 

 

Create user

We provision the following fields: first name, last name, email, and department ("title" and "location" will be provisioned in the future). Users who are provisioned but haven't logged in to Teamable are marked as "New", otherwise they will be marked as "Active". If the user department doesn't exist at Teamable, it will be created. If the user doesn't have a department in Okta will be asigned to "Other" department in Teamable.

Update user

After updating any of the fields from the mapping of the Teamable application, Okta sends an update request to Teamable.

De-provisioning

In Okta, there are two cases of user de-provisioning from Teamable.

  • disabling the user's or group's of users access to the application,
  • deactivating the user.

Disabling the user's access to the Teamable application at Okta

There are also two ways to disable a user's access from the application. 

1. Disabling a single user's access.

Go to Teamable>Assignments and remove a user from users list. The assignment of a user must have the type "Individual". That is the user who is assigned manually.

Screen_Shot_2018-09-18_at_1.55.12_PM.png 

If a user is assigned through Group and has the 'Group' type of assignment, you can't disable their access manually. You must disable them from the group.  If you disable the user's access to the Group, they will be disabled from all application that is assigned to that Group. To do that, go to Directory>Groups, find the necessary group and click on it. Find the user that you want to de-provision and delete as follows.

 

Screen_Shot_2018-09-18_at_1.59.04_PM.png

2. Disabling access of a group of users from the Teamable application. Go Assignments>Groups, find the group you want to disable then remove as follows.

Screen_Shot_2018-09-18_at_1.59.29_PM.png


Screen_Shot_2018-09-18_at_1.59.48_PM.png

Also, you can disable the application from the Group settings. Go to Directory>Groups>Apps and remove the application.

 

Screen_Shot_2018-09-18_at_2.00.28_PM.png

 

Troubleshooting Tips

  • Users without Email or/and First Name or/and Last Name in their Okta profiles cannot be imported to Teamable as new users.
  • Users which deactivated from Okta can not be reactivated in Teamable.

Additional questions? Contact support@teamable.com.

 
Was this article helpful?
0 out of 0 found this helpful

Comments