Setting up Okta integration requires Admin Access in both Okta and Planhat. Both apps will require input from the other. Integration is made more accessible with Planhat being part of the Okta Integration Network (OIN).
Setting up the Okta integration is divided into the following parts:
Integrating Planhat with Okta Account
Inputting parameters across systems
Finalizing SSO Settings
Preparing Okta Account
Before you begin, note that the administrator running this task must be a super admin for the Okta org and must be signed in to the Okta Admin Console.
After the app integration is added to the Okta org, app admins can configure and assign the app integration to the appropriate users and groups.
Integrating Planhat
To add an existing app integration to your org:
In the Admin Console, go to Applications
Click Browse App Catalog, search for Planhat in the search bar, and click on Planhat
Click Add Integration on the details page
Click Done
Input parameters across systems
To set up the SSO connection, there are some values in Planhat you need to input into Okta, and vice versa. Below we walk through the required parameters; the label before each parameter indicates which system the value comes from and where it should be entered.
Inputs into Okta
Log in to your Okta administrator account and navigate to Applications > Sign On
Click Edit
Scroll down to Advanced Sign-on Settings
Input the following values:
Planhat: Audience URI (SP Entity ID)
This value is entered on Planhat's side in the Security module. You can find it in the instructions under Single Sign-on > Security in Planhat. The general rule is:
https://api-[cluster].planhat.com/samlmetadata/[tenant_name]
Planhat: Single Sign On URL (called SSO URL in Okta)
Inputs into Planhat
Log in to Planhat as an Administrator
Click on your account, then select Security
Select Single Sign-On
Toggle the enable switch to ON
Input the following:
Planhat: Logout URL
The next input is found in your Okta app under Identity Provider Metadata. Copy and paste this value into Planhat in the Security module.
Finalizing SSO Settings
There are several other important settings that must be configured in Planhat to have a successful SSO integration with Okta.
Planhat: Initiator - required
This controls whether users should be able to log in via the IdP-initiated flow only (i.e., only via the Okta directory), or also via the SP-initiated flow (i.e., via Planhat's website). It is purely a setting, requiring no other input than a decision from your end on what works best. We recommend using both (IdP + SP).
Maximum session length (days) - required
This setting dictates the number of days a user stays logged in at a time. Once the time limit is reached, the user is signed out automatically and has to sign in via SSO again.
Time-based log-out
This is an optional setting that logs users out at a certain time. This time is based on the user's most recent recorded timezone. If the user hits the session length before the time-based log-out, they will also be logged out.
Redirect to this URL after session expires
This is the URL that the user will be redirected to once either the maximum session length or time-based log-out criteria are met.
Users that are allowed to use username&password or "Sign in with Google" when SSO is turned on
This setting allows the listed users to continue signing in with their username and password, or with "Sign in with Google", instead of SSO.
Disable SAML AuthnContext
When enabled, Planhat does not request a specific authentication context, allowing the SSO provider to make its own decision.