SSO integration guide
⚠️ Access to the SSO configuration requires specific permissions (company manager rights in Javelo).
In order to configure SSO, you need to follow these steps:
Go to "Settings" (⚙️ icon) in the upper right corner of your Javelo account.
Select “SSO” from the navigation menu under the Company section.
Here you have all available SSO integrations, and more specifically Okta:
Find Okta panel and click "Configure" to open the configuration modal:
Configuration order
Define the provider value on Javelo modal configuration
Start the configuration of Identity provider on Okta side
Use technical informations at the bottom of Javelo modal configuration to fill mandatory information in Okta
Ensure the attribute mapping in Javelo and Okta side matches
Finish the Javelo SAML V2 service provider by setting the identity provider entity ID and metadata URL you will get in Okta.
Assign the user to the app in Okta.
Test the metadata URL with the button on Javelo modal configuration
Enable Okta SSO on Javelo
(Optional) activate SAML encryption
Test the connection with “test mode”
Configuration of Javelo Service Provider
Here is a description for the configuration of your SAML service provider on Javelo. Please follow the instruction below. You will be then able to get any information you need to configure the Identity provider.
Provider
As stipulated here above, the first step of the SSO configuration is to choose the name of Provider.
Javelo generates unique dedicated endpoints for your identity provider integration.
The name you will chose will be the base for these endpoints. Please ensure it only contains letters, number, underscore or hyphen. Ex:
my-company_1 ✅
@my#organization_ ❌
⚠️ You should fill this value first, because some Identity provider configuration element are dependent.
Entity ID
Once you have completed the configuration on Okta, you can proceed with filling the value of Entity ID of the Identity provider.
It is required when Javelo will fetch metadata to select the appropriate settings. It should be the identifier of Identity Provider on Okta, not `https://api.teamrise.io`.
Metadata URL
Once you have completed the configuration on Okta, you can proceed with filling the value of Metadata URL of the identity provider on Javelo.
Javelo relies highly on identity provider metadata to configure the services provider. These metadata are frequently automatically refreshed.
A valid URL is mandatory. The format of the provided URL is automatically tested by the form. A red message will appear below the field to inform you if the url is invalid.
💡 Here below you will find a detailed explanation on where to retrieve the correct values for Entity ID and Metadata URL on Okta.
Requests attributes
👉🏻 Three pieces of information are required during a SAML authentication process on Javelo:
The user email
The user first name
The user last name
Users may be created through SAML, and this is the very minimal payload that may be used in that purposed.
These elements must appear as an Attribute elements of the assertion request. For example:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>DUPOND</AttributeValue>
</Attribute>
Here is the configuration of this attributes for Javelo:
Options
Force usage
The Force usage parameter will change the behaviour of the authentication process. If chosen, users are directly redirected to the SSO authentication page once the company is selected (through it’s subdomain or an email).
❗ Beware to use this option only if you are certain that all users are allowed to use your SSO.
Test mode
This option allows to setup the SSO configuration without any impact on the authentication process. Users will not be exposed to SAML V2 authentication, but it is available on a single, specific URL:
https://${SUBDOMAIN}.javelo.io/auth/login?provider=${PROVIDER} , see below to find that information.
You will be able to try your configuration, and make corrections if required.
We recommend using this option for the first configuration of your SSO. Once you have made sure your SSO is correctly configured, you can deactivate the Test mode by deselecting this option.
This option allows to enable/disable the creation of new users from a connection done via SSO.
If the user does not already exist, it is created.
We recommend disabling this option if you are also using a synchronization in order to avoid creation of unwanted accounts or duplicates with different email addresses linked to the same user.
Configuration of Identity provider
Here is the information you may need to configure the SAML V2 identity provider, and what you may need to test.
Javelo Callback URL : SAML Assertion service provider endpoint
Javelo Entity ID : service provider entity ID
Javelo Metadata URL : service provider metadata endpoint
Javelo Test URL : link to access The SAML identity provider in test mode
Okta identity provider
Okta SAML 2.0 app setup
1. Go to Okta.
2. On the sidebar, click Applications
3. Choose SAML 2.0, and click Next.
4. Give your SAML Okta app a name:
You can also add a logo if want.
5. Click Next to go to step 2 "Configure SAML":
Fill Single sign on URL field with Javelo Callback URL.
Fill Audience URI field with Javelo Entity ID.
6. Define SAML attribute statements like this:
This must match the information displayed here. ⚠️ Names are case sensitive.
Information for Javelo service provider
Go to your Okta application page, on the Sign On tab.
There, you'll see the yellow callout. Click the Identity Provider metadata link. It will open a new tab with your Okta SAML App metadata.
Okta user assignment
Go to the Assignments tab of your SAML app. Click Assign, then Assign to People.
Then, choose your users, and click Done.
SAML Assertion Encryption
All SAML messages exchanged between the IDP and the Service Provider are encrypted. If you wish to activate this behaviour, follow these instructions.
Update your Okta SAML app settings
In your Okta SAML app General tab, Edit SAML settings, reveal Advanced settings, and activate encryption as follow:
For the Assertion Encryption field, choose Encrypted
Then upload your certificate.crt file.
Go through the configuration wizard.
Metadata refresh
Once created, you may manually the refresh of identity provider metadata on Javelo service provider. It is really useful if you make some change on identity provider certificate for instance.
Important information
There are few points to keep in mind with Saml V2 SSO integration on Javelo:
The SSO is mono-tenant
An SSO configuration may only be used to authenticate users for the same Javelo organization. If you have many organizations on the Javelo platform, you should have distinct SSO configurations for each.
There is one SSO configuration allowed per organization
Javelo doesn’t support for the moment more than one Saml V2 SSO configuration per organization.
Troubleshooting FAQ
email not found in request
This error means the attribute configuration in Service provider is not correct for email.
“Email” attribute is missing in the SAML assertion request.
name not found in request
This error means the attribute configuration in Service provider is not correct for the first name.
“Name” attribute is missing in the SAML assertion request.
last_name not found in request
This error means the attribute configuration is not correct for the last name. “Last name” attribute is missing in the SAML assertion request.
your account has been deactivated
The user has been deactivated on Javelo. Authentication is impossible.
Lexicon
Identity provider ⇒ The tool or service you use (KeyCloak for instance)
Service provider ⇒ SAML V2 Javelo side
Assertion request ⇒ http request from the identity provider to Javelo service provider sent after a successful authentication. It contains all attributes of an authenticated user.