Skip to main content
All CollectionsAdministrative guides
Implementing SSO and User Provisioning
Implementing SSO and User Provisioning

Using an Identity Provider such as Azure AD or OKTA to provide Single Sign On (SSO) or User Provisioning using SCIM

Updated over 3 months ago

This guide describes how to setup and configure Single Sign On (SSO) and User Provisioning from a variety of Identity Providers.

System prerequisites

  • Identity provider that supports SAML for Single-Sign-On a

  • Identity provider that supports S SCIM for User Provisioning

Permission prerequisites

Supported identity providers

The following Identity Providers have been tested against:

SCIM (User Provisioning)

  • Azure AD

  • OKTA

SAML (SSO)

  • Azure AD

  • Google

  • OKTA

  • OneLogin

Open relevant sections below to learn how to set up user provisioning and SSO for different providers

Configuring User Provisioning with Azure Active Directory

Prerequisites

  • Azure AD Premium

  • Elements added as an application to Active Directory. See this article to configure and setup Elements as an application and SAML for SSO.

  • an Elements Corporate Management with at least one connected domain

  • an Elements account which has the right to administer the Corporate Management environment

Steps to enable SCIM

1. Open the list of Enterprise applications in Azure Active Directory and select the Elements application (it will have whatever name was given to it when it was setup).

2. Select the Provisioning menu option

3. Open the Elements Corporate Management application and select the Config page and Provisioning tab. The URL and key required for the following section are displayed.

4. In the Azure AD provisioning page, enter the following

In the Tenant URL field enter the the Base URL from the Elements provisioning page

In the Secret Token field enter the Token value from the Elements provisioning page

Click the Test Connection button to check that Azure AD can connect to Elements

5. Setup the synchronization settings

Turn provisioning on.

6. Assign Users to the Elements application

Configuring User Provisioning with Okta


Prerequisites

  • You have a Corporate Management set up within the Elements.cloud application. Contact success@elements.cloud to set up Corporate Management.

  • You are the Corporate Management Admin.

  • At least one domain has been verified.

Features

Invited User Administration is supported for the Elements application.

This enables OKTA to:

  • update user profiles for users who are in an invited state in Elements (including those who have not accepted invitations); and

  • move a user who has not accepted an invitation and make their account active.

The following provisioning features are supported:

  • Push New Users

  • New users created through OKTA will also be created in the Elements application.

TIP users created in OKTA who have an email that is not part of a verified domain in the Elements Enterprise will not be added to the Elements environment.

  • Push Profile Updates

  • Updates made to the user's profile through OKTA will be pushed to the Elements application.

TIP only users with an email whose domain is verified in the Elements Enterprise will be updated in Elements.

  • Push User Deactivation

  • Deactivating the user or disabling the user's access to the application through OKTA will block the user in the Elements application.

Known Issues

  • If the user email is changed in OKTA (but not the username), it will not update the email of the user in Elements. The user is still connected and authentication will still work, but all notifications in Elements will still be sent to the original email address

  • If the username changes in OKTA, this will result in a new user account being created in Elements with the email. If a user account in Elements already exists with this email, then it merges the new OKTA user with the existing Elements account

Configuration Steps

Configure your Provisioning setting for Elements as follows:

  1. In the Enterprise Management app in Elements, go to the "Config" page from the right menu and select the "Provisioning" tab.

2. Select OKTA from the Identity Provider dropdown - this is the default. This will then show the SCIM Base URL and the API token required by OKTA.

3. Return to OKTA and log in as an Administrator. In the Admin area, go to the Applications menu and click on the Elements.cloud application.
Go to the Provisioning tab -> To App.

4. Scroll down until you see the Elements.cloud Attribute Mappings. Click on Go to Profile Editor.

5. In the Profile Editor, click on Map Attributes.

6. In the mappings page, click on the Okta to Elements.cloud tab. For the userName attribute, click on Override with mapping. Map the userName to user.login and make sure to choose the Apply mapping on user create only option.

7. Go to the Provision tab -> API Integration

  • Enable API integration checkbox and entry of the token from Elements.
    The token can be tested using the API credentials with the Test API Credentials button.

  • Then click Save.

8. Done.

Configuring SAML for Azure AD

Prerequisites

  • Azure AD Premium

  • an Elements Corporate IT Management with at least one connected domain

  • an Elements account which has the right to administer the Corporate IT Management environment

Steps to enable SAML

Open the Azure Portal, select Azure Active Directory and:

1. From the Enterprise applications, select New Application

2. Select a Non-gallery application

3. Provide a Suitable name e.g. Elements

4. From the Application Manage menu select Single Sign-on

5. Select SAML option

6. Open the Elements Corporate Management application and select the Config page. The URLs required for the following section are displayed

7. In the Azure AD Application SAML setup page, on section 2, Domains and URLs, provide the following:

In the Identifier (Entity ID) paste the Metadata URL from the Config page in Elements

In the Reply URL (Assertion Consumer Service URL) paste the Single Sign On URL from the Config page in Elements

8. In section 3 change the User Identifier, select from the drop down the user.mail option

9. From section 4 download the Metadata XML file

10. In Elements on the SSO Config Page, enter a value into the Identity provider name e.g. Azure.

11. Upload the certificate by selecting the Metadata.xml file downloaded from Azure

12. Submit the form

SAML is now enabled

13. Make sure appropriate users or user groups are assigned to the Elements application in the Azure Active Directory.

You can read how to do it in Azure's support article.

What if the certificate has expired?

If your certificate has expired, you will need to generate a new one in Azure. Then, in Elements you will need to select "Delete Identity Provider" and create a new connection with the refreshed certificate.

End User Access

When users want to log into Elements from the login page, they just need to provide their email address (for the Elements account) and click next. The system will then verify if that user is part of an active Corporate Management with SSO enabled, and if so will take them to their provider login page (or straight to the application if the user is already logged in with the provider).


Configuring SAML for Okta

Prerequisites

  • You have to be logged into OKTA to be able to download metadata.xml

Instructions

The SAML integration guide is available on the OKTA site at the following URL (Log in to OKTA Admin App to be able to fetch the metadata.xml):
https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Elements-cloud.html

You must ensure you select the correct instance (EU or US) that your account is using when setting up. You can tell from the Elements domain which instance this is:

Configuring SAML for Google

Prerequisites

Configuring SSO with Google

First, you will have to create a new SAML app in your Google Workspace called "Elements". Read this google support article on how to set up your own SAML applications.

  1. When you click to add a new SAML app, select the "Setup my own custom app" in the bottom-left corner of the modal:

2. From the 2nd screen, click to download the XML certificate (below entity ID):

3. On the 3rd screen, name the application Elements and provide a description or logo if you want to (not mandatory).

4. At this point, open Elements app in the separate tab. Go to your Corporate Settings, then choose "Config" option in the left menu:

5. Click "Choose file" and upload the certificate file you downloaded in step 2. Provide Identity Provider Name : "Google" and click "Submit".

6. In your Google Workspace, click next in the custom SAML app wizard. When you see the screen below, paste the ACS URL & Entity IDs from the Elements Config page (named Single Sign ON URL and Metadata URL respectively)

7. Click "Next". No custom attribute mapping is required. Simply click finish and the SSO should be configured between your Google Workspace and Elements.

Overriding SAML (SSO) as Corporate admin

As a corporate admin, you can access Elements without using the SAML provider if required. To do that, follow this link: https://app.q9elements.com/signin?pw=true

Did this answer your question?