This guide describes how to set up and configure Single Sign On (SSO) and User Provisioning from a variety of Identity Providers.
System prerequisites
Identity provider that supports SAML for Single Sign-On
Identity provider that supports SCIM for User Provisioning
Permission prerequisites
User with corporate admin permission in Elements
Supported identity providers
The following Identity Providers have been tested:
SCIM (User Provisioning)
Azure AD
OKTA
SAML (SSO)
Azure AD
Google
OKTA
OneLogin
Open the relevant sections below to learn how to set up user provisioning and SSO for each provider.
Configuring User Provisioning with Azure Active Directory
Prerequisites
Azure AD Premium
Elements added as an application to Active Directory. See this article to configure and set up Elements as an application and SAML for SSO.
an Elements Corporate Management with at least one connected domain
an Elements account which has the right to administer the Corporate Management environment
Steps to enable SCIM
1. Open the list of Enterprise applications in Azure Active Directory and select the Elements application (it will have whatever name was given to it when it was set up).
2. Select the Provisioning menu option
3. Open the Elements Corporate Management application and select the Config page and Provisioning tab. The URL and key required for the following section are displayed.
4. In the Azure AD provisioning page, enter the following:
In the Tenant URL field, enter the Base URL from the Elements provisioning page
In the Secret Token field, enter the Token value from the Elements provisioning page
Click the Test Connection button to check that Azure AD can connect to Elements
5. Set up the synchronization settings
Turn provisioning on.
6. Assign Users to the Elements application
Configuring User Provisioning with Okta
Prerequisites
You have a Corporate Management set up within the Elements.cloud application. Contact success@elements.cloud to set up Corporate Management.
You are the Corporate Management Admin.
At least one domain has been verified.
Features
Invited User Administration is supported for the Elements application.
This enables OKTA to:
update user profiles for users who are in an invited state in Elements (including those who have not accepted invitations); and
move a user who has not accepted an invitation and make their account active.
The following provisioning features are supported:
Push New Users
New users created through OKTA will also be created in the Elements application.
TIP: users created in OKTA who have an email that is not part of a verified domain in the Elements Enterprise will not be added to the Elements environment.
Push Profile Updates
Updates made to the user's profile through OKTA will be pushed to the Elements application.
TIP: only users with an email whose domain is verified in the Elements Enterprise will be updated in Elements.
Push User Deactivation
Deactivating the user or disabling the user's access to the application through OKTA will block the user in the Elements application.
Known Issues
If the user email is changed in OKTA (but not the username), it will not update the email of the user in Elements. The user is still connected and authentication will still work, but all notifications in Elements will still be sent to the original email address.
If the username changes in OKTA, this will result in a new user account being created in Elements with the email. If a user account in Elements already exists with this email, then the new OKTA user is merged with the existing Elements account.
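The following toy model, added here as an illustration and not Elements' or Okta's own code, shows the provisioning rules described under Features and Known Issues: verified-domain gating, profile updates that leave the email untouched, username changes that merge into an existing account by email, and deactivation that blocks the user. It assumes the usual SCIM userName/emails/displayName/active subset of the payload.

```python
# Toy model of the SCIM provisioning behaviour described on this page.
# Added illustration only; not Elements' or Okta's code. The payload shape
# (userName, emails, displayName, active) is an assumption.
from dataclasses import dataclass


@dataclass
class ElementsUser:
    username: str       # SCIM userName, mapped from Okta user.login
    email: str          # fixed at creation (known issue 1)
    display_name: str
    active: bool = True


class ScimProvisioner:
    def __init__(self, verified_domains):
        self.verified_domains = {d.lower() for d in verified_domains}
        self.users = {}  # keyed by userName

    def _domain_verified(self, email):
        return email.rsplit("@", 1)[-1].lower() in self.verified_domains

    def _by_email(self, email):
        return next((u for u in self.users.values()
                     if u.email.lower() == email.lower()), None)

    def push(self, scim):
        """Handle one SCIM create/update; returns the stored user, or None
        when the request is ignored because the email domain is not verified."""
        email = scim["emails"][0]["value"]
        if not self._domain_verified(email):
            return None  # TIP: unverified domain -> neither added nor updated
        user = self.users.get(scim["userName"])
        if user is None:
            # Unknown userName: merge into an existing account with the same
            # email (known issue 2), otherwise create a new account.
            existing = self._by_email(email)
            if existing is not None:
                self.users.pop(existing.username, None)
                existing.username = scim["userName"]
                user = existing
            else:
                user = ElementsUser(scim["userName"], email,
                                    scim.get("displayName", ""))
            self.users[user.username] = user
        # Profile update: display name follows Okta, email does not (known issue 1).
        user.display_name = scim.get("displayName", user.display_name)
        user.active = scim.get("active", True)  # Push User Deactivation blocks the user
        return user
```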
Configuration Steps
Configure your Provisioning setting for Elements as follows:
1. In the Enterprise Management app in Elements, go to the "Config" page from the right menu and select the "Provisioning" tab.
2. Select OKTA from the Identity Provider dropdown - this is the default. This will then show the SCIM Base URL and the API token required by OKTA.
3. Return to OKTA and log in as an Administrator. In the Admin area, go to the Applications menu and click on the Elements.cloud application.
Go to the Provisioning tab -> To App.
4. Scroll down until you see the Elements.cloud Attribute Mappings. Click on Go to Profile Editor.
5. In the Profile Editor, click on Map Attributes.
6. In the mappings page, click on the Okta to Elements.cloud tab. For the userName attribute, click on Override with mapping. Map the userName to user.login and make sure to choose the Apply mapping on user create only option.
7. Go to the Provisioning tab -> API Integration.
Tick the Enable API integration checkbox and enter the token from Elements.
The token can be tested with the Test API Credentials button.
Then click Save.
8. Done.
Configuring SAML for Azure AD
Prerequisites
Azure AD Premium
an Elements Corporate IT Management with at least one connected domain
an Elements account which has the right to administer the Corporate IT Management environment
Steps to enable SAML
Open the Azure Portal, select Azure Active Directory and:
1. From the Enterprise applications, select New Application
2. Select a Non-gallery application
3. Provide a suitable name, e.g. Elements
4. From the Application Manage menu select Single Sign-on
5. Select SAML option
6. Open the Elements Corporate Management application and select the Config page. The URLs required for the following section are displayed.
7. In the Azure AD Application SAML setup page, in section 2, Domains and URLs, provide the following:
In the Identifier (Entity ID) field, paste the Metadata URL from the Config page in Elements
In the Reply URL (Assertion Consumer Service URL) field, paste the Single Sign On URL from the Config page in Elements
8. In section 3, change the User Identifier: select the user.mail option from the drop-down
9. From section 4 download the Metadata XML file
10. In Elements on the SSO Config Page, enter a value into the Identity provider name e.g. Azure.
11. Upload the certificate by selecting the Metadata.xml file downloaded from Azure
12. Submit the form
SAML is now enabled.
13. Make sure appropriate users or user groups are assigned to the Elements application in the Azure Active Directory.
You can read how to do it in Azure's support article.
What if the certificate has expired?
If your certificate has expired, you will need to generate a new one in Azure. Then, in Elements you will need to select "Delete Identity Provider" and create a new connection with the refreshed certificate.
End User Access
When users want to log into Elements from the login page, they just need to provide their email address (for the Elements account) and click next. The system will then verify if that user is part of an active Corporate Management with SSO enabled, and if so will take them to their provider login page (or straight to the application if the user is already logged in with the provider).
Configuring SAML for Okta
Prerequisites
You have to be logged into OKTA to be able to download metadata.xml
Instructions
The SAML integration guide is available on the OKTA site at the following URL (Log in to OKTA Admin App to be able to fetch the metadata.xml):
https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Elements-cloud.html
You must ensure you select the correct instance (EU or US) that your account is using when setting up. You can tell from the Elements domain which instance this is:
Configuring SAML for Google
Prerequisites
Elements Enterprise plan
Corporate Management set up for your Elements work environment
an Elements account which has the right to administer the Corporate IT Management environment
Configuring SSO with Google
First, you will have to create a new SAML app in your Google Workspace called "Elements". Read this Google support article on how to set up your own SAML applications.
1. When you click to add a new SAML app, select "Setup my own custom app" in the bottom-left corner of the modal:
2. On the 2nd screen, click to download the XML certificate (below the Entity ID):
3. On the 3rd screen, name the application Elements and provide a description or logo if you want to (not mandatory).
4. At this point, open the Elements app in a separate tab. Go to your Corporate Settings, then choose the "Config" option in the left menu:
5. Click "Choose file" and upload the certificate file you downloaded in step 2. Provide the Identity Provider Name "Google" and click "Submit".
6. In your Google Workspace, click Next in the custom SAML app wizard. When you see the screen below, paste the ACS URL and Entity ID from the Elements Config page (named Single Sign On URL and Metadata URL respectively).
7. Click "Next". No custom attribute mapping is required. Simply click finish and the SSO should be configured between your Google Workspace and Elements.
Overriding SAML (SSO) as Corporate admin
As a corporate admin, you can access Elements without using the SAML provider if required. To do that, follow this link: https://app.q9elements.com/signin?pw=true