Enabling SAML will affect all users who use this application, which means that users will not be able to sign-in through their regular log-in page. They will only be able to access the app through the Okta service.
Backup URL
4me provides the following backup log-in URL where users can sign-in using their normal username and password: [baseUrl]/access/normal.
For example, if your login page is https://acme.4me.com/login, your backup log-in URL: https://acme.4me.com/access/normal.
The Okta/4me SAML integration currently supports the following features:
For more information on the listed features, visit the Okta Glossary.
Sign in to your 4me instance.
Navigate to Settings > Single Sign-On, then follow the steps below:
Enabled: Check this box.
Remote logout URL: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
IP ranges: Specify IP ranges, if required.
SAML SSO URL: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
Certificate fingerprint: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
Click Save:
[OPTIONAL: JIT Provisioning] If you want to enable JIT: In Okta, select the Sign On tab for the 4me app, then click Edit.
Scroll down to the ADVANCED SIGN-ON SETTINGS section.
Select Enable from the Just-in-Time Provisioning drop-down list.
Click Save:
IMPORTANT: You must configure at least the organization custom attribute in order to use JIT (Just In Time) Provisioning. See the instructions below.
Done!
Make sure that you entered the correct value in the Base URL field under the General application tab in Okta. Using the wrong value will prevent you from authenticating via SAML to 4me.
For example, if your login page is https://acme.4me.com/login, your Base URL value is: https://acme.4me.com.
The following SAML attributes are supported:
Okta sends the following default attributes as part of the SAML assertion:
| Name | Value |
|---|---|
| jit | org.jit |
| name | user.fullName |
In addition to the default attributes, Okta supports the following custom attributes:
| Name | Value |
|---|---|
| supportID | appuser.supportID |
| job_title | appuser.job_title |
| locale | appuser.locale |
| location | appuser.location |
| time_zone | appuser.time_zone |
| organization | appuser.organization |
| site | appuser.site |
| manager | appuser.manager |
IMPORTANT: The Organization custom attribute is required. You must configure it in order to use Just-in-Time Provisioning.
Here is an example describing how to add and use the additional Organization attribute:
In Okta, navigate to Directory > Profile Editor.
Search for the 4me app, then click Profile:
Click Add Attribute, then enter the following:
Display Name: Enter a preferred attribute name. In our example, we used Organization.
Variable Name: Enter organization.
Important: In our example we are adding the organization attribute. You must use the following variable names (case-sensitive) for the custom attributes: supportID, job_title, locale, location, time_zone, organization, site, and manager.
Click either Add Attribute or Save and Add Another.
Note: Scope (optional): If you check User personal, the current attribute will be available once you assign the user to the 4me application and will not be available once you assign the group to the app.
Click Map Attributes:
Select the Okta to 4me tab.
Start typing the required attribute from the Okta Base User profile (or use the dropdown list) and select the attributes you want to map.
In our example, we have selected the Organization attribute, and then use the green arrows (Apply mapping on user create and update).
Click Save Mappings:
Click Apply updates now:
Okta will now pass the Organization attribute with the value of the Organization field from the Okta Base User Profile to 4me.
Open your 4me login URL.