Single Sign-on is a useful feature to increase security and user adoption of new tools. It means that your employees can auto-login to connected applications using their default company password, which is for instance stored in your LDAP or Active Directory system. While Small Improvements doesn't integrate with LDAP or AD directly, it does integrate with a middleware called Okta.
- Okta is a web based middleware that connects the cloud applications you use with your internal Active Directory or LDAP servers. Okta has tons of features, but the one you need to enable is the Small Improvements app, so that your SI users can log in via Okta (using SAML 2.0 behind the scenes)
- Once configured, your staff can either access Small Improvements from the Okta dashboard or, if they access Small Improvements via your subdomain (e.g. https://mycompany.small-improvements.com) then we'll rely on Okta to ask for the password (if they aren't logged in already)
Important: The Okta integration is only for SSO. We do not automatically synchronize your user accounts between systems yet. This is planned for the future, but right now you will have to keep your Small Improvements user accounts in sync with your directory service. If a user doesn't have an account in SI, then they won't be able to log in. You can create user accounts manually, or send us an Excel spreadsheet to upload your users.
How to set it up in less than 5 minutes
First, log in into Okta as an administrator. Locate the "add application" entry, and search for Small Improvements in the Application Directory.
Next, type in your Small Improvements subdomain. If you're using https://mycompany.small-improvements.com, then type in "mycompany" here. If you don't have a SI subdomain yet, please contact SI staff to set this up for you. It's usually complete within an hour or two, but please allow for one business day.
Continue with the Okta setup. On the subsequent details screen, select SAML 2.0. Leave the default relay state empty, it does not apply in SI.
The button 'View Setup Instructions' will take you to a documentation page that lists all the settings you'll need to enter into Small Improvements now.
Follow the comprehensive Okta documentation, and then you'll be done with the basics within minutes.
Now add user-accounts to Small Improvements via Administration -> Company Directory or import them from an Excel worksheet. Note: A user needs to be created in SI before he/she can login.
Adjusting the welcome email
Important: You must adjust some emails to avoid confusion!
- Whenever you invite staff into Small Improvements, they receive an email telling them about Small Improvements. This email also explains how to define their new password. But since they will use Okta's password instead, that email template needs to get changed!.
- Please locate the "Access to Small Improvements: Welcome Mail" email template, and remove any mention passwords setting. You can write that people should use the password defined in your intranet instead.
For this to work you will need a Small Improvements subdomain. Just let us know and we'll have it up and running within a business day.
- Also, you will of course need to set up an account with Okta.
- Remember: The Okta integration is only for SSO, it doesn't yet help with user management. All users need to have an account on both systems already.
- And before you roll out the Okta integration, you should definitely test it with two or three accounts, just to be sure everything it set up properly!
In case something doesn't work with a login via Okta (for instance because a user exists in SI but not in LDAP, or Okta doesn't pull it from LDAP), and you still want that person to be able to log in, please manually define a password for them: Go to the SI user profile page, locate "admin" in the dropdown, and change their password.
Tell the person their new password, and direct them to log in via the main SI website: https://www.small-improvements.com. Don't use your company-specific subdomain, since that will typically redirect to Okta instantly unless you enabled the "log in with username/password"-option already. The www option will allow the user to log in manually while keeping the subdomain on "auto-login"