If you’re looking for a way to get started with securing access to your trees via Single Sign-on, you’ll first need to have an Identity Provider to manage your logins. Okta is a great service – it’s easy to set up, and very popular. This article will show you how to get Okta and Zingtree working together.
Set Up Overview
Configuring SSO requires Okta and Zingtree to share information with each other:
- Okta needs information about Zingtree.
- Zingtree needs information about Okta.
Once you have Zingtree and Okta successfully working together, you can limit access for authors and/or employees or agents.
For the setup, we recommend keeping two browser tabs open – one in Okta, and one in Zingtree.
To start, in the Zingtree top menu, go to Account, Single Sign-on. You’ll see something like this:
You can switch between setup for Agents or Authors. Switch to Author setup by clicking this:
Switch back to Agent setup by clicking:
In the above screenshot, you can see the parameters (specific to your organization) to share with Okta. Let’s use this information to set up the Okta side:
- If you haven’t already created a free Okta account, do it now.
- Go to the Okta Dashboard.
- Click Add Applications under Shortcuts.
- Click Create New App.
- Choose SAML 2.0 as the sign-on method, and click Create.
- In the General Settings, give your application a name (like “Zingtree”), and click Next.
- Under SAML Settings, configure it as shown below. For the Single Sign-on URL, use Zingtree’s Login URL. For the Audience URI, use Zingtree’s Entity ID.
- Click Next to finish the SAML setup.
Now, let’s get some information from Okta:
- In Okta, click Applications from the top menu, and go to Applications.
- Click the new Zingtree application we created.
- Click Sign on, then View Setup Instructions. Keep this page open in a browser tab.
- Now go back to the Zingtree tab, and click Edit Identity Provider Data.
- For the Zingtree Entity ID, use the Okta Identity Provider Issuer.
- For the Zingtree Login URL, use the Okta Identity Provider Single Sign-On URL.
- Copy the Okta certificate into the Zingtree certificate field.
- Click Save Identity Provider Settings.
Okta Setup for Embedding
If you’re embedding trees in another page, or using an integration via Zendesk, Salesforce, Freshdesk or other apps, you may also need to tell Okta to allow CORS requests. Okta describes this here.
Here’s how to set up CORS:
- In your Okta admin, go to Security, API:
- Go to Trusted Origins, and click Add Origin:
- Set the origin URL to https://zingtree.com, and tick both Type options.
- Click Save.
Testing Your SSO Setup
Once you’ve set up your Identity Provider and Zingtree for SSO, you can test from Zingtree as follows:
- In Zingtree, go to Account, Single Sign-on.
- Click the orange Test Agent Login or Test Author Login button at the lower right of the page.
From here, you can test logging into Okta from Zingtree. If you’re already logged in, the test will just return your email or another identifier from Okta. If you’re not yet logged in, Okta’s login screen will appear, and then you will be returned to the Zingtree SSO test page after logging in.
Enabling SSO for Agents/End-Users
Once everything is working, in Zingtree go to Account, Single Sign-on. Click Enable Agents:
Next, you need to restrict access to each tree as follows:
- Go to My Trees, and select the tree for which you want to require SSO login.
- Click the Settings tool, and you’ll see something like this:
- Check Require Single Sign-on (SSO) Login to Access.
- Click Update Settings.
Note: Once SSO is set up, any new trees created will have SSO required by default.
Enabling SSO for Authors
Once SSO for authors is set up and working, you’ll need to enable it as follows:
- Go to Account, Single Sign-on.
- Click Switch to SSO for Authors.
- Make sure Enable Authors is checked.
One More Step: You also need to add authors to your organization via Account, My Authors. They will not be required to use a Zingtree login to gain access, but this also validates them as people who have access to your organization’s trees.
Configuring Okta for Embedding or Pop-up Overlays
By default, Okta doesn’t allow logins from iFrames. You can override this as follows:
- In Okta, select Settings, Customization.
- Make sure Allow iFrame Embedding is selected.
Any questions? Don’t hesitate to reach out.
This article was originally published in 2017 and has been updated for accuracy.