Teem’s integration with Okta allows mutual customers to log in to Teem via Okta.
In order to use Okta SAML and/or User Provisioning you’ll need to fulfill a few requirements as listed below:
- SAML is not available with all subscription levels. See our pricing page or reach out to your Teem representative for more information.
- The Teem account you’re using to log in must have admin-level permissions.
- Your company’s Teem account should have its structure built out to match your organization’s physical space.
- You must have Admin level permissions within your Okta environment.
- You must be logged in to your Teem account and your Okta account within the same browser session.
Got all that? Now you’re ready to set up and use Okta services!
Okta SAML Integration
Set Your Subdomain
Navigate to teem.com and click on Manage from the menu to the left. Click on Teem Account, then Company Details. In the field for Teem SSO Sub-Domain enter your preferred subdomain. This is typically the name of your organization. For example, if my company was called Orca Panda, I'd enter "orcapanda" in the subdomain field, and it would make my subdomain site https://orcapanda.teem.com. Heads up: spaces and symbols are not allowed in subdomains.
Add the EventBoard SAML app within your Okta Admin Dashboard
Get Okta Settings
Go into the EventBoard SAML app in Okta, and under Sign On, select View Setup Instructions. This provides the details needed to configure EventBoard to use Okta.
The key things that you need here are 2, 3, and 4. Keep this open.
Add Okta Settings to EventBoard
Click on Manage → Apps & Integrations → 3rd Party Apps and select the Activate button under the SAML logo.
You will see the following form:
Enter the following:
Friendly Name is an arbitrary name for this SAML provider so that you can identify this account. You can put whatever you like for the name. Please note: you should only have one SAML account; if you add a second, we won't be able to differentiate between the two.
Entity ID is copied from the Okta Setup Instructions accessed before.
Url is the Sign-in URL from the Okta Setup Instructions accessed before.
The X509cert is the text from the .cert file that is accessed through the setup instructions. To get it, open the .cert file linked in the Setup Instructions with TextEdit, Notepad, or your favorite text editor, copy the contents between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers (do not include the markers themselves), and paste that in the X509Cert box.
If you go back to the Integrations page, the SAML settings can be edited or viewed by clicking on Settings.
Navigate to the subdomain login page that you set up in the first step: https://<subdomain>.eventboard.io/login. This will take you to your identity provider, and if your email matches up and you are authenticated to Okta, you will be logged in.
Enabling IdP-initiated Login
First, we need to get your default relay state. In Integrations (noted above) select Configure and then look in the information section. The UUID is shown there, and you will need to copy this.
Now go to the Okta admin portal, go into the EventBoard SAML application, and under Sign On select the Edit button for Settings.
Paste in the Default Relay State that you obtained, set Force Authentication to match your needs, and then select save. This completes the IdP-initiated Login setup.
Provisioning Users with Okta
This section walks through setting up provisioning of EventBoard users with Okta. This step should be completed after Teem and Okta are integrated.
With Okta we are able to support the following provisioning features:
- Create Users
- Update User Attributes
- Deactivate Users
We do not have the ability to sync passwords. This is a design choice by Teem. Users that are configured by Okta cannot have a password set, and can only use Okta login to access
Configure your Provisioning settings for EventBoard as follows:
1. Check the Enable provisioning features box
2. In the API Authentication section, click Authenticate with EventBoard SAML
3. Within Teem select Authorize
4. You are now authenticated, and can now select which provisioning features to enable.
5. Within the Provisioning tab check the features you would like to enable and select Next.
6. You can now assign users and sync groups to the app as needed.
This list of common errors can help you troubleshoot on your own. If you have other problems, please reach out to Teem support.
- We do not currently support syncing the Admin status from Okta into Teem.
- I get a 500 error (page that says we are performing maintenance) during IdP-Initiated login. This is often caused by a missing RelayState.
- Users get the error "Teem account not found" during IdP- or SP-initiated login. This can happen for a couple of reasons:
1. Has the user been successfully provisioned from Okta so that an admin can see the user within their Teem Dashboard? If they have not, please provision them OR enable JIT provisioning (checkbox at the bottom of the Okta Integration Settings page in your Teem admin dashboard).
2. The email is not coming within the SAML Assertion. Please use SAML Tracer, a Firefox plugin, to get a SAML Trace and see the assertion. You can use this to send troubleshooting information to both Teem and Okta. If the Assertion does not contain the email, we don't know who to log in.
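The two failures above (a missing RelayState during IdP-initiated login, and an assertion with no email) can both be checked from the POST body that SAML Tracer captures. This Python sketch is an added example, not Teem or Okta code: `check_idp_post` and `sample_post` are hypothetical names, the sample response is constructed and unsigned, and because the page does not say which element Teem reads the email from, the check looks in both NameID and every AttributeValue.

```python
import base64
import re
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_idp_post(form_body: str) -> list:
    """List the problems in a captured IdP POST body (diagnostic only; the
    signature is not verified here)."""
    fields = parse_qs(form_body)  # blank fields are dropped, so "" means absent
    problems = []
    try:
        uuid.UUID(fields.get("RelayState", [""])[0])
    except ValueError:
        problems.append("RelayState missing or not a UUID")
    if "SAMLResponse" not in fields:
        return problems + ["SAMLResponse missing"]
    xml_text = base64.b64decode(fields["SAMLResponse"][0]).decode("utf-8")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing to parse XML that declares a DTD or entities")
    root = ET.fromstring(xml_text)
    nodes = root.findall(".//saml:NameID", NS) + root.findall(".//saml:AttributeValue", NS)
    if not any(EMAIL_RE.match((n.text or "").strip()) for n in nodes):
        problems.append("no email address in NameID or any AttributeValue")
    return problems


def sample_post(name_id: str, relay_state: str) -> str:
    """Build a constructed, unsigned IdP POST body for the demonstration."""
    xml_text = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    fields = {"SAMLResponse": base64.b64encode(xml_text.encode()).decode()}
    if relay_state:
        fields["RelayState"] = relay_state
    return urlencode(fields)


if __name__ == "__main__":
    # Constructed values: a placeholder UUID and a made-up address.
    print(check_idp_post(sample_post("pat@orcapanda.example", "123e4567-e89b-12d3-a456-426614174000")))
    print(check_idp_post(sample_post("pat.smith", "")))
```

Captured responses contain user identifiers, so trim or redact them before attaching a trace to a support ticket.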
With these steps done, your users can now sign in or authenticate using Okta!
We hope this helps! If you have any questions, please feel free to reach out to us by email or phone at: firstname.lastname@example.org, 415-830-6989.