Single sign-on (SSO) means that a user can log in using one identity provider (in this case, Okta) and access another application as well, without having to enter their credentials again for the second platform. You can set up SSO between Okta and iOn as shown below.


Prerequisites


The following are required in order to configure SSO between Okta and iOn:


  • You will need to have administrative roles in both your Okta instance and iOn.
  • You must be able to configure your Okta instance to enable OpenID Connect (OIDC) integrations and have user permissions to create new application integrations (as well as sufficient privileges to configure the SSO integration with iOn).
  • Your user accounts must be set up in iOn using an email address for usernames. The email domain needs to be unique, one that has not been previously configured for SSO with iOn.
  • You must assign (and maintain) permissions and roles for users in iOn. The Okta integration will be used for authentication purposes only.

Note: Part of the SSO configuration process outlined in this article is in CTC Admin, not iOn. If you have an iOn account but not a CTC Admin account, contact your CalAmp representative for assistance.


Beginning Your Okta Configuration


To start your SSO setup, follow these steps in Okta:


  1. Log in to Okta at https://developer.okta.com/login.
    Note: If you just want to test the integration, you can sign up for a trial Okta account at https://developer.okta.com/signup.
  2. Navigate to Applications >> Applications.
  3. Click Create App Integration.
  4. In the Sign-in Method section, click OIDC - OpenID Connect.
  5. In the Application Type area, click Single-Page Application.
  6. Click Next.
  7. On the Application page, type the name you want to use for your integration in the App Integration Name field, such as "iOn Okta Application."
  8. In the Grant Type area, make sure that Refresh Token is selected.
  9. In the Refresh Token Behavior section, select Rotate Token After Every Use.
  10. In the Login section, enter https://ion.calamp.com/login?oidcEnabled=true in the Sign-in Redirect URIs field.
  11. Enter https://ion.calamp.com?oidcEnabled=true in the Sign-out Redirect URIs field.
  12. Click the Login Initiated By drop-down arrow and select App Only.
  13. In the Trusted Origins area, enter https://ion.calamp.com in the Base URIs field.
  14. Select the Controlled Access radio button for the level of access you want to give your users. (For example, choosing Allow Everyone in Your Organization to Access will grant all your users permission to use the platform.)
  15. Click Save.


Adding Users


You can add users in your organization who can access iOn as follows:


  1. In Okta, navigate to Applications >> Applications.
  2. Select the name of the application you used in step 7 in the preceding section.
  3. Click the Assignments tab.
  4. Select People in the left pane to add users individually, choosing their names on the right.
  5. Select Groups on the left to add groups of users in the right pane.


Enabling SSO in CTC Admin


Note: Yes, the procedure below is performed in CTC Admin, not iOn or Okta. As mentioned earlier, if you have an iOn account but not a CTC Admin account, contact your CalAmp representative for assistance in configuring SSO.


The next step in the process is to enable SSO in CTC Admin. You do so as follows:


  1. Log in to CTC Admin. (See Logging In and Out if needed.)
    Note: Your CTC Admin role will need to have Admin rights.
  2. Click  on the left sidebar menu.
  3. Click Accounts on the flyout menu that appears.
    The Accounts screen will appear.
  4. Click Edit at the top right.
    The Edit Account dialog box will appear.
  5. Enable the Enterprise Account toggle.
    A new section for configuring SSO should appear.
    Note: You may also need to enable the SSO Configuration toggle to display the fields below.
  6. In the Discovery Endpoint field, enter your OIDC discovery endpoint URL from Okta.
    Note: You can find this endpoint in Okta by following these steps:
    1. Navigate to Applications.
    2. Select the application you are configuring SSO for.
    3. On the General tab, find the Issuer URL value, which is often the discovery endpoint. (It will end in /.well-known/openid-configuration.)
    4. Copy this value and paste it into the Discovery Endpoint field in the Edit Account dialog box.
      If you cannot find the Issuer URL value on the General tab, you can also derive the discovery endpoint by appending /.well-known/openid-configuration to your Okta domain. (For example, if your Okta domain is https://your-okta-domain.okta.com, your discovery endpoint will be https://your-okta-domain.okta.com/.well-known/openid-configuration.)
  7. In the Domains field, enter the email address domain for your user accounts (such as yourbusiness.com).
    Note: This value must be unique. No other organization can have this domain associated with an account in CTC Admin.
  8. Click the SSO Mode drop-down arrow and select how your users will be allowed to log in to iOn, from these options:
    • Lax: Users can authenticate with either SSO or a traditional username/password login.
    • Strict: Users can log in ONLY using Okta SSO.
  9. Click the APP List drop-down arrow and select iOn.
  10. In the Client ID field, enter the Client ID value from Okta.
    Note: You can find this in the Client Credentials section of the General tab.
  11. Click Done.
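Before pasting values into CTC Admin, it is worth confirming that the discovery endpoint from step 6 and the redirect URIs and trusted origin from the Okta steps are consistent with each other. The following Python script is an added example, not CalAmp's or Okta's code: it builds the discovery URL from the Okta domain exactly as the note in step 6 describes, validates a discovery document (the issuer matches the Okta domain, the endpoints are HTTPS URLs under that issuer, the authorization code grant and PKCE S256 are offered, as a single-page application needs), and checks that the sign-in and sign-out redirect URIs are HTTPS, share the trusted origin exactly, and contain no wildcard. The Okta domain is the article's placeholder, and the discovery document is a constructed sample so the script runs offline; replace it with the JSON fetched from your own discovery endpoint to check a real tenant.

```python
"""Pre-flight checks for the Okta -> iOn OIDC values (added example)."""
import json
from urllib.parse import urlsplit

# Values from the procedure above. The Okta domain is the article's placeholder.
OKTA_DOMAIN = "https://your-okta-domain.okta.com"
SIGN_IN_REDIRECT = "https://ion.calamp.com/login?oidcEnabled=true"
SIGN_OUT_REDIRECT = "https://ion.calamp.com?oidcEnabled=true"
TRUSTED_ORIGIN = "https://ion.calamp.com"

# Constructed sample of a discovery document (a subset of the fields an
# OIDC provider publishes); not fetched from a live Okta tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://your-okta-domain.okta.com",
    "authorization_endpoint": "https://your-okta-domain.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://your-okta-domain.okta.com/oauth2/v1/token",
    "jwks_uri": "https://your-okta-domain.okta.com/oauth2/v1/keys",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(okta_domain: str) -> str:
    """Build the discovery endpoint as the note in step 6 describes."""
    return okta_domain.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc_json: str, okta_domain: str) -> list:
    """Return the problems found in a discovery document (empty list = OK)."""
    doc = json.loads(doc_json)
    expected = okta_domain.rstrip("/")
    problems = []
    # The issuer must be the Okta domain you are configuring, nothing else.
    if doc.get("issuer") != expected:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected!r}")
    # Every endpoint the client will talk to must be HTTPS and under the issuer.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if urlsplit(url).scheme != "https" or not url.startswith(expected + "/"):
            problems.append(f"{key} is not an https URL under the issuer: {url!r}")
    # A single-page application uses the authorization code flow with PKCE.
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not supported")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not supported (needed for a single-page app)")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not offered")
    return problems


def check_redirects(trusted_origin: str, *redirect_uris: str) -> list:
    """Redirect URIs must be HTTPS, match the trusted origin exactly, no wildcards."""
    base = urlsplit(trusted_origin)
    problems = []
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append(f"not https: {uri}")
        if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
            problems.append(f"origin differs from trusted origin: {uri}")
        if "*" in uri:
            problems.append(f"wildcard in redirect URI: {uri}")
    return problems


if __name__ == "__main__":
    print("discovery endpoint:", discovery_url(OKTA_DOMAIN))
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY, OKTA_DOMAIN))
    print("redirect problems:",
          check_redirects(TRUSTED_ORIGIN, SIGN_IN_REDIRECT, SIGN_OUT_REDIRECT))
```

Both checks return an empty list for the values in this article. A non-empty list from `check_discovery` usually means the Issuer URL copied in step 6 belongs to a different authorization server than the Okta domain you expect; a non-empty list from `check_redirects` means the values entered in steps 10, 11 and 13 of the Okta configuration do not agree with each other.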