This article offers answers to frequently asked questions (FAQs) about implementing single sign-on (SSO) between Okta and iOn.
Can a single email domain be used for configuring SSO for both iOn and CTC Admin?
Yes, you will need to configure multiple Okta application integrations. A single account can be configured to point to multiple Okta apps (one for CTC Admin and one for iOn).
Does Strict mode prevent login for users who do not exist in Okta?
Yes, but it takes some time to propagate.
Do users need to be set up in both Okta and iOn?
Yes, you still have to maintain users in both your Okta instance and iOn to enable assigning roles and permissions.
Does the email domain for the SSO account setup need to be unique?
Yes, the email domain must be unique, and your usernames need to be email addresses with that domain to enable SSO account identification via username input.
Can users log in to iOn with an account whose domain does not match the configured SSO domain?
Strict SSO mode will prevent this, only allowing users with a matching domain to log in to your account. Lax SSO mode will route the user to a username/password page.
Will users still be able to log in with iOn credentials if they are removed from our Okta account?
Users with the domain configured for SSO will always be routed to Okta for authorization; users with an account whose domain does not match the configured SSO domain will be able to log in if you chose the Lax SSO mode during setup.
Is an SSO configuration inheritable for subaccounts?
We are currently testing to confirm whether inheritance to subaccounts will be functional.
If I only have a CalAmp iOn account and do not have a CTC Admin account, can I configure SSO?
If you don't have a CTC Admin account, contact your designated CalAmp representative for assistance with configuring your account to enable SSO.