
Okta Integration

Introduction

This guide will walk you through the steps necessary to allow your team to sign in to Courier with Okta.

Prerequisites

  • An Okta account with Admin privileges.
  • Each user must be invited to Courier via email before they can log in with Okta.
  • Some of these steps require information to be received from and sent to Courier. Before continuing, contact Courier support and ask for assistance in setting up Okta Sign in.

Set Up

  1. Navigate to the Applications > Applications section of the Okta admin panel.
  2. Hit the "Create App Integration" button.
  3. Select SAML 2.0 and hit "Next".
  4. Enter "Courier" as the app name and optionally provide the Courier logo (available after the screenshot), then click "Next".
  5. Contact Courier support for a Single sign on URL and an Audience URI. Enter them in their respective fields under SAML settings.
  6. Under the "Attribute Statements" section, enter the following information:
    • Name: id Value: user.id
    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress Value: user.email (Name format can be left as Unspecified)
  7. Hit the "Next" button towards the bottom of the page.
  8. Under the "Application Feedback" section, select "I'm an Okta customer adding an internal app" and hit "Finish".
  9. From the "Sign On" tab of the new Courier application integration, find the Identity Provider metadata hyperlink. Copy the link address and send it to the Courier support team member.

That's all that's needed to allow sign in with Okta. Be sure to assign users using the Assignments tab of the Courier App Integration.
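A mistyped attribute name or Audience URI in the SAML settings above only shows up when a sign-in fails, so it helps to check an assertion from a test sign-in offline. The Python sketch below is an added example, not Courier's or Okta's code: the sample assertion is constructed, the audience value is a placeholder for the one Courier support provides, and `check_assertion` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
REQUIRED = ("id", EMAIL_CLAIM)  # attribute names from the Attribute Statements step

# Constructed, unsigned sample. It deliberately uses Name="email" instead of the
# full claim URI, a typical data-entry mistake. The audience is a placeholder.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>AUDIENCE-URI-FROM-COURIER-SUPPORT</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="id">
      <saml:AttributeValue>00u-constructed-id</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>dev@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience):
    """Return a list of configuration problems; does NOT verify the signature."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append("audience mismatch: %r" % audiences)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        found[attr.get("Name")] = values
    for name in REQUIRED:
        if name not in found:
            problems.append("missing attribute: " + name)
        elif not found[name]:
            problems.append("empty attribute: " + name)
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, "AUDIENCE-URI-FROM-COURIER-SUPPORT"):
        print(problem)
```

This is a configuration check only; signature and certificate validation remain the job of the service provider's SAML library.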

Migrating Users To Okta

  1. From the Settings > Security page, ensure that "Require Google SSO" is not checked
  2. From the Settings > Team page in Courier, remove and then re-invite users who should sign in with Okta

After the invites are sent

To accept an Okta invitation users should follow these steps:

  1. Sign out of Courier
  2. Click the "join" button from the email invite
  3. Enter your work email (the email address your invite was sent to)
  4. Hit continue

Logging in to Courier using Okta after accepting the invite

Users with Okta logins to Courier must use the email login process to access the Business account.

User Provisioning with Okta SCIM v2

  1. Contact Courier support for a SCIM endpoint URL and bearer token
  2. Navigate to the Courier App from the Okta admin panel
  3. Navigate to the provisioning tab and click "Edit"
  4. Enter the URL provided by Courier into the "SCIM connector base URL"
  5. Enter userName into the "Unique identifier field for users"
  6. Check "Push New Users" and "Push Profile Updates" for the "Supported provisioning actions"
  7. For "Authentication Mode" select HTTP Header
  8. Enter the Bearer token provided by Courier
  9. Hit "Save"
  10. After 30 seconds the provisioning tab should have a "To App" section on the left. If it doesn't, try refreshing the page. Once it appears, select it and hit the "Edit" button
  11. Check the "Create Users", "Update User Attributes", and "Deactivate Users" features and hit save
  12. Using the side menu, navigate to Directory > Profile Editor and hit the edit profile button of the Courier App
  13. Hit the "Add Attribute" button
  14. Enter the following values:
    • Data type: string
    • Display name: Role
    • Variable name: role
    • External name: role
    • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    • Description: Courier Role
  15. Check the "Define enumerated list of values" checkbox and enter the following values:
    • Display Name: Admin, Value: ADMINISTRATOR
    • Display Name: Manager, Value: MANAGER
    • Display Name: Developer, Value: DEVELOPER
    • Display Name: Designer, Value: DESIGNER
    • Display Name: Support, Value: SUPPORT_SPECIALIST
    • Display Name: Analyst, Value: ANALYST
  16. Check the "Attribute required" checkbox and hit "save"

Note: If users were already assigned to the Courier app before provisioning was set up, you will need to edit their assignment and update their role.

Provisioning is now enabled. Changes to user assignments in the Courier Okta app will automatically be reflected in the Courier Workspace. Users will receive an invite via email to Courier when added. They are automatically removed from the Courier Workspace when no longer assigned in Okta.