Okta

Single Sign-On and user provisioning with Okta

The integration with Okta lets you use Okta as your Single Sign-On (SSO) and user provisioning service for accessing Forecast. This adds an extra layer of security for enterprise customers.

For users to be able to login to Forecast with their Okta account, they need to be created in Forecast with the same email address as their Okta user. This can be setup manually in Forecast or provisioning can be used to automatically create users in Forecast from Okta.

This integration with Okta is currently under development and is not available to customers yet. Contact to learn more.

Guide to setting up SSO

1. Go to the “Admin” section of Okta

2. Go to “Applications”

3. Click “Add Application”

4. Click “Create New App”

5. Select “OpenID Connect” and click “Create”

screen1

6. Name the application “Forecast” and upload the picture located here: https://app.forecast.it/forecast_logo_okta.png

7. Set “Login redirect URIs” to “https://graphql.forecast.it/okta/oauth” and click “Save”

screen2

8. Edit “General Settings” and fill in the details as listed below

screen3

9. Copy the “Client ID” and “Client secret”. These are needed in Forecast.

10. Naviagte to https://app.forecast.it/settings/catalog/okta (If you do not see any input fields, please contact Forecast to get these enabled)

11. Fill in your “Okta account URL”, “Application client id” and “Application client secret” and click “Save”.

12. To allow users to login to Forecast from Okta, simply assign them to the application in Okta.

Guide to setting up provisioning

Features

The following provisioning features are supported:

  • Push New Users - New users created through OKTA will also be created in Forecast.
  • Push Profile Updates - Updates made to the user's profile through OKTA will be pushed to Forecast.
  • Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application through OKTA will deactivate the user in Forecast.
  • Import New Users - New users created in Forecast will be downloaded and turned in to new AppUser objects, for matching against existing OKTA users.

Requirements

Before you configure provisioning or SSO for Forecast, make sure you contact the Forecast Success Team and have them enable the Okta integration on your account.

Configuration Steps

1. Go to the “Admin” section of Okta

2. Go to “Applications”

3. Click “Add Application”

4. Find Forecast in the application catalog and click "Add"

5. Select "Do not display application icon to users" and "Do not display application icon in the Okta Mobile App". Also uncheck the "Automatically log in when user lands on login page"

Okta_setup_1

6. In the "Sign-On Options" screen, set the "Application username format" to Email.

To add the provisioning feature of the Forecast application, navigate to the Applications section in Okta and click the "Add Application" button.

Configure your Provisioning settings for Forecast account as follows:

1. Find your SCIM username and password in Forecast here: https://app.forecast.it/settings/catalog/okta

2. Go to the Forecast application inside Okta and select the Provisioning tab.

3. Click the "Configure API Integration"

4. Scroll down and select the Provisioning Features you want to enable.

Okta_setup_2

5. Click the "Enable API integration" and fill in the Username and Password received from Step 1.

6. Click the "Test API Credentials" and you should see a confirmation like this:

Okta_setup_3

Troubleshooting and Tips

If you find any problems, don't hesitate to contact us at info@forecast.it or on the chat.