Pinpoint now supports SAML providers including Okta for Single Sign On.
Steps to configure Pinpoint
1. Log in to Pinpoint as a user who has the role Company Manager
2. On the left hand side, in the menu under Settings, click Integrations
3. If you do not see the SAML Integration listed, please contact your Pinpoint service representative and ask them to enable the SAML integration for your company.
4. Click Configure on the SAML Authentication integration.
5. You will be shown a list of URLs. At this stage we suggest you open an additional window and follow the steps in Okta until the next section. You will be copy and pasting some of these details into Okta.
Steps to configure Okta
1. Log in to Okta admin panel
2. Go to Applications and click 'Add application'
3. Click 'Create New App'
4. Select platform 'Web' and sign in method 'SAML 2.0', then click Create
5. Fill in:
App name: Pinpoint
Upload the app logo (ask Customer Service for one of these), click Upload
Single sign on URL: [Copy Consumer URL from Pinpoint]
Audience URI: [Copy Entity ID from Pinpoint]
NameID Format: EmailAddress
Application username: Email
7. Attribute statements → Add Attributes
8. Click Next, select 'I'm an Okta customer...', click Finish
9. Click the View Setup Instructions button
10. At the bottom of the instructions page, find the IDP Metadata XML, select all and copy it.
Back over to Pinpoint
1. Paste the contents of the XML into the Metadata field and press Save
2. Contact your Pinpoint service representative and let them know you have completed this step. They will then activate the integration.
Back to Okta
1. Configure user access to the Pinpoint application via your own internal policies. In my screenshot examples, I have created a group called Pinpoint, and I have added one user and one application (Pinpoint).
2. Once the Pinpoint representative has enabled the integration, and you have set up the groups who have access to the Okta application, you will now be able to login.
3. Test this out by logging out of Pinpoint. If you then switch back to the Okta User Portal, clicking on the Pinpoint link should now log you in automatically.
4. Please note that if a user does not yet have an account in Pinpoint, they will see a notice screen instead. Add this user to Pinpoint manually for single-sign on to work.
Our current SAML implementation does not yet support Just in Time account creation ('Provisioning'). This means that a user will only be logged in to Pinpoint if their account has already been created. If a client would like this functionality, please talk to the Dev team about this, and we will discuss requirements. This guide does preemptively configure Okta to include the First and Last name when it is authenticating, to allow this possibility in the future.