Enabling Okta single sign-on allows your users to seamlessly access ThingLink from their Okta dashboard while simplifying account provisioning. When enabled, users are automatically connected to your license upon signing in.
If you wish to fully automate account provisioning and create ThingLink accounts in advance, see SCIM provisioning for Okta.
Note that this feature is not publicly available yet. Contact your ThingLink account representative or submit a request here if you would like to enable it on your account.
How the integration works
Your users will be able to access ThingLink via the Okta User Dashboard based on your app assignment settings. When users click the app, they will be asked to authenticate via Okta. Once authenticated, ThingLink will create an account for them and connect them to your organizational license, or sign them into their existing account.
New users are always added with a minimal access level (i.e., as learners or students depending on your license setup). ThingLink does not support role mapping at this stage.
How to set up the integration
Overview
Setting up the integration will require you to configure a custom OIDC application inside Okta and share the app's Client ID and your email domain(s) with the ThingLink team. You will then receive a unique Initiate login URI that you will use to finalize the app configuration.
Step 1: Create App Integration in Okta
Go to the Okta Admin dashboard. Open the Applications section and select Applications in the left-hand navigation menu, then click the 'Create App Integration' button.
This will open a new window. Select Sign-in method: OIDC - OpenID Connect and Application type: Web application, then click Next.
Step 2: Configure the integration in Okta
Finish the integration configuration:
- App integration name: ThingLink. You may use a different name if desired.
- Logo (optional): you can download the logo here.
- Proof of possession: leave unchecked.
- Grant type: select 'Authorization code'. Leave other options unchecked.
- Sign-in redirect URIs:
  - Set the redirect URI to https://www.thinglink.com/sso/oidc/callback
  - Leave the 'Allow wildcard * in sign-in URI redirect.' box unchecked.
- Sign-out redirect URIs (Optional): remove the default URI.
- Trusted Origins: leave empty.
- Assignments: configure assignments as desired.
Click Save to save the app. This will take you to the app configuration page.
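To confirm that the saved app matches the Step 2 settings, the app's JSON can be checked with a short script. This is an added example, not ThingLink or Okta code; it assumes the input is the app object as returned by the Okta Apps API (GET /api/v1/apps/{appId}), and both sample apps below are constructed for illustration.

```python
import json

EXPECTED_REDIRECT = "https://www.thinglink.com/sso/oidc/callback"

def audit_oidc_app(app):
    """Return deviations from the Step 2 settings; an empty list means compliant."""
    findings = []
    if app.get("signOnMode") != "OPENID_CONNECT":
        findings.append("sign-in method is not OIDC - OpenID Connect")
    client = app.get("settings", {}).get("oauthClient", {})
    if client.get("application_type") != "web":
        findings.append("application type is not Web application")
    grants = sorted(client.get("grant_types", []))
    if grants != ["authorization_code"]:
        findings.append(f"grant types must be authorization_code only, got {grants}")
    if client.get("redirect_uris", []) != [EXPECTED_REDIRECT]:
        findings.append("sign-in redirect URIs must contain only the ThingLink callback")
    if client.get("wildcard_redirect", "DISABLED") != "DISABLED":
        findings.append("wildcard in sign-in redirect URI is allowed")
    if client.get("post_logout_redirect_uris"):
        findings.append("sign-out redirect URIs are not empty")
    if client.get("dpop_bound_access_tokens", False):
        findings.append("proof of possession (DPoP) is checked")
    return findings

# Constructed sample: an app saved exactly as Step 2 describes.
COMPLIANT_APP = {"signOnMode": "OPENID_CONNECT", "settings": {"oauthClient": {
    "application_type": "web", "grant_types": ["authorization_code"],
    "redirect_uris": [EXPECTED_REDIRECT], "wildcard_redirect": "DISABLED",
    "post_logout_redirect_uris": [], "dpop_bound_access_tokens": False}}}

# Constructed sample: the same app after several settings were left at other values.
DRIFTED_APP = json.loads(json.dumps(COMPLIANT_APP))
DRIFTED_APP["settings"]["oauthClient"].update({
    "grant_types": ["authorization_code", "implicit"],
    "redirect_uris": [EXPECTED_REDIRECT, "https://*.example.com/cb"],
    "wildcard_redirect": "SUBDOMAIN",
    "post_logout_redirect_uris": ["http://localhost:8080"]})

if __name__ == "__main__":
    for name, app in (("compliant", COMPLIANT_APP), ("drifted", DRIFTED_APP)):
        print(name, audit_oidc_app(app) or "OK")
```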
Step 3: Share configuration details with ThingLink
Share the following with your ThingLink point of contact:
- Integration's Client ID
- Integration's Client Secret
- Your Okta Issuer URL. Please see this page to learn how to check your Okta Issuer URL.
- All email domains and subdomains used by your users
Step 4: Finalize the integration configuration in Okta
The ThingLink team will set up the connection on the ThingLink side, and you will receive a unique login URI.
Go to the Okta admin dashboard and open the application you configured for ThingLink, then click the Edit button under General Settings and adjust the app settings:
- USER CONSENT: leave at default values.
- LOGIN: set 'Login initiated by' to Either Okta or App.
- LOGIN: 'Application visibility': check the 'Display application icon to users' box.
- LOGIN: leave 'Login flow' at the default value (Redirect to app to initiate login)
- LOGIN: set the Initiate login URI to the URI you received from the ThingLink team.
Click Save to save the changes.
At this point, the app is configured and should appear in the Okta dashboard for all assigned users. If it does not, please check the app assignments or reach out to your ThingLink point of contact.