Setting up Okta

Pynt supports setting up external identity provider (IdP) for authentication, such as Okta. This allows organizations using Okta to control how their employees access Pynt and remove their need to manage any credentials.

The high-level steps to set SSO (Single Sign-On) with Okta are:

Add Pynt as an application in Okta
Set up SSO in Pynt
Add users to the Pynt application in Okta

Requirements

Verify you have administrator privileges for your Okta instance.
- Your role should include Application Administration
Verify you are an admin on Pynt and your organization has an active Enterprise license.

Step 1: Add Pynt as an application in Okta

Pynt supports only SP (Service Provider) initiated login, hence we'll add both a hidden SAML application and a visible Bookmark pointing to login.

Add a SAML app

Go to Okta's Admin Console, then Applications > Applications. Click Create App Integration, select SAML 2.0 as the Sign-in method and click Next.
Choose Pynt SAML for the App Name, and check Do not display application icon to users
Obtain the SAML settings from the Single Sign-On (SSO) section of Pynt's User Management page:
- Single sign-on URL - Assertion Consumer Services (ACS) URL
- Audience URI (SP Entity ID) - Audience
- Name ID Format
- Application Username
Fill out the Attribute Statements:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - user.firstName
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname - user.lastName
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress - user.email
In the Feedback screen, you can decide to fill the feedback or skip (by clicking Finish).
In the new app's Sign On tab, open the Metadata URL and save the contents as metadata.xml (or similar) in your computer (we'll use it in Step 2).

Create a Bookmark App

Go to Okta's Admin Console, then Applications > Applications. Click Browse App Catalog and search for Bookmark App. Click on Add Integration.
Choose an Application Label (e.g., Pynt) and fill https://app.pynt.io/login as the URL

Step 2: Set up SSO in Pynt

Mail support@pynt.io the metadata.xml file from the first step and ask to finalize the setup on Pynt's side.

If you want to limit specific domains for your organization (such as @company.com), include the list of these domains in your request.

(Optional) Step 3: Assign roles to users

Pynt allows Just-in-time role setting by passing the role SAML attribute during the login.

Search for the Pynt SAML profile in the Directory -> Profile Editor page
Once saved, head to the Pynt SAML application page, and click Edit on the SAML Settings
Move to the Configure SAML step by clicking Next. Under Attribute Statements add a new attribute named role which maps to appuser.role (the role suffix should match the name of the attribute you added earlier in the profile). Continue to save the changes.
When assigning users, you can choose which role to assign (the default will be user in Pynt, unless explicitly assigned.)

Step 4: Assign users to the Pynt application in Okta

Because our setup includes both a hidden SAML application and a visible bookmark app, the easiest setup will be to create a new group of Pynt users, assign both apps to the newly created group, and assign users to the group as needed.

Read more about users management in Okta's documentation.

PreviousSingle Sign-On (SSO)NextSetting up Entra ID

Last updated 20 days ago

Step 1: Add Pynt as an application in Okta

Pynt supports only SP (Service Provider) initiated login, hence we'll add both a hidden SAML application and a visible Bookmark pointing to login.

Add a SAML app

Go to Okta's Admin Console, then Applications > Applications. Click Create App Integration, select SAML 2.0 as the Sign-in method and click Next.

Choose Pynt SAML for the App Name, and check Do not display application icon to users

Obtain the SAML settings from the Single Sign-On (SSO) section of Pynt's User Management page:

Single sign-on URL - Assertion Consumer Services (ACS) URL
Audience URI (SP Entity ID) - Audience
Name ID Format
Application Username

Fill out the Attribute Statements:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - user.firstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname - user.lastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress - user.email

In the Feedback screen, you can decide to fill the feedback or skip (by clicking Finish).

In the new app's Sign On tab, open the Metadata URL and save the contents as metadata.xml (or similar) in your computer (we'll use it in Step 2).

Create a Bookmark App

Go to Okta's Admin Console, then Applications > Applications. Click Browse App Catalog and search for Bookmark App. Click on Add Integration.

Choose an Application Label (e.g., Pynt) and fill https://app.pynt.io/login as the URL

(Optional) Step 3: Assign roles to users

Pynt allows Just-in-time role setting by passing the role SAML attribute during the login.

Search for the Pynt SAML profile in the Directory -> Profile Editor page

Add an attribute of type string, with the following set of values - user and admin

Once saved, head to the Pynt SAML application page, and click Edit on the SAML Settings

Move to the Configure SAML step by clicking Next. Under Attribute Statements add a new attribute named role which maps to appuser.role (the role suffix should match the name of the attribute you added earlier in the profile). Continue to save the changes.

When assigning users, you can choose which role to assign (the default will be user in Pynt, unless explicitly assigned.)