Okta Single Sign On (SSO) automatically signs users in without the need to enter a username or password. Client’s that utilize Okta, may elect to add Funnel to their corporate network to allow their users to access Funnel as they would other applications used onsite. To allow users to use Okta to sign in to Funnel, an admin must first add Funnel to their Okta instance. Funnel currently supports OpenID Connect with Okta, we do not support SAML. Below is a step-by-step to guide admins through this task. Click here for a word version of the job aid.

Setting Up Okta SSO  

Note for Funnel Okta SCIM app users: If the client has previously set up the Funnel Okta App via the Okta marketplace, they will need to set up a second app, as described here to allow for SSO from Okta. This is due to an Okta limitation, they are currently unable to automatically utilize OpenID Connect for SSO in SCIM applications.

1. Contact the Funnel Account Manager assigned to the client account and let them know they need to enable Okta SSO in Funnel  
2. The client will provide their Okta instance URL, typically something like https://COMPANYNAME.okta.com.
3. Funnel will provide the client with two values needed in the setup process:

• Login redirect URI
• Initiate Login URI

4. Once the values are received, the client will go to the Applications Admin in their Okta instance and choose Create New App

5. Select Platform as Web and Sign on method as OpenID Connect. Click Create. 

6. Enter Funnel Leasing as the Application Name and add the Login redirect URI provided. Click Save.

7. On the final step click Edit. In the Allowed Grant Types section, check the box next to Implicit (Hybrid).  

8. To allow users to login from Okta, click on Edit and under the Login section change Login Initiated by to Either Okta or App and set the Initiate Login URI to the value provided

9. On the final screen under Client Credentials, Okta will present a Client ID and Client Secret, copy those and provide them back to the Funnel Account Manager                                                                                                                                                                         
10. Once the Funnel Account Manager confirms set up, the Okta Admin will be able to assign the Funnel Application to users, and they should be able to log in through Okta.
11. Only users that have been previously set up in Funnel will be able to log in via Okta. To automate setting up users in Funnel via Okta, the client must also set up the SCIM integration.

Okta SCIM Setup

Doing the following will automate setting up users in Funnel via Okta.

1. Contact the Funnel Account Manager assigned to the client account and let them know they need to provide the client’s Okta Admin with a Bearer token
2. In the Admin section of Okta click Add Application
3. Search for the Funnel Leasing app, then click Add. The app will appear under the active applications lists and the Okta Admin can begin assigning it to end users
4. In Okta, go to the Provisionings tab and click Configure API Integration → Enable API Integration. A text field will appear where the Bearer token will be added
5. Click Save 
6. After configuring SCIM for the Funnel app in Okta, enable the following connection points:

• • Create Users - When this connection point is enabled, users will be created in Funnel when the app is assigned to them in Okta.
  • Update User Attributes - When this connection point is enabled, a user's attributes will be updated in Funnel when the app is assigned to them and any future attribute changes will automatically be synced to Funnel.
  • Deactivate Users - This connection point allows you to deactivate a user's Funnel account when the Funnel app is unassigned from them in Okta. Accounts will be reactivated if the app is reassigned.

SCIM Provisioning - Setting Users’ Role and Teams

Update the SCIM setup to set a user’s Funnel role, as well as the teams the user is associated with in Funnel, using attributes set on users in Okta.

1. Go to Funnel in the Okta Application Admin and go to the Provisioning Tab

2. In the Funnel Attribute Mapping click Go To Profile Editor                                                                                                                                                                                                  
3. To use an Okta user profile attribute to set the user’s Funnel role, click Add Attribute

4. Complete the Add Attribute form:

• • Date type: String
  • Display Name: Role
  • Variable Name: role
  • External Name: role
  • External Namespace: urn:ietf:params:scim:schemas:core:2.0:User

5. Click Save And Add Another, and add a second attribute for Teams, with the following attributes:

• • Date type: String Array
  • Display Name: Teams
  • Variable Name: teams
  • External Name: teams
  • External Namespace: urn:ietf:params:scim:schemas:core:2.0:User

6. Click Save, and then click the Mappings button.

8. Switch the toggle at the top to Okta to Funnel
9. Next to Role and Teams, select the Okta user profile attributes to map to those fields

9. Click Save, and send the Funnel Account Manager a list of the possible values that will be sent in the role and teams fields, and the Funnel Roles and Teams to map those values too.

10. Once the Funnel Account Manager confirms they have completed mapping the values on the Funnel side, users should be automatically created with the proper role and team teams when provisioned by Okta.