Configuring OpenID Connect with Okta

Follow this guide to use OpenID Connect with Okta to connect to Mursion

Supported Features

The Mursion and Okta OpenID Connect integration currently support the following features:

• SP-initiated SSO
• IdP-initiated SSO
• JIT (Just In Time) Provisioning

Configuration Steps

Create SSO Configuration in Mursion Portal

1. Sign in to Mursion Portal
2. Select Settings on the top menu then select the SSO sub-tab.
3. Click Create SSO Configuration.
4. Please review this note about Claim fields, then, in the New SSO Configuration dialog, enter the following:
   1. Protocol: Select OAuth 2.0.
   2. Configuration Name: Enter a descriptive name of your choice.
   3. Authorization Endpoint: Enter the following URL, replacing ${yourOktaDomain}with your Okta domain -  https://${yourOktaDomain}/oauth2/v1/authorize
   4. Logout Endpoint: Enter the following URL, replacing ${yourOktaDomain}with your Okta domain - https://${yourOktaDomain}/login/signout.
   5. Client ID: Copy the Client ID of the Okta OpenID Connection application and paste into this field.
   6. Client Secret: Copy the Client secret of the Okta OpenID Connection application and paste into this field.
   7. Scope: Leave the default scopes of openid profile email.
   8. User Info Endpoint: Enter the following URL, replacing ${yourOktaDomain}with your Okta domain -  https://${yourOktaDomain}/oauth2/v1/userinfo
   9. Token Endpoint: Enter the following URL, replacing ${yourOktaDomain}with your Okta domain -  https://${yourOktaDomain}/oauth2/v1/token
   10. Token HTTP Method: Leave POST selected.
   11. User ID Claim Name: Enter sub.
   12. Email Claim Name: Enter email.
   13. First Name Claim Name: Enter given_name.
   14. Last Name Claim Name: Enter family_name.
   15. Single Logout Enabled: Check this option to initiate a request to end the Okta user’s session when the user’s Mursion Portal session ends due to explicit logout or session timeout. 
   16. Team Claim Name: Optionally, to externally manage team assignment through a SAML user attribute, specify the name of the attribute that contains the value that should be used to assign users to a Mursion Portal team.
   17. Team Mapping: If a Team Clain Name is specified, click the Add + button to add a mapping. Select a Mursion Portal team from the Team dropdown. Enter the value of the attribute that should be mapped to the Portal team. To remove a mapping, click the x on the right of the mapping.
       
       
5. Click Create SSO Configuration.
6. Click the newly created SSO Configuration.
7. On the Edit SSO Configuration dialog, copy the SSO Configuration’s ID by selecting the ID field value and copying it. Save the ID to be entered in Okta in a subsequent step.

Add Mursion App Integration in Okta

1. In Okta, browse the App Integration Catalog and search for Mursion.
2. Click the Add button on the Mursion application details page.
3. Click the Next button on the General Settings step.
4. In the Sign-On Options section, select OpenID Connect.
5. In the Advanced Sign-on Settings section:
   1. Environment: Leave Production selected
      1. Note: The Mursion OIDC app integration can only be configured for the Production environment.
   2. SSO Configuration ID: Enter or paste the SSO Configuration ID that was copied from Mursion Portal.
6. Click Done

Testing Mursion Portal SSO

1. Assign one or more test users to the Mursion application in Azure AD.
2. As one of the test users, click on the Mursion application to initiate SSO. 
3. If the configuration is correct, the user will be signed in to Mursion Portal and taken through the following flow: 
   1. the Mursion & User agreement will be displayed for the user to accept
   2. the user profile will be displayed for the user to confirm their profile and timezone
   3. the Calendar page will be displayed