Forecast's integration with Okta simplifies the login process for your users by allowing them to access Forecast with the same set of credentials they use for other software at your organization. Enabling single sign-on enhances the security of your Forecast account by adding an additional layer of authentication. The following steps will guide you through the process of setting up Okta for seamless access to Forecast.
If you are looking to set up user provisioning with Okta, check out Okta Integration: User Provisioning Setup.
This article includes:
- Configuring single sign-on in Okta
- Configuring single sign-on in Forecast
- Assign users to single sign-on with Okta
- Switching authentication types
Configuring Forecast single sign-on in Okta
Sign in to Okta as an administrator and then follow the steps below.
To configure the single sign-on integration within Okta:
- Go to the Profile section of Okta.
- Go to Assign Applications.
- Under Assign Applications, click Add Application.
- Click on Create New App on the top right.
- In the new window, select Web as platform, and OpenID Connect as sign on method, then click Create.
- Name the application Forecast and upload the picture located here: https://app.forecast.it/forecast_logo_okta.png
- Set Login redirect URIs to https://graphql.forecast.it/okta/oauth
- Click Save.
- Edit General Settings and fill in the details as listed below.
  - Application label: Type "Forecast"
  - Application type: Ensure it is set to "Web"
  - Allow grant types: Ensure the following options are selected
    - Authorization Code
    - Implicit (Hybrid)
    - Allow ID Token with implicit grant type
    - Allow Access Token with implicit grant type
  - Login redirect URIs: https://graphql.forecast.it/okta/oauth
  - Login initiated by: Select "Either Okta or App"
  - Application visibility: Select "Display application icon to users"
  - Login Flow: Select "Redirect to app to initiate login (OIDC Compliant)"
  - Initiate login URIs: https://app.forecast.it/okta-login
- Click Save.
- Copy and save the “Client ID” and “Client secret” provided by Okta. These will be required in the setup within Forecast later on.
This will finalize the process in Okta and you can now move on with configuring single sign-on in Forecast.
Configuring Single Sign-on in Forecast
When the Forecast setup in Okta is complete and the information needed to set up Okta in Forecast has been saved, sign in to your Forecast account as an administrator and configure the Okta integration from the Admin panel. You'll need the Okta account URL, the Application client-id, and the Application client secret from Okta to complete your setup.
It is also possible to require single sign-on in the authentication process, meaning that users will no longer be able to use their Forecast email and password to log in. Note that any guest client users invited to Forecast are automatically exempt from this requirement and can use their email and password to access Forecast.
To configure Okta single sign-on in Forecast:
- Click Admin in the top bar.
- Select Integrations from the dropdown.
- Scroll to the Security & single sign-on (SSO) section of the page and select Okta.
- Under Require SSO, enable the toggle to make single sign-on mandatory. This requires login via Okta and disables logging in via email and password. We recommend selecting at least one Admin user to be exempt in case any issue arises with the single sign-on provider, so that the exempted user can still sign in and disable the single sign-on requirement for the rest of the users.
- Fill in your “Okta account URL”, “Application client-id” and “Application client secret”.
- Click Save to finalize the process.
The Okta for Forecast single sign-on setup is now completed.
Assign users to Forecast single sign-on with Okta
Once the configuration is done, you can begin assigning users to the Forecast app so they can log in via single sign-on through Okta. For users to be able to log in, please ensure that each individual's email address in Forecast matches the one registered in Okta.
To assign users to single sign-on in Okta:
- In the Okta Admin panel, head to Directory > People.
- Click Add person.
- Select a user type in the User type list or accept the default.
- Complete these fields:
  - First name: Enter the user's first name.
  - Last name: Enter the user's last name.
  - Username: Enter the user's user name in email format.
  - Primary email: Enter the user's primary email if it's different from their username.
  - Secondary email (optional): Enter a secondary email to allow the user to access information when their primary email is unavailable.
  - Groups (optional): Enter the groups to which the user belongs.
  - Password: Select Set by user to allow the user to set their password, or select Set by admin and enter a password.
  - Send user activation now (optional): This check box is available when Set by user is selected as the password option. Select this check box to send a user activation email to the user.
  - User must change password on first login (optional): This check box is selected by default when you select Set by admin as the password option. Clear this check box if you do not want the user to change their password when they first sign in.
- Click Save or click Save and Add Another to add another user.
Once this is done and the emails of the users match on both platforms, the users will have to log into Forecast by using the Okta option on the Forecast log-in page.
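A pre-flight check for the email-matching requirement and the Require SSO toggle described above, as an added example (not Forecast or Okta tooling). The CSV columns and sample rows are constructed, and comparing against Okta's primary email, with case-only differences reported rather than accepted, is an assumption, since this article only says the addresses must match.

```python
import csv
import io
# Constructed sample exports. Column names are assumptions for this example,
# not a documented Forecast or Okta export format.
FORECAST_USERS = """email,role,sso_exempt
root.admin@example.com,admin,yes
Anna.Berg@example.com,user,no
ben.cole@example.com,user,no
carla.diaz@example.com,user,no
dev.guest@client.example,guest,no
"""
OKTA_USERS = """username,primary_email
anna.berg@example.com,
ben.cole@example.com,b.cole@example.com
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def preflight(forecast_csv, okta_csv):
    """Classify Forecast users by whether an Okta identity matches their email."""
    primary, usernames = set(), set()
    for row in load(okta_csv):
        user = row["username"].strip()
        usernames.add(user)
        # Okta's primary email is only entered when it differs from the username.
        primary.add(row["primary_email"].strip() or user)
    folded = {e.casefold() for e in primary}
    report = {"ok": [], "case_differs": [], "username_only": [],
              "missing": [], "exempt_admins": []}
    for row in load(forecast_csv):
        email = row["email"].strip()
        if row["role"] == "guest":
            continue  # guest client users keep email and password login
        if row["sso_exempt"] == "yes":
            if row["role"] == "admin":
                report["exempt_admins"].append(email)
            continue  # exempt users are not locked out by Require SSO
        if email in primary:
            report["ok"].append(email)
        elif email.casefold() in folded:
            report["case_differs"].append(email)  # assumption: treat as unverified
        elif email in usernames:
            report["username_only"].append(email)  # primary email differs in Okta
        else:
            report["missing"].append(email)
    blocked = report["case_differs"] + report["username_only"] + report["missing"]
    report["safe_to_require_sso"] = bool(report["exempt_admins"]) and not blocked
    return report
```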
Switching authentication types
If a user is not included in the Okta database to log in via single sign-on and single sign-on isn't required in Forecast, the user will still be able to log into Forecast with their regular Forecast email and password.
If you are looking to switch to another single sign-on provider, contact Forecast Support to disable the existing SSO integration to avoid system conflicts.