miroslav
Helper
9 years ago

Anybody have success integrating with Okta for SSO across multiple subsystems?

Hi folks,


We're looking to integrate Lithium with a few other systems using single sign-on. We'd like users to register with Lithium, and then automatically have access to the related systems via the SSO provider. All systems support SAML 2.0 for authentication. We're considering Okta and a few other cloud-based identity services, plus self-hosted solutions via Windows or Gluu.


Has anybody successfully implemented something similar, especially with Okta? More generally, how do you handle the registration flow so that users create their account once and are then able to access everything? How do users manage their info in that SSO directory (email, password change/reset, name changes, etc.)?


Thanks and take care,

Miroslav

  • DougS
    Khoros Oracle

    I’m not aware of anyone else doing this, but you might want to reach out to our Professional Services group to see if this is something that has been done before.


    I’d like to hear more about your use-case (what systems you are trying to integrate with) if you’d be open to sharing it.


    -Doug

    • miroslav
      Helper

      Hi Doug,


      Thanks for the response! We're trying to set up a unified community environment that includes Lithium for discussions, MindTouch for docs, and our own solution as a public demo. We'd prefer not to burden our community members with three separate logins to interact with various aspects of the environment. All three components support SAML 2.0, and we have customers using Okta for their SSO authentication. The stumbling point is around user creation: even if the SSO can authenticate that the login and password match, if there isn't an account for that user in the application database then the user can't log in. One component that seems important for a generalized solution is Just-in-Time Provisioning for SAML, and I can't find info around that for Lithium. Both MindTouch and our application support automatically creating new user accounts if the SSO authentication is accepted. The Okta engineers mentioned that they aren't sure how to do the Lithium integration without custom coding to the Lithium API because Lithium doesn't have an Okta integration plugin.


      Our situation seems like something that would be a relatively common use case these days given the proliferation of cloud-based solutions. We're still relatively early in our go-live process but on an accelerated schedule. We've asked for a technical contact at Lithium who could help us better understand the capabilities and limitations, but haven't had those conversations just yet. The API looks relatively simple, but it's always the corner cases that make custom code complicated :-)


      Any additional insight you could shed on the situation and our options?


      Thanks again and take care,

      Miroslav
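A sketch of the Just-in-Time provisioning step Miroslav describes (create the local account on the first accepted SAML login, reuse it afterwards), added here as an example; it is not code from this thread, from Lithium, or from Okta. It assumes a hypothetical in-memory user store standing in for the application's database, and that the caller has already validated the SAML assertion's signature, audience and validity window before passing its NameID and attributes in.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    username: str
    email: str
    display_name: str
    saml_name_id: Optional[str] = None  # stable subject identifier asserted by the IdP

class UserStore:
    """Hypothetical application user database (assumption; not any product's API)."""
    def __init__(self):
        self.by_name_id = {}   # persistent NameID -> User
        self.by_username = {}  # username -> User

    def add(self, user: User) -> None:
        self.by_username[user.username] = user
        if user.saml_name_id:
            self.by_name_id[user.saml_name_id] = user

REQUIRED_ATTRS = ("email", "displayName")

def jit_provision(store: UserStore, name_id: str, attrs: dict) -> User:
    """Return the local account for an already-validated SAML assertion,
    creating it on first login.

    Lookup is keyed on the IdP's persistent NameID, never on email, so an
    email change at the IdP or a reused address cannot map one subject onto
    another user's account. Pre-existing local accounts are never silently
    merged with a SAML subject; a new username is derived instead."""
    missing = [a for a in REQUIRED_ATTRS if not attrs.get(a)]
    if missing:
        raise ValueError(f"assertion lacks required attributes: {missing}")
    existing = store.by_name_id.get(name_id)
    if existing:
        # Returning user: refresh the profile fields the IdP is authoritative for.
        existing.email = attrs["email"]
        existing.display_name = attrs["displayName"]
        return existing
    # First login: derive a username from the email local part; on collision
    # with an existing local account, append a numeric suffix rather than link.
    base = re.sub(r"[^a-z0-9_.-]", "", attrs["email"].split("@")[0].lower()) or "user"
    username, n = base, 1
    while username in store.by_username:
        n += 1
        username = f"{base}{n}"
    user = User(username, attrs["email"], attrs["displayName"], saml_name_id=name_id)
    store.add(user)
    return user
```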