Docs Index

Okta

Last updated on Available in French

ℹ️ As part of CoderPad’s rebranding effort, CodinGame Screen is now just Screen. We’re still working to update the documentation, until then you may still see references to “CodinGame” when setting this up.

This document describes the steps required to activate SSO on your Screen account using the SAML protocol with Okta.

SSO can also be combined with User Provisioning through the SCIM protocol.

Prerequisites for activating SSO on your Screen account:

  • You must have admin rights for your Screen account.
  • You must have identified the proper person at your end who will be able to implement the required configuration changes on your Okta account, i.e. your system administrator.

Important considerations:

  • Account-wide failure to login may occur for your users during the configuration process. Reversing the SSO activation on the account can be done at any time if the configuration fails.
  • At any time, even when the SSO configuration is active, it is possible for an admin to log into the account using email and password credentials by using one of the following URLs:
  • You may want to test drive the integration on a test Screen account first. In that case, contact your account manager to set up this test account.

To activate the SSO configuration on your Screen account:

  1. Open a ticket with the CoderPad support team asking for SSO activation and User Provisioning.
  2. The support team will send you back four URL parameters related to SSO:
    • SP Entity ID
    • SP Assertion Consumer URL
    • SP Metadata URL
    • SP Logout URL
  3. And two parameters related to user provisioning:
    • SCIM Base URL
    • SCIM Secret Token

You’ll then need to complete the following steps:

  1. Configure the integration
  2. Add user provisioning

Configuring the integration

1. Log on to the Okta Admin interface

Okta "My apps" tab on left nav selected and an arrow pointing to the "Admin" button.

2. In the menu select Applications > Applications:

The "Applications" item in the left nav is highlighted and there is an arrow pointing to the hamburger menu item next to the "okta" logo.

3. Select Create App Integration and then select SAML 2.0. Click Next to proceed:

Arrow pointing to the "create app integration" button in the top right of the window.
"Create a new app integration" page with the "SAML 2.0" option highlighted and selected.

4. Add these general settings:

  • Configure SAML:
    • Single sign on URL = SP Assertion Consumer URL (from the CoderPad support team)
    • Audience URI (SP Entity ID) = SP Entity ID (from the CoderPad support team)
    • Use this for Recipient URL and Destination URL = checked
    • Name ID format = Unspecified
    • Application username = Email
    • Add an attribute statement:
      • Name = User.Email
      • Value = user.email
  • Validate the last step

5. Configure Screen to work with Okta:

  • In the Sign On tab of the Application, click View Setup Instructions:
Codingame configuration screen with an arrow pointing to the "sign on" tab.
Sign on methods screen with an arrow pointing to the "view setup instructions" button.

6. Send back the following parameters to the CoderPad support team:

  • Identity Provider Single Sign-On URL
  • Identity Provider Issuer
  • X.509 Certificate (download as file)

9. Navigate to the Assignments tab. Select Assign > Assign to People or Assign to Groups, and add a test user who is also registered in Screen.

Codingame configuration screen with an arrow pointing to the "assignments" tab.
The assignments tab is opened. The "assign" drop down is open with "assign to people" and "assign to groups" options shown.

 

10. Contact CoderPad support to organize a go-live meeting between one of our engineers and your system admin. During the live video meeting, CoderPad will activate SSO on your account and you will check that a test user can connect through SSO. Any final adjustments can be made during this call.

Adding User Provisioning

Once SSO has been activated, User Provisioning can be turned on using the SCIM protocol:

  1. In Okta, select the CodinGame application then General > App Settings > Edit.
Codingame configuration screen with an arrow pointing to the "general" tab. The "edit" button in the top right of the app settings section is highlighted.

2. Then under Provisioning select SCIM and click Save.

In the provisioning section the "SCIM" option is selected and highlighted.

3. From the new Provisioning tab, click on Edit in the SCIM Connection section.

Codingame configuration screen with an arrow pointing to the "provisioning" tab. In the SCIM connection section the "edit" button is highlighted.

4. Enter in the following configurations:

  • SCIM connector base URL = SCIM Base URL (from the CoderPad support team)
  • Unique identifier field for users = email
  • Supported provisioning actions = Select all the options
  • Authentication Mode = HTTP Header
  • Bearer Token (HTTP Header > Authorization > Bearer Token) = SCIM Secret Token **(from the CoderPad support team)

The Test Connector Configuration action should be successful at this point.

5. Edit the provisioning. Navigate to Provisioning > Settings > To App and select Edit:

Codingame configuration screen with an arrow pointing to the "provisioning" tab. in the left nav the "to app" option is highlighted.

6. Check Create Users, Update User Attributes, Deactivate Users.

7. Click Save.

8. Go to the Push Groups tab of the App

Codingame configuration screen with an arrow pointing to the "Push groups" tab.

9. Click Push groups >Find groups by name

In the push groups dropdown menu there is an arrow pointing to the "find groups by name" option.

✅It is recommended to select all groups assigned to the Okta App

10. Click Save.

11. Send a final request to CoderPad support specifying the Screen permissions you want for each group attached to the Okta App. This could be done during the live video meeting as well to speed-up the process.

12. From now on users added to your groups will be automatically created in Screen with the proper set of permissions.