Prerequisites

  • An Okta account with Admin privileges.
  • Each user must be invited to courier via email before they can log in with Okta.
  • Some of these steps require information to be received from and sent to courier. Before continuing, contact Courier support and ask for assistance in setting up Okta Sign in.

Create the App Integration in Okta

  1. Navigate to the Applications > Applications section of the Okta admin panel
  2. Hit the “Create App Integration Button”:

Create App Integration button

  1. Select SAML 2.0 and hit “Next”

Select Sign-in Method

  1. Enter Courier as the app name and optionally provide the Courier logo (available after the screenshot) then click “Next”

App Name & Logo

DOWNLOAD COURIER LOGO


Download PNG
  1. Contact Courier support for a Single sign on URL and an Audience URI. Enter them in their respective fields under SAML settings.

SSO URL and Audience URI fields

  1. In the Attribute Statements section, enter the following information:
NameName FormatValue
idUnspecifieduser.id
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressUnspecifieduser.email

Okta attribute statements

  1. Hit the “Next” button towards the bottom of the page
  2. Under the “Application Feedback” section, select “I’m an Okta customer adding an internal app” and hit “Finish”:

Okta feedback form

  1. From the “Sign On” tab of the new Courier application integration, find the Metadata URL. Copy the link address and send it to the Courier support team member

Okta Metadata URL

That’s all thats needed to allow sign in with Okta. Be sure to assign users using the Assignments tab of Courier App Integration.

Creating a Courier Bookmark App

Bookmark apps are used to direct users to a specific web page using Okta applications. Below is a step-by-step process to create a Courier bookmark app within the Okta Admin Panel.

INFO

Before you can create a bookmark, you will need a bookmark URL from Courier for IdP initiated SSO to work. Please contact Support to get set up with the bookmark URL.

Steps

  1. Make sure you’re logged-in to the Okta admin panel as an Admin.
  2. Expand the Applications drop-down in the left pane, then click Applications.
  3. Click Browse App Catalog.
  4. Search for Bookmark App, select it from the list of results, and click Add in the left pane.
  5. Choose an app name, in this example Courier Login, which will be the display name.
  6. Copy the URL supplied by Courier Support directly to into the URL box:

Okta Bookmark App Settings

  1. Click Save.
  2. Assign to users to test.

Migrating Users To Okta

  1. From the Settings > Security page, confirm that “Require Google SSO” is not checked

Google SSO Setup

  1. From the Settings > Team page in Courier, remove and then re-invite users who should sign in with Okta

After the invites are sent

To accept an Okta invitation users should follow these steps:

  1. Sign out of Courier
  2. Click the “join” button from the email invite
  3. Enter your work email (the email address your invite was sent to)
  4. Hit continue

INFO

Users with Okta logins to Courier MUST use the email login process.

Email Login Process

User Provisioning with Okta SCIM v2

  1. Contact Courier support for a SCIM endpoint URL and bearer token
  2. Navigate to the Courier App from the Okta admin panel
  3. Navigate to the provisioning tab and click “Edit”
  1. Enter the URL provided by Courier into the “SCIM connector base URL”
  2. Enter userName into the “Unique identifier field for users”
  3. Check “Push New Users” and “Push Profile Updates” for the “Supported provisioning actions”
  4. For “Authentication Mode” select HTTP Header
  5. Enter the Bearer token provided by Courier
  1. Hit “Save”
  2. After 30 seconds the provisioning tab should have a “To App” section on the left. If it doesn’t, try refreshing the page. Once it appears select it and hit the “Edit” button
  3. Check the “Create Users”, “Update User Attributes”, and “Deactivate Users” features and hit save
  1. Using the side menu navigate to Directory > Profile Editor and hit the edit profile button of the Courier App
  1. Hit the “Add Attribute” button
  1. Enter the following values:
    • Data type: string
    • Display name: Role
    • Variable name: role
    • External name: role
    • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    • Description: Courier Role
  1. Check the “Define enumerated list of values” checkbox and enter the following values:
  • Display Name: Admin, Value: ADMINISTRATOR
  • Display Name: Manager, Value: MANAGER
  • Display Name: Developer, Value: DEVELOPER
  • Display Name: Designer, Value: DESIGNER
  • Display Name: Support, Value: SUPPORT_SPECIALIST
  • Display Name: Analyst, Value: ANALYST
  1. Check the “Attribute required” checkbox and hit “save”

INFO If users were already assigned to the Courier app before provisioning was setup, you will need to edit their assignment and update their role.

Finalizing User Provisioning

  • Changes to user assignments in the Courier Okta app will automatically be reflected in the Courier Workspace.
  • Users will receive an invite via email to Courier when added.
  • Users are automatically removed from the Courier Workspace when no longer assigned in Okta.
Removing the Courier WatermarkOutbound Webhooks