<span id="top"></span>

Configuring Okta SSO

This guide outlines the steps to configure Single Sign-On (SSO) with Okta for Qualified. Follow these instructions to streamline authentication for your users and enhance security.

• Prerequisites
• Steps to Configure Okta SSO
• Enable SCIM Provisioning (Optional)
• Binding Email Process for Existing Users
• Adding New Users
• Disconnecting SSO

<span id="prerequisites"></span>

Prerequisites

1. Access to the Okta Admin Console and have super admin access. 
2. Access to Qualified’s Enterprise Single Sign-on and the Admin user role.
3. Your organization’s Company ID from Qualified.
4. A basic understanding of SAML 2.0 configuration.

Back to Top

<span id="steps-to-configure"></span>

Steps to Configure Okta SSO

Step 1: Set up in Qualified

1. Log in to your Qualified Admin account.
2. Navigate to Settings → Organization → Single Sign-On.
3. Select Okta (SAML 2.0) from the dropdown menu.
4. Copy your Company ID.

Step 2: Configure in Okta

1. Log in to the Okta Admin Console.
2. Go to Applications → Applications, and click Add Application 
3. Search for the Qualified app (not Qualified.io) and click Add Integration
4. Keep the default application label, or customize it, and click Done.
5. Within the application, click on the Sign On tab, and then click Edit.
6. Scroll down to the ADVANCED SIGN-ON SETTINGS section and paste in the Company ID that you copied from Qualified, and click on Save 

7. Then, scroll back up to copy the Metadata URL. 

Okta Documentation: Add existing app integrations

Step 3: Finalize SSO in Qualified

1. Return to Settings → Organization → Single Sign-On in Qualified.
2. Paste the Identity Provider metadata link from Okta into the required field.
3. Click Save and then Verify Configuration to test the connection.
4. Before enabling single sign-on, make sure to assign all existing Qualified users access to the Qualified application in Okta (including yourself) as they will no longer be able to access Qualified with their password once SSO is enabled.
   • Existing users will receive an email to bind their accounts: Binding Email Process for Existing Users
5. When you’re ready, click Enable single sign-on for this org.

Back to Top

<span id="enable-scim-provisioning"></span>

Enable SCIM Provisioning (Optional)

SCIM provisioning in Okta automates user management tasks such as creating, updating, and deactivating users in Qualified. 

Supported Provisioning Features

The following provisioning features are supported within Qualified provisioning of SSO users:

• Push New Users: New users created through Okta will also be created in Qualified.
  • When a user is provisioned, their name, role, phone number, email, and timezone from Okta are synced to Qualified. Further updates are limited to email and role changes only.
• Push Profile Updates: Updates made to a user's email or role in Okta are pushed to Qualified.
• Push User Deactivation: Deactivating a user or disabling their access to the Qualified application in Okta will deactivate the user in Qualified.
  • Deactivation removes login access but retains the user's information in Qualified as inactive.
• Reactivate Users: User accounts can be reactivated in Qualified via Okta.

Unsupported Provisioning Features

The following features are not supported:

• Import Users
• Import/Push Groups
• Sync Password
• Profile Sourcing

Steps to Enable SCIM Provisioning

Step 1: In Qualified

1. Go to Settings → Organization → Single Sign-On.
2. Toggle on SCIM Enabled to enable SCIM provisioning.
3. Copy the SCIM OAuth Bearer Token displayed on the screen.

Step 2: In Okta

1. Log in to your Okta Admin console.
2. Go to the Applications section and open the Qualified application.
3. Click the Provisioning tab, then click Configure API integration

4. Enable the API Integration checkbox
   • Paste the Bearer Token from Qualified into the OAuth Bearer Token field.
   • Click Test API Credentials to verify the connection.
   • Click Save.

5. Enable provisioning actions
   • Under the Provisioning tab, click To App and then Edit.
   • Check the boxes to enable:
     • Create Users
     • Update User Attributes
     • Deactivate Users

6. Configure “Meetings” user role (By default, “Admin” and “Rep” roles will be included in the attribute mappings.)
   • Also, under the To App, scroll down to Attribute Mappings section.
   • Click Go to Profile Editor.
   • Click the Pencil Icon next to "Qualified Role" to open up an editing modal

• Then, click + Add Another under the "Attribute members" section and add “Meetings” as a Display Name and “meetings” as the value (case-sensitive). 

• Click Save Attribute.

Okta Documentation: Add SCIM provisioning to app integrations

Testing and Verification

1. Add a test user in Okta:
   • Assign the user one of the roles (e.g., Qualified Admin, Qualified Rep).
   • Verify the user is created in Qualified with the correct attributes and role.
2. Update the test user's attributes (e.g., role or email) in Okta:
   • Confirm the changes sync correctly in Qualified.
3. Deactivate the test user in Okta:
   • Ensure the user’s access is removed in Qualified while their profile remains inactive.

Back to Top

<span id="binding-email-process"></span>

Binding Email Process for Existing Users

After enabling SSO, all existing Qualified users receive an email from app@qualified.com with a unique binding link.

Users must click the link within 72 hours to bind their Qualified account to their Okta Account. If the binding link expires, an admin can resend it from Qualified by going to Settings → Organization → Users.

Back to Top

<span id="adding-new-users"></span>

Adding New Users

With SCIM Provisioning Enabled

An Okta Admin, will need to assign the user to the Qualified app with the appropriate Qualified Role attribute: Admin, Rep, or Meetings. 

Okta Documentation: Assign app integrations

Without SCIM Provisioning

If your company does not have SCIM Provisioning enabled, then you’ll follow the steps below to add new users to Qualified: 

1. Assign Users in Okta: an Okta admin will need to assign the user to the Qualified application in Okta: Assign app integrations
2. ‍Invite Users in Qualified: Invite users from Settings → Organization → Users in Qualified: Provisioning Users in Qualified‍
3. User Accepts Invite: Invited users will receive an email with a button to link their account and access Qualified. 

Back to Top

<span id="disconnecting-sso"></span>

Disconnecting SSO

If you'd like to disconnect your company’s SSO, you can do so at any time.

1. Go to Settings → Organization → Single Sign-On 
2. Click Disable SSO for this team. 
3. Users will receive an email to create a new password and log in using their email addresses.

Back to Top