Okta Authentication
Okta authentication allows you to have single-sign-on (SSO) using the Okta SAML 2.0 identity provider.
The first step to setting up SSO with Okta is to create a new application icon in Okta named Pacific Timesheet. Search the catalog for Pacific Timesheet and use that to create the new application. Make sure you enter your subdomain, e.g. "xyz". This comes from your Pacific Timesheet application URL, e.g. https://xyz.pacifictimesheet.com.
Troubleshooting Note: Make sure "Request Compression" is set to "Compressed" in your Okta SAML configuration. Pacific Timesheet expects the SAML data to be compressed. |
Once you have created the Pacific Timesheet application icon in Okta you must then configure the security settings in Pacific Timesheet. First, find the values you need to enter into Pacific Timesheet by going to the Okta Admin > Applications page. Locate and click the Pacific Timesheet application you created above, then go to the Sign On panel. Click the View Setup Instructions and enter the following information into Pacific Timesheet on the System > Security page:
Property |
Description |
Name |
This is the name used in the login button on the Pacific Timesheet login page. |
Identity Provider SSO URL |
The value from Okta, for example: https://xyz.okta.com/app/xyz/exk3ycblt53P0Gcry0h7 |
Identity Provider Issuer |
The value from Okta, for example: https://www.okta.com/exk3ycblt53P0Gcry0h7 |
Certificate |
The Okta X.509 security certificate. You can specify both a primary certificate, and optionally a secondary certificate. When a login request is authenticated the primary certificate is used first, and if that fails then the secondary certificate will be used. You would typically provide a secondary certificate a few days or weeks before the primary one expires to ensure there is no loss of access to the application when the primary certificate expires. Once the primary certificate is fully expired you can replace it with the secondary certificate at your earliest convenience, then clear the secondary certificate field. Note that the X.509 certificate should be in PEM format, meaning it should start with the header line -----BEGIN CERTIFICATE----- and end with the footer line -----END CERTIFICATE----- |
Logging |
Check this option to help troubleshoot authentication failures. Errors are logged to the System Event Log, and can be view with the Reports > System Event Log report. For self-hosted systems you can also view detailed information in the log files located in the <PacificTimesheet>/tomcat/logs directory. |
When you use an identity provider to connect to Pacific Timesheet, you will need a corresponding employee account in Pacific Timesheet. The identity provider's account information (be it email address, login, etc.) will be used to find a corresponding Pacific Timesheet account. The match will be made against the Pacific Timesheet account's login name, employee ID or email address, in that order.
Note: Even if SSO is enabled you can allow some employees to log in using Pacific Timesheet's standard authentication (user name and password). On the login page the employee can choose either to log in with the standard user name and password, or use the configured identity provider's SSO option. This allows you to have Pacific Timesheet accounts that do not use the configured identity provider, such as the 'admin' account, or client approver accounts, still able to log in with a user name and password. |