Okta configuration guide for ellie.ai
Prerequisites
Have an existing account (i.e. your organization’s own subdomain) with ellie.ai
Have administrator privileges on your Okta organization
Have the Okta groups to which you want to grant an ellie.ai role (read, write, admin)
Supported features
SP-initiated SSO
IdP-initiated flow
Create users
Assign a role to an Okta group
Update user role
Procedure
Go to the Okta Integration Network catalogue, find the ellie.ai app, and add it to your applications.
In the General tab, please provide your ellie.ai organization name in the subdomain field (i.e. https://your-organization-name.ellie.ai/ → your-organization-name).
After installing the application, navigate to the Sign On tab. Here you can find the Client ID and Client secret. If you follow the OpenID Provider Metadata link, you can find your issuer URI under the key issuer.
In the Assignment tab you can configure the groups that can access the application. We recommend assigning only groups that have a role, so that every user accessing the app has a role.
Send an email to support@ellie.ai with the subject “Okta configuration” and the following information:
Client ID
Client secret
Issuer URI
Your organization’s ellie.ai homepage URL (should look like this: https://organization.ellie.ai/)
Your Okta group role mapping (e.g. “ellie-write” → write)
API token to view the group memberships of an authenticated user (guide to create an API token)
ellie.ai support will handle your request and get back to you once the integration is configured.
Group role mapping
ellie.ai has 3 different roles:
Read: the user can read all the models and entities
Write (includes all the read privileges): the user can create and edit models, entities and collections (if a model or entity is in a restricted collection, then the user will only have read permission)
Admin (includes all the write privileges): the user can create and edit all models, entities and collections, and can restrict a collection to a list of editors. Admins can also change some organization settings, import and export the glossary, and manage API tokens.
You can assign an Okta group to an ellie.ai role.
If a user is a member of groups with different roles, then they will be assigned the highest role.
If a user is not a member of any group with a role, they will not be permitted to use ellie.ai. It is very important that every user who has access to the app is a member of a group with a role.
You do not need to create the ellie.ai roles.
The roles are not configurable and limited to read, write and admin.
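The rules above (highest role wins, no role means no access) can be checked against your own group data before the mapping is sent to support. This is an added example, not ellie.ai's or Okta's code; the group names other than “ellie-write”, the user names, and the assumption that a role is resolved from all of a user's group memberships are constructed for illustration.

```python
# Added example: not ellie.ai's or Okta's code. Sample groups and users are constructed.
ROLE_RANK = {"read": 1, "write": 2, "admin": 3}  # the three fixed ellie.ai roles


def effective_role(user_groups, group_role_map):
    """Highest role granted by any mapped group, or None (user would be refused)."""
    roles = [group_role_map[g] for g in user_groups if g in group_role_map]
    return max(roles, key=ROLE_RANK.__getitem__, default=None)


def audit(assigned_groups, memberships, group_role_map):
    """Compare the app's assigned groups with the role mapping.

    Returns (roles, locked_out, unmapped): effective role per user who can reach
    the app, users who can reach it but hold no role, and assigned groups that
    carry no role.
    """
    bad = {g: r for g, r in group_role_map.items() if r not in ROLE_RANK}
    if bad:
        raise ValueError(f"roles are limited to read, write and admin: {bad}")
    assigned = set(assigned_groups)
    unmapped = sorted(assigned.difference(group_role_map))
    roles, locked_out = {}, []
    for user, groups in sorted(memberships.items()):
        if assigned.isdisjoint(groups):
            continue  # not assigned to the app at all
        # Assumption: the role is resolved from all of the user's groups.
        role = effective_role(groups, group_role_map)
        if role is None:
            locked_out.append(user)
        else:
            roles[user] = role
    return roles, locked_out, unmapped


# Constructed sample data.
MAPPING = {"ellie-read": "read", "ellie-write": "write", "ellie-admin": "admin"}
ASSIGNED = ["ellie-read", "ellie-write", "ellie-admin", "data-team"]
MEMBERSHIPS = {
    "alice": ["ellie-read", "ellie-write"],
    "bob": ["data-team"],
    "carol": ["ellie-admin", "ellie-read"],
    "dave": ["hr"],
}

if __name__ == "__main__":
    roles, locked_out, unmapped = audit(ASSIGNED, MEMBERSHIPS, MAPPING)
    print("effective roles:", roles)
    print("assigned without a role:", locked_out)
    print("assigned groups with no role:", unmapped)
```

Any user reported as assigned without a role, or any assigned group with no role, should be resolved in the Assignment tab or in the mapping before the integration goes live.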
SP-initiated SSO
Here are the steps to follow if you want to authenticate yourself using Okta from ellie.ai’s login page.
1. Go to your ellie.ai login page (you may need to log out first)
2. Click on the “Login using Okta” button
3. You will be redirected to your organization’s Okta login page
4. Fill in your Okta account credentials
5. Click on the “Sign In” button
6. You will then be redirected to your ellie.ai dashboard
Steps 3 to 5 may be omitted if you already have an active Okta session.