Important notice

There are 2 ways of integrating Okta with Ellie.ai

• Using manual okta integration (recommended), use this guide

• Using the Okta Integration Network catalogue, see the steps bellow

Prerequisites

• Have an existing account (i.e. your organization’s own subdomain) with ellie.ai

• Have administrator privileges on your Okta organization

• Okta groups you want to grant a certain ellie.ai role (read, write, admin)

Supported features

• SP-initiated SSO

• IdP-initiated flow

• Create users

• Assign a role to an Okta group

• Update user role

Procedure

Go to the Okta Integration Network catalogue and find the ellie.ai app and add it to your applications.

After installing the application navigate to the Sign On tab. Here you can find the Client ID and Client secret. If you follow the OpenID Provider Metadata link you can find your issuer URI at the key issuer.

In the Assignment tab you can configure the groups that can access the application. We recommend to only assign the groups with a role to make sure every user accessing the app has a role.

To configure your Okta SSO configuration login to your Ellie environment as an Admin user and go to Admin Tools → Metadata & SSO → Turn Okta On, to start the Okta Setup. See the example bellow:

Open

For your “Okta configuration” you’ll need the following information:

• Client ID

• Client secret

• Issuer URI

• Your Okta group role mapping (ie: “ellie-write” → write)

• API token to view the group memberships of an authenticated user (guide to create an API token)

If you have any questions or need help, reach out to support@ellie.ai.

Group role mapping

ellie.ai has 4 different roles:

• Read: the user can read all the models and entities

• Contributor: the user can read all the models and entities in organization folder and it’s subfolders. Can copy assets to personal folder, and make changes and create new assets in the personal folder. The user can then share their assets to Admin or Write user for review.

• Write (includes all the read privileges): the user can create and edit models, entities and collections (if a model or entity is in a restricted collection, then the user will only have read permission)

• Admin (includes all the write privileges): the user can create and edit all models, entities and collections, also they can restrict a collection to a list of editors. Admins can also change some organization settings, import and export the glossary, and manage API tokens.

You can assign an Okta group to an ellie.ai role.

If a user is a member of groups with different roles, then they will be assigned the highest role.

If a user is not a member of any groups with a role then they will not be permitted to use ellie.ai. It is very important that every user that has access to the app is a member of a group with a role.

Open

You do not need to create the ellie.ai roles.
The roles are not configurable and limited to read, contributor, write and admin.

SP-initiated SSO

Here are the steps to follow to if you want to authenticate yourself using Okta from ellie.ai’s login page.

1. Go to your ellie.ai login page (you may need to logout first)

2. Click on the “Login using Okta“ button

3. You will be redirected to your organization’s Okta login page

4. Fill in your Okta account credentials

5. Click on the “Sign In“ button

6. You will then be redirected to your ellie.ai dashboard

Steps 3 to 5 may be omitted if you already have an active Okta session.