Okta configuration guide for ellie.ai

Prerequisites

  • Have an existing account (i.e. your organization’s own subdomain) with ellie.ai

  • Have administrator privileges on your Okta organization

  • Have the Okta groups to which you want to grant an ellie.ai role (read, write, admin)

Supported features

  • SP-initiated SSO

  • IdP-initiated flow

  • Create users

  • Assign a role to an Okta group

  • Update user role

Procedure

Go to the Okta Integration Network catalogue, find the ellie.ai app, and add it to your applications.

In the General tab, please provide your ellie.ai organization name in the subdomain field (e.g. https://your-organization-name.ellie.ai/ → your-organization-name).

After installing the application, navigate to the Sign On tab. Here you can find the Client ID and Client secret. If you follow the OpenID Provider Metadata link, you can find your issuer URI under the key issuer.

In the Assignment tab you can configure the groups that can access the application. We recommend assigning only the groups that have a role, so that every user accessing the app has a role.

Send an email to support@ellie.ai with the subject “Okta configuration” and the following information:

  • Client ID

  • Client secret

  • Issuer URI

  • Your organization’s ellie.ai homepage URL (should look like this: https://organization.ellie.ai/)

  • Your Okta group role mapping (e.g. “ellie-write” → write)

  • API token to view the group memberships of an authenticated user (guide to create an API token)

ellie.ai support will handle your request and get back to you once the integration is configured.

Group role mapping

ellie.ai has 3 different roles:

  • Read: the user can read all the models and entities

  • Write (includes all the read privileges): the user can create and edit models, entities and collections (if a model or entity is in a restricted collection, then the user will only have read permission)

  • Admin (includes all the write privileges): the user can create and edit all models, entities and collections, and can also restrict a collection to a list of editors. Admins can also change some organization settings, import and export the glossary, and manage API tokens.

You can assign an Okta group to an ellie.ai role.

If a user is a member of groups with different roles, then they will be assigned the highest role.

If a user is not a member of any group with a role, then they will not be permitted to use ellie.ai. It is very important that every user who has access to the app is a member of a group with a role.

You do not need to create the ellie.ai roles. The roles are not configurable and are limited to read, write and admin.
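
The resolution rules above, as an added example in Python (not ellie.ai's or Okta's own code): it computes each user's effective role from a group role mapping and flags assigned groups that carry no role and users who would be refused. Group and user names are constructed, and the example assumes a user's role is derived from all of their Okta group memberships.

```python
ROLE_RANK = {"read": 1, "write": 2, "admin": 3}  # the three fixed ellie.ai roles

def validate_mapping(group_role_map):
    """Reject mappings that name a role other than read, write or admin."""
    bad = {g: r for g, r in group_role_map.items() if r not in ROLE_RANK}
    if bad:
        raise ValueError(f"unknown roles in mapping: {bad}")

def effective_role(user_groups, group_role_map):
    """Highest role granted by any of the user's groups, or None if none is mapped."""
    roles = [group_role_map[g] for g in user_groups if g in group_role_map]
    return max(roles, key=ROLE_RANK.get, default=None)

def audit(assigned_groups, group_role_map, memberships):
    """Compare the groups assigned to the app with the role mapping.

    Returns (roles, unmapped_groups, locked_out): user -> effective role,
    assigned groups without a role, and users who can reach the app but
    hold no role and would therefore be refused.
    """
    validate_mapping(group_role_map)
    assigned = set(assigned_groups)
    unmapped_groups = sorted(assigned - set(group_role_map))
    roles, locked_out = {}, []
    for user, groups in sorted(memberships.items()):
        if not assigned & set(groups):
            continue  # user is not assigned to the app at all
        role = effective_role(groups, group_role_map)
        if role is None:
            locked_out.append(user)
        else:
            roles[user] = role
    return roles, unmapped_groups, locked_out

# Constructed sample data; group and user names are hypothetical.
MAPPING = {"ellie-read": "read", "ellie-write": "write", "ellie-admin": "admin"}
ASSIGNED = ["ellie-read", "ellie-write", "ellie-admin", "contractors"]
MEMBERS = {
    "ana": ["ellie-read", "ellie-admin"],   # two roles: highest wins
    "ben": ["ellie-write", "contractors"],
    "cy": ["contractors"],                  # assigned, but no role
    "dee": ["marketing"],                   # not assigned to the app
}

if __name__ == "__main__":
    print(audit(ASSIGNED, MAPPING, MEMBERS))
```

Running the audit before sending the mapping to support shows which assigned groups should either be given a role or removed from the Assignment tab.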

SP-initiated SSO

Here are the steps to follow if you want to authenticate yourself using Okta from ellie.ai’s login page.

  1. Go to your ellie.ai login page (you may need to log out first)

  2. Click on the “Login using Okta” button

  3. You will be redirected to your organization’s Okta login page

  4. Fill in your Okta account credentials

  5. Click on the “Sign In” button

  6. You will then be redirected to your ellie.ai dashboard

Steps 3 to 5 may be omitted if you already have an active Okta session.