Okta + Oncall Scheduler configuration guide
The Oncall Scheduler works with Okta authentication using the OpenID Connect (OIDC) protocol. You don't see an 'Okta' logon button on the homepage because Okta does not offer a single URL where any user from any Okta tenant can authenticate.
To start using Okta authentication, you first need to add the Oncall Scheduler application to your Okta tenant. You do this through the Okta admin user experience. Oncall Scheduler is available as an Okta Integration Network (OIN) application. After you add the Oncall Scheduler there, you will get 3 pieces of configuration data from that OIN application, which need to be entered in the Oncall Scheduler tenant configuration:
- The Authority URL for your Okta tenant is where your users will get redirected to authenticate when they try to access the Oncall Scheduler.
- The ClientId is an identifier for the Oncall Scheduler app registration in your Okta tenant.
- The ClientSecret is a secret which the Oncall Scheduler will use to identify itself to your Okta tenant, so it will be allowed to ask for authentication of your users.
Once you configure Okta authentication for your Oncall Scheduler tenant, your users will not be able to authenticate in any other way to the Oncall Scheduler.
Supported features
- Single Sign-On (OpenID Connect). Both "IdP-initiated" by clicking a link to Oncall Scheduler in the Okta OIN user experience, and "SP-initiated" by clicking a link in an Oncall Scheduler email or user experience.
- Single Sign-Out. When a user clicks "SP-initiated" sign-out in Oncall Scheduler, the user is also logged out of their log-in session with Okta.
- Automatically creates an Oncall Scheduler tenant for your organization when the first user from your organization logs on.
Requirements
- Be an administrator in your Okta tenant
- Install the Oncall Scheduler application in your Okta tenant through the OIN user experience
- Be an administrator in your Oncall Scheduler tenant
- Okta authentication is only available with the Oncall Scheduler Enterprise pricing plan
Configuration steps
In Okta
- Copy the unique part of your Okta domain, or Authority URL. This is part of the URL you use to administer your Okta tenant. E.g. it's the "contoso" part of https://contoso.okta.com
- In the Okta OIN page, click on the Oncall Scheduler application and then navigate to the Sign On tab
- Copy the values of Client ID and Client secret (click the eye button to make them visible)
In Oncall Scheduler
- In the Oncall Scheduler start page which lists all rotations, click on the 'tenant settings' gear icon in the top left.
- Click the Okta Authentication section to expand it.
- Enter the unique portion of your Okta domain (or "Authority URL"), Client ID, and Client Secret into the 3 fields.
- Press Save. You'll be immediately logged out, and you'll only be able to log in again through Okta.
Authenticating
Your users can now open the Oncall Scheduler with Okta authentication:
- Through the link in the Okta application list
- Through links in Oncall Scheduler emails and meeting invites
- You can create custom links for this, to put anywhere, by replacing the 'contoso.okta' string in this URL: https://oncallscheduler.com/login/okta?iss=https%3A%2F%2Fcontoso.okta.com
- If their email address domain is the same as the email address domain used to create the Oncall Scheduler tenant, they will be led to Okta authentication if they try to log in to the Oncall Scheduler using any other authentication method (e.g. Google, Microsoft, or Email). If their email address domain is different, logging on to the Oncall Scheduler without Okta will cause a new Oncall Scheduler tenant to be created for that different domain.
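The custom link format described above can be generated and checked programmatically. The following is an added example, not code from Oncall Scheduler: it builds the link from the unique part of an Okta domain and verifies that an existing link points at the expected tenant. The function names are hypothetical, and it assumes the tenant lives under okta.com, as in the guide's sample URL.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Base login URL as given in the guide.
LOGIN_BASE = "https://oncallscheduler.com/login/okta"

# Assumption: the unique part of an Okta domain is a single DNS label
# (letters, digits, hyphens; no leading or trailing hyphen).
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def build_login_link(okta_subdomain: str) -> str:
    """Return the Okta login link for a tenant such as 'contoso'."""
    label = okta_subdomain.strip().lower()
    if not _LABEL.fullmatch(label):
        raise ValueError(f"not a valid Okta subdomain: {okta_subdomain!r}")
    issuer = f"https://{label}.okta.com"
    # safe="" percent-encodes ':' and '/', matching the guide's sample URL.
    return f"{LOGIN_BASE}?iss={quote(issuer, safe='')}"


def issuer_of(link: str) -> str:
    """Extract the issuer from a login link, rejecting unexpected shapes."""
    parts = urlsplit(link)
    expected = ("https", "oncallscheduler.com", "/login/okta")
    if (parts.scheme, parts.netloc, parts.path) != expected:
        raise ValueError("not an Oncall Scheduler Okta login link")
    values = parse_qs(parts.query).get("iss", [])
    if len(values) != 1:
        raise ValueError("expected exactly one iss parameter")
    return values[0]


def link_matches_tenant(link: str, okta_subdomain: str) -> bool:
    """True only if the link's issuer is exactly the expected Okta tenant."""
    try:
        return issuer_of(link) == f"https://{okta_subdomain.lower()}.okta.com"
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_login_link("contoso"))
```

Comparing the full issuer string, rather than checking that it starts with the tenant's domain, rejects look-alike issuers that merely begin with the expected host name.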