
Okta SSO Integration

Use Okta SSO to let your team securely sign in to Canny

Written by Canny
Updated over 3 weeks ago

Overview

Use Okta to securely authenticate fellow Canny admins and end-users.

Benefits

  • Centralized authentication: Manage admin and end-user logins through Okta for consistent, secure access to Canny

  • Simplified onboarding: Automatically provision new accounts using just-in-time (JIT) authentication. No manual invites required

  • Granular access control: Assign roles to admins and restrict access for end-users to custom access boards


Requirements

The Okta Single Sign-on integration is only available on the Business Plan. If you’d like to add Okta SSO to your account, start a chat or contact our sales team at sales@canny.io!

To set up the integration, you must be an Owner in Canny and an admin in your Okta organization.


Configuration Steps

1. First you’ll need to install the Canny app within your Okta organization. In Okta, go to the Admin tab:

2. From there, go to the Applications section and click on Browse App Catalog:

3. Click Add integration to install Canny:

4. Next you’ll see the General Settings screen. Click Done to continue:

5. Now that the app is installed on Okta’s side, you can add users or groups of users that are allowed to access Canny as admins via SSO. Make sure to add yourself so you can continue setup:

6. Go to the Sign On tab and copy the Client ID and Client Secret values. These will be used in the next step:

7. Go to the Okta settings page in Canny and paste the Client ID and Client Secret copied from Okta’s Sign On settings in step 6.

You’ll also need to know your Okta Domain, which may look something like mycompany.okta.com. You can enter multiple URLs, separated by commas (for example, both mycompany.okta.com and login.mycompany.com). Once you’ve filled out these fields, click Connect Okta to complete the installation process:

After setup, employees can log in to Canny from their Okta dashboard:


The user login flow with Okta:

  1. User is authenticated by Okta

  2. User is redirected to Canny, where they'll see a message asking to check their email (the email address used in Okta):

  3. Canny automatically sends an admin invite for this user to their email

  4. User accepts the admin invite via their email

  5. User is authenticated into Canny


Roles

In Canny, you can choose which admin role is assigned to Canny admins after they successfully authenticate via Okta.

You can set the default role to ‘User’ instead of an admin role. This allows your users to log in and access boards without granting admin permissions.


Force logins via Okta

For teams using Okta, you now have the option to require logins via Okta. Simply head to your Okta integration settings to turn this toggle on:


Access to custom access boards using Okta

Canny allows you to set up custom access boards and enforce access using Okta. You’ll see the option to limit access to collaborators from the Privacy section of the Boards tab in your Canny settings:


Things to note:

  • Canny supports JIT (just-in-time) authentication with Okta, meaning the first time someone authenticates into Canny with Okta, a contributor account will be provisioned, based on the selected role in the Okta settings page.

  • Users don’t explicitly need to be invited via email from the Admins page in your Canny settings. Canny will follow the email verification flow described above when their Canny account is first created via Okta.

  • Okta can be used to authenticate both fellow Canny admins who are managing feedback, as well as end-users who are only leaving their own feedback.

