Natero has integrations with four single sign-on (SSO) solutions: Google, Salesforce, Microsoft Dynamics, and Okta. Please see below for instructions on how to set up the integration. 


 




 


Google


No setup required. It should work as long as your Google email address matches the email address associated with your Natero account.


Salesforce


No setup required. It should work as long as your email address associated with your Salesforce account matches the email address associated with your Natero account.


Microsoft Azure


The Natero SSO app uses OpenID Connect with the scopes profile, openid, and email.


  • Go to: Active Directory -> App registrations
  • Select + New application registration
  • Enter a name (e.g., Natero OAuth)
  • Under Application type select: Access Web APIs in Other Applications
  • Under Sign-on URL enter your Natero domain (or simply use US: https://login.natero.com, EU: https://login-eu.natero.com)
  • Copy the Application ID (you'll need to provide it to us)
  • Click 'Settings'
  • Under 'Required permissions':
    • Select application: Windows Azure Active Directory
    • Open the Delegated Permissions dropdown and select:
      • Sign in and read user profile (User.Read)
      • Read all users' basic profile (User.ReadBasic.All)
  • Under 'Keys', enter a name and select a duration of 1 or 2 years (the key value is displayed once, after saving)
    • When you save the key, copy the value displayed; this is the client secret for the app
  • Under 'Reply Urls' fill in:
  • It may also be necessary to add the following to the Manifest under optionalClaims (the email claim on the ID token):


  "optionalClaims": {
    "idToken": [
      {
        "name": "email",
        "source": null,
        "essential": true,
        "additionalProperties": []
      }
    ]
  }



Click Save. Make sure you've copied the key (client secret) and the Application ID, and provide both to Natero.


Okta



Create an application in your Okta instance and provide Natero with:


  • client ID
  • client secret
  • authorization server URL (for the /authorize and /token endpoints)

Natero uses the email address to match a user from Okta to a user within Natero.

  • We can obtain the user from either:
    • the JWT, as a claim in the 'sub', 'email' or 'Email' field
    • or a call to the /userinfo endpoint, again from the 'email' or 'Email' field
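The lookup order above, as an added Python example that is not Natero's code: it verifies a constructed HS256 token offline (real Okta ID tokens are RS256 and are checked against the issuer's JWKS), then resolves the matching address from the token claims, falling back to the /userinfo response. The key, issuer, audience and claim values are constructed, and treating a claim as usable only when it contains '@' is an assumption made here.

```python
import base64, hashlib, hmac, json, time

# Constructed example, not Natero's code: HS256 so it runs offline. Real Okta
# and Azure AD ID tokens are RS256 and must be verified against the JWKS first.

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims, key):
    """Mint a signed token (only used here to build test input)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify_hs256_jwt(token, key, issuer, audience, now=None):
    """Check alg, signature, iss, aud and exp; return the claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # never accept 'none'
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

# Lookup order from the Okta section: token claims first, then /userinfo.
TOKEN_CLAIMS = ("sub", "email", "Email")
USERINFO_FIELDS = ("email", "Email")

def resolve_email(claims, userinfo=None):
    """Return the address used to match the SSO user to a Natero account.
    Assumption: a value counts only if it looks like an email ('sub' may be an id)."""
    for src, names in ((claims, TOKEN_CLAIMS), (userinfo or {}, USERINFO_FIELDS)):
        for name in names:
            v = src.get(name)
            if isinstance(v, str) and "@" in v:
                return v.strip().lower()
    return None
```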

If you would like us to test your Okta integration, we need a test user and password that can authenticate against your authorization server, once you've set up the application in Okta and provided us the other necessary information.


Here are two example screenshots showing how we set up an app in Okta in our developer account:


[Screenshot 1: Okta application setup]

[Screenshot 2: Okta application setup]