Introduction
The Kallidus Sapling platform helps HR and People Operations teams automate and streamline administrative tasks so they can focus on employee experience, retention, and creating an amazing culture for the most successful teams.
Okta allows you to provide secure identity management and single sign-on to any application, whether in the cloud, on-premises, or on a mobile device for your employees, partners, and customers.
With the Okta integration, Sapling will:
- Simplify User Sign-On: Users can log directly into Sapling using Okta SSO, or they can launch Sapling from their Okta dashboard
- Create Users (optional): When a new hire is onboarded in Sapling, they will automatically be created in Okta
- Update User Attributes (optional): When a user profile is updated in Sapling, the corresponding user profile will be updated in Okta
- Link Users: Existing Sapling users will be linked to corresponding users in Okta
How it Works
Simplify User Sign-On
- Users can log directly into Sapling using Okta SSO, or they can launch Sapling from their Okta dashboard
- Users will be able to log in via Okta SSO or their Okta dashboard as long as their App Username in Okta matches their Company Email in Sapling
Create Users (optional)
- When a new hire is onboarded in Sapling, they will automatically be created in Okta with their personal information and job details before they are invited to Sapling
- If a new hire is invited to Sapling immediately after onboarding, then the new hire will be created in Okta immediately (before the invite is sent out)
- If a new hire is scheduled to be invited at a later date, then the new hire will be created in Okta at that later date (before the invite is sent out)
- Once created in Okta, your IT team can proceed with their usual access provisioning processes and send user credentials to the new hire accordingly
- Check out this article for more information on onboarding new hires in Sapling
- Check out the Supported Fields section for what fields are synced from Sapling to Okta for user creation
Update User Attributes (optional)
- When a user profile is updated in Sapling, the corresponding user profile will immediately be updated in Okta
- Check out the Supported Fields section for what fields are synced from Sapling to Okta for user updates
Link Users
- As long as the integration is enabled, a daily (overnight) sync will link existing Sapling users to corresponding Okta users based on their Company Email (or Personal Email if no Company Email was provided) matching their App Username
- Check out the Before Enabling the Integration section to get the most out of the initial user linking when the integration is first enabled
Before Enabling the Integration
Sapling will only auto-create Okta accounts for new hires that are onboarded after the integration is enabled.
As such, before enabling the integration you need to manually create Okta accounts for all your existing Sapling users (if they don't already have one). For a speedier solution, please reach out to Okta Support and ask if you're able to do so via bulk upload.
Once the integration is enabled, existing Sapling users will be linked to corresponding Okta users via an overnight sync based on Company Email or Personal Email if no Company Email was provided. Once linked, user updates in Sapling will sync to Okta going forward (if enabled).
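The linking rule above (Company Email, falling back to Personal Email, matched against the Okta App Username) can be checked against user exports before the first overnight sync. The following is an added example, not Sapling or Okta code; the export field names and sample users are constructed, and since the page does not say whether the match is case-sensitive, case-only differences are reported separately.

```python
# Constructed sample exports; field names are assumptions, not the Sapling or Okta schema.
SAPLING_USERS = [
    {"name": "Ana Ruiz", "company_email": "ana.ruiz@example.com", "personal_email": "ana@example.net"},
    {"name": "Ben Okoro", "company_email": "", "personal_email": "ben.okoro@example.net"},
    {"name": "Chi Tran", "company_email": "Chi.Tran@example.com", "personal_email": ""},
    {"name": "Dee Park", "company_email": "dee.park@example.com", "personal_email": ""},
    {"name": "Eli Noor", "company_email": "", "personal_email": ""},
]
OKTA_APP_USERNAMES = ["ana.ruiz@example.com", "ben.okoro@example.net", "chi.tran@example.com"]

def link_key(user):
    """Return (email, source) per the page's rule: Company Email, else Personal Email."""
    company = (user.get("company_email") or "").strip()
    if company:
        return company, "company"
    personal = (user.get("personal_email") or "").strip()
    return (personal, "personal") if personal else (None, None)

def preflight(sapling_users, okta_usernames):
    """Bucket each Sapling user by how (or whether) it would match an Okta App Username."""
    exact = set(okta_usernames)
    folded = {name.casefold() for name in okta_usernames}
    buckets = ("linked", "linked_via_personal", "case_mismatch", "unlinked", "no_email")
    report = {bucket: [] for bucket in buckets}
    for user in sapling_users:
        key, source = link_key(user)
        if key is None:
            report["no_email"].append(user["name"])        # nothing to match on
        elif key in exact:
            bucket = "linked" if source == "company" else "linked_via_personal"
            report[bucket].append(user["name"])
        elif key.casefold() in folded:
            report["case_mismatch"].append(user["name"])   # differs only by letter case
        else:
            report["unlinked"].append(user["name"])        # needs an Okta account first
    return report

if __name__ == "__main__":
    for bucket, names in preflight(SAPLING_USERS, OKTA_APP_USERNAMES).items():
        print(f"{bucket}: {names}")
```

Users in `linked_via_personal` are worth reviewing before go-live, because their Okta identity would be tied to an address outside the company domain.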
Setting Up the Integration
Part 1: Add the Sapling (US) or Kallidus HR (UK) app in Okta to enable SSO functionality
- From your home page, click the "Admin" button
- Under your Admin page, navigate to Applications and click "Browse App Catalog"
- Under the App Catalog:
  - For US customers (saplingapp.io): search for and select "Sapling App" (do not use "Sapling HR")
  - For UK customers (kallidus-suite.com): search for and select "Kallidus HR"
- Once selected, click "Add Integration"
- Under General Settings, enter your Sapling subdomain and click "Done"
- Navigate to the Sign On page and click "More Details"
- Copy the metadata URL, sign on URL, and signing certificate for Part 3 of the setup
Part 2: Create a token in Okta to enable user provisioning and update functionalities (optional)
- Under Security, navigate to API
- Under API, navigate to Tokens and click "Create Token"
- Enter any descriptive name for your integration and click "Create Token"
- Copy the token for Part 3 of the setup
Part 3: Enable the Okta integration and allow for SSO sign-ins in Sapling
- Under Administration Tools, navigate to Integrations
- Scroll down to find the Okta integration and enable the integration slider
- Paste your Okta sign on URL (Identity Provider SSO URL), signing certificate (SAML Certificate), metadata URL (SAML Metadata Endpoint), and token (API Key)
- If you'd like for new hires to be created and/or user attributes to be updated in Okta, enable the appropriate sliders below
- Once completed, click "Next" and "Activate"
- Under Administration Tools, navigate to Platform Settings
- Under the SSO tab, allow for users to sign in using "Password and SSO" or "SSO only" and click "Save"
Part 4: Assign the Sapling (US) or Kallidus HR (UK) app to users in Okta
- Navigate to the Assignments page and click "Assign"
- Click "Assign to People" to assign the app individually, or click "Assign to Groups" to assign the app in bulk
- Search for your desired users/groups and click "Assign"
- Once completed, click "Done"
Supported Fields
Kallidus is continually expanding the number of fields that sync between Sapling and Okta.
Please note that it is not possible to exclude or custom map any of the supported fields above, or map any additional fields at this time.
Key Factors to be aware of
FAQs
- Will changing our company domain impact the integration?
  - For SSO, users will be able to log in as long as their company emails in Sapling and Okta match up. If company emails in Okta are being updated to a new domain, they'll need to be updated in Sapling as well.
  - For user provisioning in Okta, simply use the updated domain in Sapling when specifying company emails for new hires going forward. If Default Email Format is enabled under Sapling Platform Settings, you'll need to update the domain name.
- Can two Okta instances for two different companies hook up to one Sapling instance?
  - Currently, we only support integrating with a single Okta instance
- Will offboarded users in Sapling have their Okta profiles de-provisioned?
  - Currently, we do not de-provision user accounts in Okta
- Why is it not possible to custom map any of the supported fields from Sapling to Okta?
  - When creating users in Okta, we utilize Okta's default/standard profile. Per Okta's developer documentation, default profile fields/properties cannot be customized
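Because offboarding in Sapling does not de-provision the Okta account, a periodic reconciliation of the two user lists shows which departed users still have a live Okta identity. This is an added example, not Sapling or Okta code; the export field names (`email`, `last_day`, `login`, `status`) and the sample users are constructed.

```python
from datetime import date

# Constructed sample exports; field names are assumptions, not the Sapling or Okta schema.
SAPLING_USERS = [
    {"email": "ana.ruiz@example.com", "last_day": "2024-03-29"},
    {"email": "ben.okoro@example.com", "last_day": "2024-05-31"},  # leaves in the future
    {"email": "chi.tran@example.com", "last_day": None},           # current employee
    {"email": "dee.park@example.com", "last_day": "2024-01-12"},
    {"email": "eli.noor@example.com", "last_day": "2024-02-02"},
]
OKTA_USERS = [
    {"login": "ana.ruiz@example.com", "status": "ACTIVE"},
    {"login": "ben.okoro@example.com", "status": "ACTIVE"},
    {"login": "chi.tran@example.com", "status": "ACTIVE"},
    {"login": "dee.park@example.com", "status": "DEPROVISIONED"},
    {"login": "eli.noor@example.com", "status": "SUSPENDED"},
]

def lingering_accounts(sapling_users, okta_users, today):
    """Return (email, okta_status, days_since_last_day) for offboarded users
    whose Okta account is not DEPROVISIONED, oldest departure first."""
    status_by_login = {u["login"].casefold(): u["status"] for u in okta_users}
    findings = []
    for user in sapling_users:
        if not user["last_day"]:
            continue                                   # no termination recorded
        last_day = date.fromisoformat(user["last_day"])
        if last_day >= today:
            continue                                   # still employed through today
        status = status_by_login.get(user["email"].casefold())
        if status is not None and status != "DEPROVISIONED":
            findings.append((user["email"], status, (today - last_day).days))
    return sorted(findings, key=lambda finding: -finding[2])

if __name__ == "__main__":
    for email, status, days in lingering_accounts(SAPLING_USERS, OKTA_USERS, date(2024, 4, 15)):
        print(f"{email}: Okta status {status}, {days} days after last day")
```

Suspended accounts are reported as well, since a suspended Okta user can be unsuspended and keeps its app assignments until it is deactivated.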
Unable to update Admin Users in Okta from Sapling
- Why can we not sync changes from Sapling to Okta for our Admins?
  - Admin users in Okta typically have restricted profile attributes that cannot be modified through standard syncs or app provisioning. Okta restricts certain operations for security reasons, and admins are granted elevated permissions that may limit modifications to their profiles, particularly through external applications. You can explore more details in Okta's documentation on user permissions.
Field Name Matching
- For the fields to sync correctly, the naming conventions must match between Sapling and Okta for both the field names and field values (for dropdown fields)
Syncing Updates to Okta
To avoid limitations of the Okta API, we have a built-in delay (up to 2 mins) when syncing multiple updates for a user from Sapling to Okta. This ensures all updates are successfully received by Okta.
SSO Only Logins
- If you configure your Sapling environment to use SSO logins only, please note that you'll need to ensure new hires have access to their Okta accounts prior to their start date - so they can use Okta to log into Sapling and complete any onboarding documents/tasks needed before starting
- Your onboarding/auto-provisioning process when using SSO logins only should be as follows:
  - People team onboards the new hire in Sapling and schedules their Sapling invite
  - The user is auto-provisioned in Okta prior to their Sapling invite being sent
  - IT team assigns only the Sapling app to the user (for now) in Okta and sends their Okta credentials
  - User accepts their Okta invite and sets up their Okta password
  - User accepts their Sapling invite and sets up their Sapling password
    - This is a required but redundant step
    - You can include a section in your Sapling invite to instruct users to wait for and set up their Okta accounts first
  - User goes through their onboarding process in Sapling
    - If they log out or time out of their initial session (from the invite), they can log back in using Okta going forward
  - On their start date, IT team assigns any remaining apps to the user in Okta
    - You can retrieve the user's start date via our Stage Started webhook (set to preboarding)
Looking to do more?
Want to build your own custom integration? Check out the publicly available resources below: