The Kallidus Sapling platform helps HR and People Operations teams automate and streamline administrative tasks so they can focus on employee experience, retention, and creating an amazing culture for the most successful teams.
Okta allows you to provide secure identity management and single sign-on to any application, whether in the cloud, on-premises, or on a mobile device for your employees, partners, and customers.
With the Okta integration, Sapling will:
- Simplify User Sign-On: Users can log directly into Sapling using Okta SSO, or they can launch Sapling from their Okta dashboard
Create Users (optional): When a new hire is onboarded in Sapling, they will automatically be created in Okta
Update User Attributes (optional): When a user profile is updated in Sapling, the corresponding user profile will be updated in Okta
- Link Users: Existing Sapling users will be linked to corresponding users in Okta
How it Works
Simplify User Sign-On
- Users can log directly into Sapling using Okta SSO, or they can launch Sapling from their Okta dashboard
- Users will be able to log in via Okta SSO or their Okta dashboard as long as their user emails in Okta and Sapling match
Create Users (optional)
When a new hire is onboarded in Sapling, they will automatically be created in Okta with their personal information and job details before they are invited to Sapling
If a new hire is invited to Sapling immediately after onboarding, then the new hire will be created in Okta immediately (before the invite is sent out)
If a new hire is scheduled to be invited at a later date, then the new hire will be created in Okta at that later date (before the invite is sent out)
- Once created in Okta, your IT team can proceed with their usual access provisioning processes and send user credentials to the new hire accordingly
Check out this article for more information on onboarding new hires in Sapling
Check out the Supported Fields section for what fields are synced from Sapling to Okta for user creation
Update User Attributes (optional)
When a user profile is updated in Sapling, the corresponding user profile will immediately be updated in Okta
- Check out the Supported Fields section for what fields are synced from Sapling to Okta for user updates
As long as the integration is enabled, a daily (overnight) sync will link existing Sapling users to corresponding Okta users based on Company Email (or Personal Email if no Company Email was provided)
Check out the Before Enabling the Integration section to get the most of the initial user linking when the integration is first enabled
Before Enabling the Integration
Sapling will only auto-create Okta accounts for new hires that are onboarded after the integration is enabled.
As such, before enabling the integration you to need manually create Okta accounts for all your existing Sapling users (if they don't already have one). For a speedier solution, please reach out to Okta Support and ask if you're able to do so via bulk upload.
Once the integration is enabled, existing Sapling users will be linked to corresponding Okta users via an overnight sync based on Company Email or Personal Email if no Company Email was provided. Once linked, user updates in Sapling will sync to Okta going forward (if enabled).
Setting Up the Integration
Part 1: Add the Sapling (US) or Kallidus HR (UK) app in Okta to enable SSO functionality
- From your home page, click the "Admin" button
- Under your Admin page, navigate to Applications and click "Browse App Catalog"
- Under the App Catalog:
- For US customers (saplingapp.io): search for and select "Sapling App" (do not use "Sapling HR")
- For UK customers (kallidus-suite.com): search for and select "Kallidus HR"
- Once selected, click "Add Integration"
- Under General Settings, enter your Sapling subdomain and click "Done"
- Navigate to the Sign On page and click "More Details"
- Copy the metadata URL, sign on URL, and signing certificate for Part 3 of the setup
Part 2: Create a token in Okta to enable user provisioning and update functionalities (optional)
- Under Security, navigate to API
- Under API, navigate to Tokens and click "Create Token"
- Enter any descriptive name for your integration and click "Create Token"
- Copy the token for Part 3 of the setup
Part 3: Enable the Okta integration and allow for SSO sign-ins in Sapling
Under Administration Tools, navigate to Integrations
Scroll down to find the Okta integration and enable the integration slider
- Paste your Okta sign on URL (Identity Provider SSO URL), signing certificate (SAML Certificate), metadata URL (SAML Metadata Endpoint), and token (API Key)
- If you'd like for new hires to be created and/or user attributes to be updated in Okta, enable the appropriate sliders below
- Once completed, click "Next" and "Activate"
- Under Administration Tools, navigate to Platform Settings
- Under the SSO tab, allow for users to sign in using "Password and SSO" or "SSO only" and click "Save"
Part 4: Assign the Sapling (US) or Kallidus HR (UK) app to users in Okta
- Navigate to the Assignments page and click "Assign"
- Click "Assign to People" to assign the app individually, or click "Assign to Groups" to assign the app in bulk
- Search for your desired users/groups and click "Assign"
- Once completed, click "Done"
Kallidus is continually expanding the number of fields that sync between Sapling and Okta.
Please note that is not possible to exclude or custom map any of the supported fields above, or map any additional fields at this time.
Key Factors to be aware of
Will changing our company domain impact the integration?
- For SSO, users will be able to log in as long their company emails in Sapling and Okta match up. If company emails in Okta are being updated to a new domain, they'll need to be updated in Sapling as well.
- For user provisioning in Okta, simply use the updated domain in Sapling when specifying company emails for new hires going forward. If Default Email Format is enabled under Sapling Platform Settings, you'll need to update the domain name.
- Can two Okta instances for two different companies hook up to one Sapling instance?
- Currently, we only support integrating with a single Okta instance
Will offboarded users in Sapling have their Okta profiles de-provisioned?
- Currently, we do not de-provision user accounts in Okta
Field Name Matching
For the fields to sync correctly, the naming conventions must match between Sapling and Okta for both the fields names and field values (for dropdown fields)
SSO Only Logins
- If you configure your Sapling environment to use SSO logins only, please note that you'll need to ensure new hires have access to their Okta accounts prior to their start date - so they can use Okta to log into Sapling and complete any onboarding documents/tasks needed before starting
- Your onboarding/auto-provisioning process when using SSO logins only should be as follows:
- People team onboards the new hire in Sapling and schedules their Sapling invite
- The user is auto-provisioned in Okta prior to their Sapling invite being sent
- IT team assigns only the Sapling app to the user (for now) in Okta and sends their Okta credentials
- User accepts their Okta invite and sets up their Okta password
- User accepts their Sapling invite and sets up their Sapling password
- This is a required but redundant step
- You can include a section in your Sapling invite to instruct users to wait for and set up their Okta accounts first
- User goes through their onboarding process in Sapling
- If they log out or time out of their initial session (from the invite), they can log back in using Okta going forward
- On their start date, IT team assigns any remaining apps to the user in Okta
- You can retrieve the user's start date via our Stage Started webhook (set to preboarding)
Looking to do more?