Introduction
This article is about how to configure Single Sign On (SSO) using Okta in Perfect Gym applications. Single Sign On is a user authentication process that enables a user to access multiple applications with one set of login credentials. This process supports simplified and secure access to Perfect Gym applications for employees.
In this article, you will learn how to register an application in Okta, configure SSO settings in Perfect Gym applications, and allow employees to log in using Okta SSO.
This article will be helpful for PG Champions, Support Agents and IT Administrators.
The Client Secret must be updated by your organisation before the expiry date set for the Expiry Period in Step 8 below (annually, biannually, etc.). If the Client Secret is not updated in PGM prior to expiry, no staff will be able to log in via SSO.
Before you start
Make sure you have access to your Okta administration console to register the application and the appropriate permissions in Perfect Gym Manager (PGM) to configure system settings.
Fast lane
This is a brief overview. The following sections contain more detailed information.
Register the application in Okta:
- Sign in to your Okta administration console.
- Navigate to Admin Console -> Applications.
- Click on Create App Integration.
- Choose the OIDC sign-in method with the Native application type.
- Enter the required application name and logos, and provide the correct Sign-in redirect URIs and Sign-out redirect URIs.

Configure SSO in Perfect Gym:
- Open PGM > Settings > System Settings.
- Navigate to the Authentication section and find the Okta subsection.
- Copy the Client ID and Client Secret from your newly created Okta application into the corresponding fields in PGM.
- Set the default employee position and default employee role for new users.
Instruction
Registering an application in Okta is the first step of configuring SSO.
1. Sign in to your Okta administration console and navigate to the Admin Console -> Applications page.
2. Click on the Create App Integration button and select the OIDC sign-in method with the Native application type.
3. Click Next.
4. Fill in the required fields.
5. Okta does not allow wildcards in sign-in/sign-out URIs, so you must enter the full URLs. Add the following redirect URIs, replacing {company}.perfectgym.com with your dedicated tenant URL:
- Sign-in redirect URIs:
  - https://{company}.perfectgym.com/Pgm/Account/OktaResponseHandler
  - https://{company}.perfectgym.com/PosWeb/Login/Okta
  - https://{company}.perfectgym.com/ClientPortal2/api/auth/Okta/SignInCallback/
  - https://{company}.perfectgym.com/ClientPortal2/api/auth/Okta/SignInCallback/Kiosk
  - https://{company}.perfectgym.com/ClientPortal2/api/auth/Okta/SignInCallback/Tablet
- Sign-out redirect URIs:
  - https://{company}.perfectgym.com/Pgm/
  - https://{company}.perfectgym.com/PosWeb/
  - https://{company}.perfectgym.com/ClientPortal2/
6. When finished, click Save. You will be moved to a view that contains all application information.
Configuring SSO in Perfect Gym applications
1. Open PGM > Settings > System Settings.
2. Copy the configuration details, specifically the AuthorityUrl, ClientId and ClientSecret, from your Okta application into the Authentication -> Okta section in PGM.
3. Set the default employee position and default employee role for all new staff. This is the position and role that will be allocated to a new employee on their first sign-in. It's recommended to set the lowest position and role available, which can be changed later to the employee's correct role.
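As an added example (not Perfect Gym or Okta code) that covers the redirect URI registration in step 5 above, the PGM settings just described and the Client Secret expiry warning at the top of this article: a small Python preflight check that builds the exact redirect URI list for a tenant, compares it with what an administrator has registered in Okta (a constructed sample containing a typical missing-trailing-slash mistake) and reports how many days remain before the Client Secret must be rotated. The tenant name acme, the sample lists and the dates are assumptions.

```python
from datetime import date, timedelta

# Redirect URI paths exactly as the article lists them for each PG application.
SIGN_IN_PATHS = (
    "/Pgm/Account/OktaResponseHandler",
    "/PosWeb/Login/Okta",
    "/ClientPortal2/api/auth/Okta/SignInCallback/",
    "/ClientPortal2/api/auth/Okta/SignInCallback/Kiosk",
    "/ClientPortal2/api/auth/Okta/SignInCallback/Tablet",
)
SIGN_OUT_PATHS = ("/Pgm/", "/PosWeb/", "/ClientPortal2/")

# Constructed sample of what an admin registered in Okta for the (assumed) tenant "acme":
# the Tablet callback is missing and the ClientPortal2 callback lacks its trailing slash.
SAMPLE_IN = [
    "https://acme.perfectgym.com/Pgm/Account/OktaResponseHandler",
    "https://acme.perfectgym.com/PosWeb/Login/Okta",
    "https://acme.perfectgym.com/ClientPortal2/api/auth/Okta/SignInCallback",
    "https://acme.perfectgym.com/ClientPortal2/api/auth/Okta/SignInCallback/Kiosk",
]
SAMPLE_OUT = ["https://acme.perfectgym.com/Pgm/", "https://acme.perfectgym.com/PosWeb/",
              "https://acme.perfectgym.com/ClientPortal2/"]


def expected_uris(company):
    """Build the (sign-in, sign-out) URI sets for https://{company}.perfectgym.com."""
    base = f"https://{company}.perfectgym.com"
    return {base + p for p in SIGN_IN_PATHS}, {base + p for p in SIGN_OUT_PATHS}


def diff_uris(company, registered_in, registered_out):
    """Report missing/extra URIs. Okta matches redirect URIs exactly and rejects
    wildcards, so a missing trailing slash or an http:// scheme is a different URI."""
    want_in, want_out = expected_uris(company)
    return {
        "missing_sign_in": sorted(want_in - set(registered_in)),
        "extra_sign_in": sorted(set(registered_in) - want_in),
        "missing_sign_out": sorted(want_out - set(registered_out)),
        "extra_sign_out": sorted(set(registered_out) - want_out),
    }


def secret_days_left(created, expiry_days, today):
    """Days until the Client Secret expires (negative once expired). expiry_days mirrors
    the Expiry Period chosen in Okta (e.g. 365 for annual); rotate it in PGM before 0."""
    return ((created + timedelta(days=expiry_days)) - today).days


if __name__ == "__main__":
    print(diff_uris("acme", SAMPLE_IN, SAMPLE_OUT))
    print("days until secret expiry:", secret_days_left(date(2024, 1, 15), 365, date(2024, 12, 1)))
```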
How to log into the applications
PGM
In PGM, press the Log in via Okta button. This will take you to your company's Okta login page to sign in (if you're not already signed in).
POSWeb
In POSWeb, use the same method as in PGM. Press the Log in via Okta button. This will take you to your company's Okta login page to sign in (if you're not already signed in).
Client Portal
- Since the Client Portal is primarily for club members, there is no direct "Log in via Okta" button. To log in in employee mode, an employee must fill out the login form.
- The employee should use their employee login (from PGM), which is usually the same as their Okta login.
- For the password field, a random text will suffice. After clicking the sign-in button, the application will initiate the SSO process.
FAQ
1. What fields on a user account in Okta are required for the SSO integration to work?
The required fields are: First Name, Last Name, and Email.
2. What will happen if an employee who previously signed in using login+password credentials starts using the Okta Single Sign-On option?
If a user previously signed in using login+password credentials and switches to Okta, the system will attempt to associate the Okta account with the existing PG account. A search will be performed for an employee with the same email as in Okta. If the merge is successful, that user will no longer be able to sign in using login+password credentials. If no match is found, a new employee account will be created.
3. What will happen if an employee who has never signed in to PG starts using the Okta Single Sign-On option?
If a user has never signed in to PG and starts using Okta SSO, a new employee account will be created in PG with the default employee position and role configured in the system. There is no option to disable this behavior.
4. Can I limit the Okta SSO option to members of a specific Okta user group?
No, this feature is not supported.
5. After I used the SSO sign-in option, I can't sign in using my login+password credentials.
This is by design. Once the PG account is connected with the Okta account, signing in using login+password is not allowed.
6. In the case of creation of a new employee account, what permissions will the employee have?
The newly created employee will be assigned to a position and role set in the configuration (System Settings → System → Authentication section).
7. If I make changes to an employee's personal data (e.g., first name) in PG, will the change be propagated to Okta?
PG apps have read-only access to Okta. Any changes made later in Azure or PG will not be synchronized between the systems.
8. I've changed a user's personal data in Okta. When will it sync to PG?
The personal data received from Okta is only used to create the user account during the first Okta sign-in. Subsequent changes will not be synchronized between the systems.
9. What will happen if we deactivate or remove an employee in PG but not in Okta?
After deletion in PG, any attempt to sign in using Okta will fail. The employee account will not be reactivated or recreated.
10. What happens if an employee's Okta account is deactivated?
The employee will no longer be able to sign in using Okta.
11. How do I get a list of employees with Okta logins?
Go to PGM → Reports → All and search for the report 'Employees'. The relevant information is in the fields ExternalSystemEmployeeId and ExternalSystemType.
You can create an employee account in PGM beforehand, and SSO will link to it. Alternatively, the employee can sign in first, and you can then update the permissions or clubs of the account created at their first sign-in.