Create a seamless and secure log-in experience for all your Listrak platform account users by following the two-part setup process after the SSO feature has been enabled. Begin by following the steps in your company's Identity Provider (IdP) and then in the Listrak Platform.
⚠️ Important information regarding the SSO setup
The Account Owner is the only user who has permission to set up this feature in the account.
Once the SSO feature is configured, Listrak will deny access to any user, except the account owner, who attempts to log in using the standard method.
For Example:
To add credentials for a new Listrak user, you must first set them up in your SSO client.
When a new Listrak user is added within the Listrak Platform, they will be an API-only user that can be used for configuring API-related information.
SSO is available with any Security Assertion Markup Language (SAML) compatible SSO provider, such as Okta, Auth0, Ping Identity, OneLogin, and Azure.
Step 1: Contact Your Account Manager
The SSO feature must be enabled in your account before you can begin the setup process. Contact your Account Manager to have this feature turned on. Once the feature has been enabled you can proceed to step 2 below.
Step 2: Identity Provider Setup
The IdP setup needs to be completed before configuring the SSO settings in the Listrak application. The overall setup, and the location of the values needed for the Listrak Platform setup, may differ with each IdP's setup configuration.
Select your Identity Provider to learn how to configure it for your Listrak integration:
Okta Platform Setup
Follow the steps below if you are using the Okta Integration Network platform:
1. Log into the Okta platform and navigate to Applications.
2. Click Add Application.
3. Click Create New App.
4. Select Web from the Platform dropdown.
5. Select SAML 2.0 as the Sign on method.
6. Click Create.
7. Enter Application Name: Listrak (exact name)
8. Enter the App’s login page URL: blank (exact name)
9. Click here to download the Listrak Logo.
10. Select the settings you want for How will your users sign in?
11. Click Next.
12. Enter the following information to configure the SAML Settings:
Single Sign On URL | https://user-auth-api.listrak.com/api/SSOAuthentication/Authenticate?domain=[yourdomain] |
Audience URI (SP Entity ID) | Listrak |
Default Relay State | Leave blank |
Name ID format | x509SubjectName |
Application Username | Okta username |
Update Application Username On | Create and update |
Response | Signed |
Assertion Signature | Signed |
Signature Algorithm | RSA-SHA-256 |
Digest Algorithm | SHA256 |
Assertion Encryption | Unencrypted |
Enable Single Logout | Unchecked |
Authentication Context Class | PasswordProtectedTransport |
Honor Force Authentication | Yes |
SAML Issuer ID | http://www.okta.com/${peg/externalKey} |
13. Enter the following Attribute Statements:
Name | Name format (optional) | Value |
 | Unspecified | user.email |
first | Unspecified | user.firstName |
last | Unspecified | user.lastName |
14. Click Next when finished.
15. Answer any Okta Feedback questions.
16. Click Next
17. Click the Sign On tab to access the setup instructions.
18. Click the View Setup Instructions button; a new browser window will open.
a. Save the values for Identity Provider Single Sign-On URL and the IDP metadata.
b. Download the XML file to open it in a text reader such as Notepad (PC) or TextEdit (Mac).
19. Go to the Listrak application to complete the Listrak Platform setup.
Ping Identity Platform Setup
Follow the steps below if you are using the Ping Identity platform:
Log into the Ping Identity platform and navigate to Connections > Applications.
Click + Add Application.
Click Web App
Choose connection type - SAML.
Click Configure.
Create the application profile by entering the following information:
Enter Application Name: Listrak (exact name)
Enter Description (optional): A brief characterization of the application.
Icon (optional): You can download an icon for use here.
Click Next
Enter the following Metadata to configure your application:
ACS URLs | https://user-auth-api.listrak.com/api/SSOAuthentication/Authenticate?domain=[yourdomain] |
Signing Certificate | Select Sign Assertion. Select the signing algorithm: RSA_SHA256 |
Encryption | Do not select |
Entity ID | Listrak |
SLO Endpoint | Leave blank |
SLO Response Endpoint (optional) | Leave blank |
SLO Binding | HTTP post |
Assertion Validity Duration | 60 seconds |
Target Application URL | Leave blank |
Enforce Signed Authn Request | Leave blank |
Verification Certificate | None |
7. Click Save and Continue.
8. Click + Add Attribute to complete the Attributes Mappings to correctly link your Ping users with a Listrak user profile.
9. Enter the following attribute pairs:
PingOne User Attribute | Application Attribute | Required |
Username | saml_subject | Check |
Email Address | | Check |
Given Name | first | Check |
Family Name | last | Check |
a. When finished, click Save and Close.
10. To apply any Policies or Access settings pertinent to your organization:
Click the Edit pencil icon.
11. To enable the Application: Turn the toggle switch on (Green) from the Applications list.
12. Click on the Configuration tab to download the Metadata file and to copy the INITIATE SINGLE SIGN-ON URL.
13. Go to the Listrak application to paste in the following:
Listrak Field | Value |
Domain | Your users' email logon domain |
IdP Logon URL | Initiate Single Sign-On URL from Ping Identity |
Allowed Audience | |
Sign Request Algorithm | RSA-SHA-256 |
IdP Metadata (XML) | XML from the downloaded Metadata file from Ping Identity |
14. Click Commit Changes to complete the setup.
Azure Platform Setup
Log into the Azure Active Directory Admin Center.
Select Enterprise applications from the left sidebar.
In the All applications menu that opens, select your specific application.
If necessary, click New Application > Create your own application.
Give the new application a name and leave the default settings.
Click Single Sign-on in the sidebar, then select the SAML option and click Edit to configure the properties.
Field | Value | Notes |
Identity (Entity ID) | Any value | This will prepopulate in Azure or can be changed, if desired |
Reply URL | https://user-auth-api.listrak.com/api/SSOAuthentication/Authenticate?domain=[yourdomain] | Your domain is the company email domain, e.g., listrak.com |
Sign on URL | IdP Login URL provided by Azure | |
Relay State | | Optional value |
Logout URL | | Optional value |
6. Select the User Attributes & Claims option and click Edit to configure the properties.
⚠️ The namespace should be left empty for all values
Name | Source Attribute |
emailaddress | user.mail |
lastname | user.surname |
firstname | user.givenname |
7. After adding the information above, download the Certificate (Raw) and Federation Metadata XML files.
8. Copy the Login URL provided.
9. Go to the Listrak application to complete the Listrak Platform setup.
Additional Provider Setup
You can also set up SSO with additional providers, if desired. Listrak's SSO can be set up with any SAML provider.
When setting up SSO with these providers, you must include the following claims.
Claim | Value (select one) | Notes |
Email Address | emailaddress, email_address | Must match the domain in Listrak's SSO settings |
First name | first, firstname, first_name | Maximum character count: 25 |
Last name | last, lastname, last_name | Maximum character count: 25 |
Unique User Identifier | Any unique value e.g. employee ID value | Maximum character count: 32 |
⚠️ Some providers automatically create IDs, but if no ID is used, a new user is created each time a contact logs into Listrak.
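The claim requirements in the table above can be checked before a provider goes live. The following is an added example, not Listrak's own code. It assumes claim names are matched exactly as listed and that the unique identifier is passed separately (for instance, taken from the SAML subject); the function names and sample values are constructed for illustration.

```python
# Accepted claim names and length limits, taken from the table above.
ALIASES = {
    "email": ("emailaddress", "email_address"),
    "first": ("first", "firstname", "first_name"),
    "last": ("last", "lastname", "last_name"),
}
MAX_LEN = {"first": 25, "last": 25, "unique_id": 32}


def pick(claims, field):
    """Return the value of the first accepted claim name present, else None."""
    for name in ALIASES[field]:
        if claims.get(name):
            return claims[name]
    return None


def check_claims(claims, unique_id, sso_domain):
    """Return a list of problems; an empty list means the claims fit the table."""
    problems = []
    email = pick(claims, "email")
    if email is None:
        problems.append("missing email claim")
    elif email.rsplit("@", 1)[-1].lower() != sso_domain.lower():
        problems.append("email domain does not match SSO domain")
    for field in ("first", "last"):
        value = pick(claims, field)
        if value is None:
            problems.append(f"missing {field} name claim")
        elif len(value) > MAX_LEN[field]:
            problems.append(f"{field} name longer than {MAX_LEN[field]} characters")
    if not unique_id:
        problems.append("no unique identifier: a new user is created on every login")
    elif len(unique_id) > MAX_LEN["unique_id"]:
        problems.append("unique identifier longer than 32 characters")
    return problems


# Constructed sample claims (assumption: what an IdP test assertion might carry).
SAMPLE_CLAIMS = {"emailaddress": "pat@example.com", "first": "Pat", "last_name": "Lee"}
SAMPLE_RESULT = check_claims(SAMPLE_CLAIMS, "E-1001", "example.com")
```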
Step 3: Listrak Platform Setup
As the account owner, begin by logging into the Listrak platform using the standard log-in process and navigate to Account > Account Settings.
In the Logon Settings section:
Click the Enable Single Sign-On checkbox to turn SSO on.
Enter the following information:
Domain name: Enter the domain name used in your users' login email addresses in box #2.
IdP Logon URL: A URL provided by your IdP that should be entered in box #3.
Allowed Audience: (should be entered in box #4 based on the type of integration)
For Okta or Ping configurations: Listrak (exact value)
For Azure configurations: Identity (Entity ID) value
Sign Request Algorithm: Enter RSA-SHA-256 (exact value) in box #5.
IdP Metadata (XML): This file is generated during your IdP setup. Copy and paste the entire file into box #6.
Click Commit Changes to complete the setup.
⚠️ An alert will display if any of the values are invalid when Commit Changes is clicked.
Listrak Logo Download instructions
Click the image to open in another tab.
Right click on the image.
▪️ Select Save Image As...
▪️ Save the image to your desktop to access it during Okta setup.