Creating a ThinkSmart Manager Organization Using Okta Single Sign-On (SSO)

Overview

Okta is a Single Sign-On (SSO) management service that lets users log in to a variety of systems through one centralized process. The Okta directory holds the tenant's users and apps and is used to perform identity and access management functions for tenant resources.

Okta supports self-service sign-up: a user signs up for a cloud service and an identity is created for them automatically in Okta based on their email domain. The user does not log in to the destination itself (site, application, and so on), because the login flow is handled by Okta.

Users can log in to Okta through email, Gmail, and GitHub.
There are two subscription plans for Okta users:

  • Starter (free, up to 15000 users, all essential features included)
  • Advanced

For more information, visit Okta Developer (https://developer.okta.com/login/).


Creating a ThinkSmart Manager Organization With Okta

Preparing Okta

  1. Log in to Okta (https://okta.com/login).
  2. Go to Applications and click Create App Integration (or Create a new App, if there is already an app in the list).
    [Screenshot: Okta Applications page]
  3. Select the SAML 2.0 sign-on method and create the application.
    [Screenshot: Okta Create App]
  4. On the General Settings step, name the application.
    [Screenshot: Okta Create SAML, General Settings]
  5. On the Configure SAML step, enter the Attribute Statements as shown in the image below. Leave the temporary Single sign-on URL and Audience URI values as they are; they are changed later.
    [Screenshot: SAML Settings]
  6. Complete the application creation flow.
  7. In the SAML Signing Certificates section, select View IdP metadata from the Actions drop-down. The IdP metadata opens in a separate browser tab.
    [Screenshot: SAML Signing Certificates]
  8. Save the page to your computer. This file is the IdP configuration file required for creating the Lenovo organization.
    [Screenshot: IdP Configuration File]

Creating Organization

  1. Go to the ThinkSmart Manager portal (https://portal.thinksmart.lenovo.com).
    [Screenshot: ThinkSmart Manager portal]

  2. Click Create an Organization and sign in with your Lenovo ID.
    Enter the Organization ID.

    Make sure the organization domain exactly matches the email domain of the admin. All users who will log in to the Okta organization must follow this rule. (Example: the Org ID should be lenovo for an org admin email of email@lenovo.com.)

    Click OKTA.
    [Screenshot: Organization ID, OKTA]
  3. Enter the organization information, address, and primary contact.
    Enter the OKTA settings:
    Organization Admin Username

    This is the first user of the organization.
    The email domain must match the Organization ID entered in the previous step.

    [Screenshot: Create Organization]

  4. Upload the IdP configuration file that you downloaded from Okta (https://okta.com/login). (Scroll down to see the rest of the organization registration fields.)
    [Screenshot: Create Organization]

  5. Enter the profile information.
  6. Complete the organization creation.
  7. Now update the Single sign-on URL and Audience URI fields in the SAML Settings section of the Okta application. Take the organization's authentication link, set it in both fields, and save the changes.
    This authentication link is made up of the EU region and the org name:
    https://auth.euwe1.uds.lenovo.com/auth/realms/<org_name>/broker/<org_name>/endpoint
    Replace <org_name> with the Organization ID entered in step 2.

    [Screenshot: URL]
    [Screenshot: App Settings]
    [Screenshot: Okta Edit SAML, Save changes]
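The following is an added example, not Lenovo's or Okta's code, of pre-flight checks for steps 2, 7 and 8 above: it derives the organization endpoint from the URL format quoted in step 7, checks the admin email domain rule from step 2 (read from that step's example as "org ID equals the first label of the email domain", which is an assumption), and inspects the downloaded IdP metadata for the pieces the portal relies on (an entityID, an HTTP-POST single sign-on endpoint served over https, and a signing certificate). The metadata sample is constructed for this example and all function names are the example's own.

```python
"""Pre-flight checks for an Okta -> ThinkSmart Manager SSO setup (added example).

Not Lenovo's or Okta's code. Assumes the file saved in step 8 is standard
SAML 2.0 IdP metadata XML and that the organization endpoint follows the
URL format quoted in step 7. All names below are this example's own.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of what Okta's "View IdP metadata" page
# serves; the certificate body is a placeholder, not a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000EXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.okta.com/app/exk0000000000000EXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.okta.com/app/exk0000000000000EXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def org_endpoint(org_name: str) -> str:
    """Build the value for both Single sign-on URL and Audience URI (step 7)."""
    # Assumption: an Organization ID is a plain alphanumeric label, as in "lenovo".
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9-]*", org_name):
        raise ValueError(f"unexpected organization ID: {org_name!r}")
    return (f"https://auth.euwe1.uds.lenovo.com/auth/realms/{org_name}"
            f"/broker/{org_name}/endpoint")


def admin_domain_matches(org_id: str, admin_email: str) -> bool:
    """Step 2 rule, read from its example: org ID 'lenovo' for email@lenovo.com.

    Assumption: the org ID is compared with the first label of the email domain.
    """
    _, at, domain = admin_email.rpartition("@")
    if not at or not domain:
        return False
    return domain.split(".")[0].lower() == org_id.lower()


def inspect_idp_metadata(xml_text: str) -> dict:
    """Pull out what the portal needs from the IdP metadata and list problems."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return {"problems": ["root element is not md:EntityDescriptor (wrong file?)"]}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata or something else entirely: the portal cannot trust it.
        return {"entity_id": root.get("entityID"),
                "problems": ["no IDPSSODescriptor: this is not IdP metadata"]}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if c.text and c.text.strip():
                    certs.append(c.text.strip())
    if not certs:
        problems.append("no signing certificate: assertions could not be verified")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    post_url = sso.get(HTTP_POST)
    if post_url is None:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for binding, url in sso.items():
        if not (url or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {url}")
    return {"entity_id": root.get("entityID"), "sso_post_url": post_url,
            "signing_certs": len(certs), "problems": problems}


if __name__ == "__main__":
    org = "lenovo"  # constructed value, matching the article's example
    print("Endpoint for both SAML fields:", org_endpoint(org))
    print("Admin domain OK:", admin_domain_matches(org, "email@lenovo.com"))
    print("IdP metadata:", inspect_idp_metadata(SAMPLE_IDP_METADATA))
```

To check the real file from step 8, call `inspect_idp_metadata(open(path).read())` and upload it only when `problems` is empty; an empty `problems` list on the constructed sample is what the script reports by default.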

Okta Users Invite and Assign


Users can be invited to the directory on the People page. When a user is invited, they set their password by following the instructions sent to them by email.
[Screenshot: Okta People page]

To assign the user to the application, go to Applications > Assignments.

[Screenshot: Okta Assignments]


User Login Process


To log in as an Organization Administrator, the user must meet these conditions:

  • The email domain matches the ThinkSmart Manager portal organization domain.
  • The user has been created in the Users section of the ThinkSmart Manager portal, invited to Okta, and assigned to the application.

If these conditions are met, the user is logged in to the ThinkSmart Manager portal with the selected Administrator role after Okta authentication.
To log in, open the organization's portal link; you are redirected to the Okta login page. Once the user enters valid Okta credentials, they are logged in and redirected to the ThinkSmart Manager portal.


Base User Creation


If the user was not created on the ThinkSmart Manager portal but was invited to Okta, they can log in as a Base User, which is created automatically during login.

A Base User has limited functionality; a user role can be assigned on the portal's Users page by any other organization admin.

