To improve your own security you can add Okta OAuth2 to Mention Me so that your employees can access Mention Me by logging in via Okta. They will no longer need their password and you can manage their authentication from your own Okta console.
Account provisioning and the roles for each account are still managed within Mention Me.
We currently support authentication via Google, Okta, Auth0 and Azure AD. If you would like to use an alternative OAuth source please talk to your Client Account Manager.
The Security and Data page in the Merchant Settings menu item lets you set up Okta OAuth on the Mention Me side.
Feature overview
If desired, Mention Me can perform authentication via Okta OAuth for users that manage their authentication with Okta.
- Clients using Okta can authenticate Mention Me users via Okta accounts.
- Users log in to Mention Me by authenticating with their Okta account.
- When enabled, Mention Me authenticates users only with Okta OAuth (email/password access will cease).
- Users with access to more than one Brand can access the platform via any of the login mechanisms configured for those Brands (either OAuth or email/password).
Note that:
- When enabling Okta OAuth, only accounts whose email address matches the configured domain(s) will be able to authenticate. All other accounts will lose the ability to log in.
Preliminary requirements
Using Okta OAuth requires the following:
- An Okta account for the organization.
- At least one domain controlled by the organization and registered to the Okta account.
- Users with email addresses in the domain associated with the Okta account.
Before you begin these steps, you will need:
- An Okta administrator to perform steps in the Okta admin tools
- Mention Me administrator access to your account
Setup on the Okta side
The steps for enabling Okta OAuth on the Okta side are described below. Okta's own generic description of these steps is in its documentation on setting up OAuth 2.0.
- Go to the Okta Admin console
- Create a new App Integration
- Choose OIDC - OpenID Connect and Web Application.
- Give the App a name (e.g. "Mention Me").
- Decide who will have access and Save with the default options.
- Mention Me requires only the default scopes (name and email), so typically no additional scope configuration is required.
- In the Sign-in redirect URIs field, enter the URL below (it is also referenced in the Mention Me-side steps further down). Replace xxxx with the Merchant Id of your account; speak to your Client Manager to confirm this value.
https://mention-me.com/oauth/client/redirect/xxxx
- Click Save.
- Okta displays your client ID, client secret and Okta domain.
- Copy the client ID, client secret and domain values; you will need them to configure Mention Me below.
NOTE: Mention Me has a Live and a Demo platform. If you want login for your users to work seamlessly across both platforms you'll need to add two separate redirect URIs to Okta.
For demo, add the URL: https://demo.mention-me.com/oauth/client/redirect/xxxx. The ID (xxxx) will be different from the one used for Live.
You can use the same Client ID and Client Secret and Issuer URI.
- To enable logins from the Okta dashboard, so that your users can click a single link and be logged in to Mention Me, use the link below. Replace xxxx with the Merchant Id of your account.
https://mention-me.com/oauth/client/start/xxxx
Setup on the Mention Me side
The steps for enabling Okta OAuth on the Mention Me side are below.
If you also want access to Demo to be controlled by Okta, repeat these steps on the Demo platform.
- From the Mention Me platform, while logged in as an administrator, go to Edit Brand.
- Under the Security group, find the Single Sign On configuration section.
- Choose Okta from the SSO options.
- Enter your Okta Auth Settings:
- Client ID and Client Secret - Copy and paste these values from the Okta General page, as in the Okta setup instructions above.
- Domains - Your organisation's Okta-managed domain name(s). Only users with an email address and account matching these domain(s) can log in to your Mention Me account.
- Issuer URI - A URL containing your Okta domain with the suffix /oauth2, e.g.
https://[domain].okta.com/oauth2
- When you save your changes, they are applied to all users, who will no longer be able to log in via their email/password.
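Two of the settings above are exact-match rules: the Sign-in redirect URIs registered in Okta (one per platform, since Live and Demo have different Merchant Ids) and the Domains list that decides which email addresses may log in. The following is an added example, not Mention Me's or Okta's code, that expresses both rules as small offline functions so they can be checked before rollout. The function names, the merchant ids 1234 and 5678, the subdomain "acme" and the example.com addresses are all constructed for illustration.

```python
"""Added example, not Mention Me's or Okta's code: the two exact-match
rules the setup above depends on, written as small functions that run
offline.  All merchant ids, domains and addresses here are constructed."""
from __future__ import annotations

LIVE_BASE = "https://mention-me.com"
DEMO_BASE = "https://demo.mention-me.com"


def redirect_uris(live_merchant_id: str, demo_merchant_id: str) -> list[str]:
    """Build the exact Sign-in redirect URIs to register in Okta.

    Live and Demo have different Merchant Ids, and an authorization server
    compares redirect URIs as exact strings, so both entries must be
    registered verbatim; registering one does not cover the other.
    """
    for mid in (live_merchant_id, demo_merchant_id):
        if not mid or any(ch in mid for ch in "/?#"):
            raise ValueError(f"merchant id must be a single path segment: {mid!r}")
    return [
        f"{LIVE_BASE}/oauth/client/redirect/{live_merchant_id}",
        f"{DEMO_BASE}/oauth/client/redirect/{demo_merchant_id}",
    ]


def redirect_uri_registered(uri: str, registered: list[str]) -> bool:
    """Exact-string match, as the authorization server applies it: any
    difference in scheme, host, path or a trailing slash is a mismatch."""
    return uri in registered


def issuer_uri(okta_subdomain: str) -> str:
    """Form the Issuer URI the Mention Me settings page expects
    (https://[domain].okta.com/oauth2) from the bare Okta subdomain."""
    sub = okta_subdomain.strip().lower()
    if not sub or "://" in sub or "/" in sub or "." in sub:
        raise ValueError(f"pass only the Okta subdomain, not a URL: {okta_subdomain!r}")
    return f"https://{sub}.okta.com/oauth2"


def email_domain_allowed(email: str, allowed_domains: list[str]) -> bool:
    """Apply the Domains restriction from the setup above: the address's
    domain (everything after the last '@') must exactly equal one of the
    configured Okta-managed domains, compared case-insensitively.

    Exact equality matters: a substring or suffix test would accept
    'example.com.attacker.test' or 'notexample.com' for 'example.com',
    and a subdomain such as 'mail.example.com' is a different domain
    unless it is configured explicitly.
    """
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain:
        return False
    domain = domain.lower().rstrip(".")  # tolerate a trailing dot
    allowed = {d.strip().lower().rstrip(".") for d in allowed_domains}
    allowed.discard("")
    return domain in allowed


if __name__ == "__main__":
    uris = redirect_uris("1234", "5678")  # constructed merchant ids
    for u in uris:
        print("register in Okta:", u)
    print("issuer:", issuer_uri("acme"))  # constructed subdomain
    for addr in ("alice@example.com", "bob@mail.example.com",
                 "eve@example.com.attacker.test", "nobody"):
        print(f"{addr:32} allowed={email_domain_allowed(addr, ['example.com'])}")
```

Run it directly to see the two URIs to paste into Okta, the issuer for a given subdomain, and which sample addresses the domain rule admits. If your users have addresses on more than one domain, list each one explicitly in the Domains setting; the check never widens a configured domain to its subdomains.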
Default Permissions
When a user logs in with Okta, we can automatically grant the following permissions:
- On demo we can automatically grant "Marketing" permissions to all users who log in with Okta.
- On prod we can automatically grant "Customer Service" permissions to all users who log in with Okta.
To enable this functionality, tick the relevant checkbox on the Mention Me Okta setup pages.
An Administrator can change a user's permissions after that user has signed up.
Sample Email for rolling out the change to your users
Hi
- We're switching from using an email/password on the platform to using "Login via Okta".
- This applies across both the live and demo platforms of Mention Me.
- It's better for security and easier to administer accounts internally.
- It's also more convenient for you: one less password to keep track of.
- You'll no longer be able to log in with your email/password; instead, click the "Login via Single Sign On" (or "Login via Okta") link at the bottom of the login form on Mention Me.
- The first time you click this you'll need to enter your [domain] email address so the platform can identify you.
- On the second and subsequent visits you'll just click it and it will log you in.
Disabling Okta Auth once it has been enabled
If you’d like to disable Okta Authentication for your Mention Me platform after it has already been enabled, just bear in mind that:
- Users can return to using email and password login, but users created while SSO was in use will not know or be sent their passwords. They will need to perform a password reset (or you can trigger one via Mention Me) in order to receive a link that lets them set a password.