This feature is only available on the Mentorloop Enterprise plan
Prerequisite: Contact customer success to get started
If you haven't yet discussed SSO with us, let your customer success manager (CSM) know you'd like to enable it. Your CSM can get the process started to enable SSO via SAML for your mentoring program. Once you're ready to go, we will send you an email with the details you need to complete the steps below.
Step 1: Add the Mentorloop Application
Navigate to the Applications page in the Okta administration panel.
Click Add Application at the top of the page.
Click Create New App at the top of the left sidebar.
This will open the Create a New Application Integration popup.
In the pop-up, configure the app as below. For Platform select Web and for Sign-on method select SAML 2.0.
Click Create to continue.
Configure the general settings for the application. This is the name and logo that your participants will see in their Okta dashboards. We recommend using the app name Mentorloop and using this Mentorloop logo (right-click to save to your desktop):
Click Next to continue.
Step 2: Configure SAML SSO
Configure the SAML Settings as per the configuration document you have been provided by our team. Click Next to continue.
☝️ We provide this configuration document to you or your IT team when we begin the SSO setup process. Reach out to your Mentorloop customer success team member if you would like to set up SSO for your program.
- Single sign-on URL - Provided to you by Mentorloop
- Audience URI - Provided to you by Mentorloop
- Name ID format - Persistent
- Application username - Email
- Assertion encryption - Encrypted
- Encryption algorithm - AES256-CBC
- Key transport algorithm - RSA-OAEP
- Encryption certificate - Provided to you by Mentorloop
- Attribute statements - None
- Group attribute statements - None
If you are asked for any other settings, use the default values within Okta. Reach out to us if a required property does not have a default value.
Fill in the Feedback form. This information is sent directly to Okta and does not affect the integration. We recommend using the values provided below. Click Finish to continue.
Let us know if you would like to map additional claims to your participant profile fields.
You are now able to assign participants or groups to the newly created application. Please refer to the Okta documentation for information on provisioning participants for applications.
Please ensure that all eligible users are granted permission to this SAML application to avoid barriers to joining the mentoring program.
Step 3: Setting up SCIM
Obtain your SCIM endpoint and token
Contact Mentorloop to enable SCIM for your account.
If you are not setting up automatic deprovisioning with SCIM, skip to Step 4.
You will receive:
- SCIM Base URL: https://{mentorloop domain}/scim/saml/{provider name}
- SCIM Bearer Token: A unique authentication token
Configure SCIM
- After you create your integration, click the General tab.
- In the App Settings section, click Edit.
- In the Provisioning field, select SCIM, and then click Save.
- Click the Provisioning tab. The SCIM connection settings appear under Settings > Integration.
- In Settings > Integration, click Edit.
- Specify the SCIM connector base URL and the field name of the unique identifier for your users on your SCIM server.
  - SCIM connector base URL: Your SCIM Base URL
- Under Supported provisioning actions, choose the provisioning actions supported by your SCIM server:
  - Push Profile Updates: This option populates the Settings > To App page, and contains settings for all profile information that flows from Okta into your SCIM app. See Profile Push.
- Use the Authentication Mode dropdown menu to choose which mode you want Okta to use to connect to your SCIM app:
  - HTTP Header: The SCIM Bearer Token provided by Mentorloop
Verifying deprovisioning works
To verify that deprovisioning is working correctly:
- In Okta:
  - Deactivate a test user in Okta or remove their assignment to the Mentorloop application
  - Check the System Log in Okta to confirm the deprovisioning event
- In Mentorloop:
  - Verify the user can no longer log in by attempting to log in as that user.
  - As a Program Coordinator (PC) or an Org Admin, confirm the user has been removed from your programs.
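The same verification can be made against the SCIM endpoint itself. The script below is an added example, not Mentorloop's or Okta's code: it assumes the Mentorloop SCIM endpoint answers the standard SCIM 2.0 `/Users` filter query (RFC 7644), and the function names, host name, token and e-mail address are placeholders chosen for illustration.

```python
import json
import urllib.parse
import urllib.request


def build_user_lookup(base_url, token, email):
    """Build (without sending) the SCIM 2.0 query for one user by userName."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("refusing non-HTTPS SCIM URL: the bearer token would travel in clear")
    # RFC 7644 filter values are JSON strings, so json.dumps does the quoting/escaping.
    query = urllib.parse.urlencode(
        {"filter": f"userName eq {json.dumps(email)}"}, quote_via=urllib.parse.quote
    )
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/Users?{query}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    )


def deprovision_status(list_response, email):
    """Classify a SCIM ListResponse as 'removed', 'deactivated' or 'still-active'."""
    matches = [
        r for r in list_response.get("Resources", [])
        if str(r.get("userName", "")).lower() == email.lower()
    ]
    if not matches:
        return "removed"
    # A record without an "active" attribute counts as active, so the check fails closed.
    if any(r.get("active", True) for r in matches):
        return "still-active"
    return "deactivated"


def check_user(base_url, token, email):
    """Live check: send the lookup and classify the answer (needs network access)."""
    request = build_user_lookup(base_url, token, email)
    with urllib.request.urlopen(request, timeout=10) as response:
        return deprovision_status(json.load(response), email)


# Constructed sample response for a user who was deactivated through SCIM.
SAMPLE_DEACTIVATED = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"id": "placeholder-id", "userName": "test.user@example.com", "active": False}],
}

if __name__ == "__main__":
    print(deprovision_status(SAMPLE_DEACTIVATED, "test.user@example.com"))
```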
Troubleshooting
Common issues and solutions
| Issue | Possible solutions |
| --- | --- |
| Failed connection test | Verify SCIM URL and token are correct; ensure your network allows communication to Mentorloop's SCIM endpoint; contact Mentorloop support |
| Users not being deprovisioned | Check that deprovisioning is enabled in your IdP settings; verify user mappings are correctly configured; check logs in your IdP for errors |
| Error during provisioning sync | Review provisioning logs in your IdP; ensure all required attributes are properly mapped; contact Mentorloop support with error details |
Provisioning logs
Okta provides detailed logs for provisioning events:
- Navigate to Reports > System Log and filter for your Mentorloop SAML application
Need help?
If you encounter any issues while setting up SCIM deprovisioning, please contact Mentorloop support with:
- Screenshots of your configuration
- Any error messages you're receiving
- Details about the specific problem you're experiencing
Step 4: Provide Mentorloop with the generated metadata URL
If you are not automatically redirected, navigate to the Application Sign-On settings.
You should see a notice that SAML 2.0 is not configured until you complete the setup instructions. At the bottom of this notice is a link to Identity Provider metadata.
Copy the URL of this metadata file and share it with the Mentorloop team so we can complete the integration from our end.