1. Help Center
  2. Integrations
  3. Security and sign-on integrations

Okta SAML integration

The following steps walk through the process of integrating Okta with Marq. You will need admin privileges in both Okta and Marq to complete this integration.

Step 1: Configure settings in Marq
1) Log in to Marq. Remember: you will need to have admin permissions. Click “Team” on the left. Then, select “Identity Management”.

2) Check the box next to “Allow SAML authentication”. You can choose to unselect the other sign-on options if Okta is the only way your users will sign in to Marq. Then, click “Save Changes”.

3) On the same page, click "Configure" to navigate to your SAML Activation page in Marq.

4) Under "Marq Sign-in URL," enter your Domain name. For the most part, this can be named anything of your choice. The example below shows “test”. Click "Save Changes."
Step 2: Configure SAML for Marq in Okta
To configure SAML or SCIM with Okta for your Marq account, you must first add an application to your Okta instance. To do so, go to the Admin section of your Okta account and click “Add Application." Below the search bar is an option to “Create New App”.

1) Change the sign-on method to SAML 2.0. Click “Create”.
2) Name your app “Marq”. You can upload a logo if you would like. Click “Next”.
3) For the single sign on URL, paste: https://app.marq.com/saml/sso/[YOUR_DOMAIN]. Replace [YOUR_DOMAIN] with what you entered in Marq from step 1. Also, paste this same URL in the “Audience URI (SP Entity ID)” field. Change the Application username to “Email”. No other settings need to be changed. Click “Next”.
4) Select the option “I’m an Okta customer…”. Then, click “This is an internal app that we have created”. Click “Finish”. 
5) Under the yellow SAML 2.0 notice, click the “Identity Provider metadata” link. 
6) A new window will open with your metadata. Right-click on the page, then select “Save As”. Choose where you would like to save your metadata and click “Save”. We will use this file in Step 3. 
7) Note: for the app to fully function with Marq, you will need to assign users to the app you created. Click the “Assignments” tab to assign users. You might consider assigning yourself to test that the SAML app is working.
Step 3: Return to Marq
1) Return to Marq. If you are not already, go to the “Team” tab, then click “App Integration > SAML”.

2) Under “Identity Providers”, upload the metadata file you saved. It will look like this when loaded:

3) If you assigned the Okta app to your username, you can click “Test SAML Connection”. You’ll get this message if the app was created successfully: 

Pulling roles and attributes

This documentation will explain how to create a custom app in Okta that will allow your company to pull admin roles from Okta and have them display and function in Marq.

Make sure to lay out the connections between the roles you have in your company, and the roles available in Marq. 

Enabling SCIM

  1. Log in to Account Owner’s Marq account
  2. Enable automatic team upgrades
    1. Select the “Team” tab
    2. Select the “Licensing” tile
    3. Under “Marq License Settings”, scroll down to “When no more licenses are available…” and enable the checkbox
    4. Save your changes
  1. Ensure SCIM has been enabled for your account.
  2. Generate a SCIM bearer token
    1. Navigate to the “Team” tab again
    2. Select the “App Integration” tile
    1. Select the “SCIM” tile
    2. Select the “Generate token” button
      • Remember, the person generating the token must be either an Account Owner or have Team AND Billing Admin privileges.
    1. Take note of the Marq Base URL and the Bearer Token
      • You will need to copy and paste these

Creating Okta SCIM App

  1. Log in to your Developer Okta account
  2. Select Applications
  3. Add Application
  4. Select “Okta Applications” from the menu
  5. Select “SCIM 2.0 Test App (OAuth Bearer Token)
  6. Add the Marq app
  7. Name the application and then select “Done”
  8. Select the “Provisioning” tab and select “Configure API Integration” button
  9. Check the box for “Enable API Integration”
  10. Copy and paste the Base URL and Bearer Token from Marq into the appropriate boxes. (Refer to “Enabling SCIM section, Step 4.e). Then save your changes
Configuring Okta SCIM App Settings
  1. In the app settings, select the “Edit” button
  2. Enable “Create Users”, ”Update User Attributes”, and “Deactivate Users” settings. Save your changes.
  3. Scroll down to the bottom of the list and select the “Edit Attributes” button under the section “Profile Attributes & Mappings”
  4. Begin adding attributes
Adding Attributes -- Licensing
Adding this attribute will dictate if the user receives a license in Marq. If it is not enabled for a user, they will be a view-only user and cannot edit any projects in Marq.
  1. Have the attribute match the following information:
    • Data type: boolean
    • Display name: canEdit
    • Variable name: canEdit
    • External name: canEdit
    • External namespace: urn:ietf:params:scim:schemas:extension:marq:1.0:User
  2. Select “Save” button


Adding Attributes -- Print Vendor IDs

If you are connected to Xpressdocs, each user will need an OfficeID and a UserID. Follow the instructions below to pass these IDs via SCIM. 

  1. Have the attribute match the following information:
    • External namespace: urn:ietf:params:scim:schemas:extension:lucid:1.0:User
    • officeIdAtPrintVendor: XXXXXXXX 
    • userIdAtPrintVendor: XXXXXXXX (can be the user's email, learn more here)
  2. Select “Save” button

Designating licenses & roles to users

  1. Select “Applications” from the header
  2. Select the app that you created (the screenshot will show “SIR Test”, but yours will be named what you decided in Section “Creating Okta SCIM App”, Step 7)
  3. Select the “Assign” button, and then “Assign to People”
  4. Select a user and click the “Assign” button
  5. Scroll down to the “canEdit” line and select your preferred option from the dropdown menu.
    1. True = Gets a license
    2. False = View-only user
    3. Undefined = Let Marq licensing settings decide (in the admin panel under the licensing tile)
This will dictate which role the user will have in Marq. It will determine if they will be a standard user or an admin. You will be able to select the specific admin privileges available to them as well.
  1. On the same page as above, scroll back up to the “roles” line and begin adding in the roles of users.
    • Available roles:
      1. Standard User
      2. Team Admin
      3. Template Admin
      4. Approval Admin
      5. Print Admin
    • An admin can be assigned multiple roles
  2. Save your changes.

Pulling Groups

This documentation section will go over bringing groups from Okta into Marq.

Building groups
  1. Select “Directory” from the header, and select “Groups”
  2. Click the “Add Group” button
  3. Name your group and select the “Add Group” button
Adding users to groups
  1. Select “Directory” > “People” from the header
  2. Select the user and then “Groups”
  3. Type in the group name in the search bar
  4. And select the “add” button to assign the user to that group
Push Groups to Marq
  1. Go back to your applications
  2. Select the application you created
  3. Select the “Push Groups” option
  4. Click on the “Push Groups” button and select the “Find groups by name” option
  5. Type in the name of the group you created in the search bar, select it. Save. 

Check your work in Marq

Checking Groups
  1. Have an Account Owner or Team Admin login to Marq, select the “Team” tab and then the “Users” tile.
  2. Look to the left-hand side, and you should see the group you created under the Team
Checking Users
  1. Have an Account Owner or Team Admin login to Marq, select the “Team” tab and then the “Users” tile.
  2. Select the group that you created, and check that all the users assigned to the group in Okta are assigned correctly in Marq.