Okta Configuration
- Prerequisites
- Creating Okta OIDC Application Client
- Creating API Authorization Server
- Setting up Refresh Token
Prerequisites
The following prerequisites are required to complete the integration:
- Running instance of Okta with users synced or created.
- Integrated user directory such as Active Directory.
Creating Okta OIDC Application Client
Perform the following steps to create an OIDC application client for Okta:
- Log in to the Okta Admin portal. Expand Applications and select Create App Integration. The Create a new app integration page is displayed.
- Select OIDC - OpenID Connect as the Sign-in method and Native Application as the Application type, and click Next to create a new application.
- Select this new application to edit the settings. The New Native App Integration page is displayed.
- Enter the following details:
  - Enter a name in App integration name and a logo if required.
  - Select the Refresh Token check box as Grant type. For the OIDC method, Authorization Code is selected as Grant type by default.
  - Click + Add URI to add the required Redirect URL.
    URL structure: https://<server-host>/redirect
    For example: https://www.idpvserver.com/redirect
    URL structure: https://<server-host>/redirect
    For example: https://www.idpvserver.com/redirect
    Note: This URL is updated as per the IDPV server host name. Both URLs are required in the IDPV server.
  - Select the desired option to assign the Controlled access, and click Save.
- Select the application created above to edit the settings.
  - Under the General tab, Client ID is auto-generated.
  - Select the Client secret check box as Client authentication.
  - If required, click Generate new secret to generate a new client secret, and click Save.
- Under the Assignments tab, click Assign to assign the application to the required Users or Groups.
- Under the Okta API Scopes tab, click Grant/Revoke under the Actions column to select or deselect the required scope.
Creating API Authorization Server
An authorization server is required to get the Access Token with the custom claims in it.
Perform the following steps to create an API authorization server:
- Log in to the Okta Admin console. Expand Security, select API > Add Authorization Server.
- Enter the values for the Name, Audience and Description fields, and click Save.
- Select the added authorization server. The Authorization Server Settings page is displayed.
- Under the Settings tab, the Metadata URI (well-known discovery URL) for the added server is displayed. Click the Metadata URI URL to see the well-known authorization server URLs.
- Under the Scopes tab, click Add scope. Enter the name, select the Default scope check box and click Save. The User consent and Default scope fields are optional.
- Under the Claims tab, add the following claims to the Access Token:
  - preferred_username
    - Select Access Token in the Include in token type field.
    - In the Value field, select the username that identifies the user and group membership for the IDPV server.
    - Select the scope created above in the Include in field, and click Save.
  - Groups
    - Select Access Token in the Include in token type field.
    - Select the scope created above in the Include in field, and click Save.
- Under the Access Policies tab, click Add new Access Policy.
  - Enter a name and assign the policy to the client created initially.
  - Click Update Policy.
  - Click Add Rule.
  - Enter a name and select the Authorization Code check box as a Grant Type.
  - In the User is field, select the applicable check box, if required.
  - In the Scopes requested field, select The following scopes: check box and include the required scopes (idpvserver containing the claims preferred_username and groups, openid, offline_access). The email and profile scopes are optional.
  - Enter the appropriate values in the Access token lifetime is and Refresh token lifetime is fields.
    Note: The value entered here should match the value of RefreshTokenExpirationDuration in idp-configuration.json.
  - Click Update rule.
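Once the authorization server, claims, scopes and access policy rule above are in place, the first thing to confirm is that an issued access token actually carries what the IDPV server expects. The following Python script is an added example, not part of the Okta documentation or the IDPV product: it decodes a constructed sample access token and checks that the preferred_username and groups claims are present, that the audience matches, that the openid, offline_access and idpvserver scopes were granted, that the access token lifetime matches the rule, and that RefreshTokenExpirationDuration in idp-configuration.json equals the refresh token lifetime entered in Okta. The audience value, the lifetimes, the sample issuer and the assumption that RefreshTokenExpirationDuration is an integer number of seconds are all assumptions, not values from the page. The script does not verify the token signature; a real token must be verified against the jwks_uri published at the authorization server's Metadata URI before any claim is trusted.

```python
"""Post-configuration checks for the Okta authorization server steps above.

Added example (not Okta's or IDPV's own code). Decodes a constructed sample
access token WITHOUT signature verification and compares its claims, scopes
and lifetimes against the values configured in the steps above.
"""
import base64
import json

# Values the steps above ask you to configure. Audience, lifetimes and the
# seconds unit for RefreshTokenExpirationDuration are assumptions.
REQUIRED_CLAIMS = ("preferred_username", "groups")
REQUIRED_SCOPES = {"openid", "offline_access", "idpvserver"}
EXPECTED_AUDIENCE = "api://idpvserver"            # assumed Audience entered on the server
ACCESS_TOKEN_LIFETIME_SECONDS = 3600               # assumed "Access token lifetime is" value
REFRESH_TOKEN_LIFETIME_SECONDS = 7 * 24 * 3600     # assumed "Refresh token lifetime is" value


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Return the payload claims of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_access_token_claims(claims: dict) -> list:
    """Return a list of problems; an empty list means the token matches the configuration."""
    problems = []
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"missing claim '{name}' (Claims tab, Include in token type = Access Token)")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        problems.append(f"aud is {claims.get('aud')!r}, expected {EXPECTED_AUDIENCE!r}")
    missing_scopes = REQUIRED_SCOPES - set(claims.get("scp", []))
    if missing_scopes:
        problems.append(f"scopes not granted: {sorted(missing_scopes)} (check the rule's Scopes requested)")
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if lifetime != ACCESS_TOKEN_LIFETIME_SECONDS:
        problems.append(f"access token lifetime is {lifetime}s, rule says {ACCESS_TOKEN_LIFETIME_SECONDS}s")
    return problems


def check_refresh_lifetime(idp_configuration: dict, okta_refresh_lifetime_seconds: int) -> bool:
    """True when RefreshTokenExpirationDuration in idp-configuration.json equals the Okta rule value.

    Assumption: the key holds an integer number of seconds.
    """
    return idp_configuration.get("RefreshTokenExpirationDuration") == okta_refresh_lifetime_seconds


def _make_sample_token(payload: dict) -> str:
    # Constructed sample: real header layout, dummy signature segment, offline use only.
    header = {"alg": "RS256", "kid": "sample-kid", "typ": "JWT"}

    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}.not-a-real-signature"


# Constructed sample resembling a token issued after the configuration above (all values made up).
SAMPLE_GOOD_TOKEN = _make_sample_token({
    "iss": "https://example.okta.com/oauth2/sample-server-id",
    "aud": EXPECTED_AUDIENCE,
    "iat": 1700000000,
    "exp": 1700003600,
    "scp": ["openid", "offline_access", "idpvserver"],
    "preferred_username": "jane.doe@example.com",
    "groups": ["IDPV-Admins", "Everyone"],
})

# Same token with the groups claim and the offline_access scope left out.
SAMPLE_BAD_TOKEN = _make_sample_token({
    "iss": "https://example.okta.com/oauth2/sample-server-id",
    "aud": EXPECTED_AUDIENCE,
    "iat": 1700000000,
    "exp": 1700003600,
    "scp": ["openid", "idpvserver"],
    "preferred_username": "jane.doe@example.com",
})

# Constructed idp-configuration.json content (only the key named on the page).
SAMPLE_IDP_CONFIGURATION = {"RefreshTokenExpirationDuration": REFRESH_TOKEN_LIFETIME_SECONDS}

if __name__ == "__main__":
    for label, token in (("good", SAMPLE_GOOD_TOKEN), ("bad", SAMPLE_BAD_TOKEN)):
        print(label, check_access_token_claims(decode_jwt_unverified(token)) or "OK")
    print("refresh lifetime matches:",
          check_refresh_lifetime(SAMPLE_IDP_CONFIGURATION, REFRESH_TOKEN_LIFETIME_SECONDS))
```

In use, replace the sample token with one obtained through the Authorization Code grant for the client above, and load idp-configuration.json from disk; if the groups claim is missing, the usual cause is the Groups claim not being included in the idpvserver scope, and if offline_access is missing, the Refresh Token grant or the scope was left out of the access policy rule.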