ITAM Auth - Okta

Summary

ITAM Authentication Module - Okta (OIDC)

Body

This module is very similar to other OIDC methods like Azure, Google, AD FS, PingIdentity, and the generic OpenID Connect, but has specific functionality in it to work with Okta.  You will also want to review the general Auth Module document for more information on authentication as a topic.

Okta Settings

Because this authentication is handed off to the provider, it offers full SSO and MFA support per the provider configuration.

Generally speaking, you will want to enable Use Authorization Code Flow. If there is a problem, you can disable this as a test of falling back to another code flow method.

Account Name Style is partially cosmetic but can have a functional impact. It sets how the account is displayed in the upper corner of the Web UI, how it is recorded in logs, and how it appears in the Account list in the platform. This matters for avoiding collisions: if you use Full Name, for example, and two people are named John Smith, we have an issue. But if you use UPN Without Domain and that results in jasmith and jbsmith, there is no issue, because those are unique names for account records.

The Label is arbitrary and will be displayed on the login page. In general, using the name of the service (e.g. Google or Azure) as the label is expected.

The Redirect URL should always be https://[your.keyserver.hostname]/sso

Configuration Steps

  • Log in to your Okta management page
  • From the API menu choose “Tokens”. Click Create Token button, give it a name (doesn’t matter what the name is). The token is displayed for you once and only once. Copy it and paste it somewhere you can get to it later.
  • Open KeyConfigure and go to File -> Manage Scripts. From the “Library at Sassafras” section, drag the “Create Okta Apps” script up to the Server. Click OK. Alternatively, you can use the Web UI under Settings -> Scripts to enable the script. This script automates the creation of the needed configuration in the Okta instance. If you choose not to use this script, you will need a full understanding of Okta and your instance to configure the settings manually yourself. The same is true if you choose to use the SAML module with Okta instead of this custom OIDC module.
  • From the Tasks menu in KeyConfigure choose “Create Okta Apps”, or click the run button for the script in the Web UI. Enter the values as prompted.
    • The App Name can be anything you want, it’s just used in various screens on the Okta UI side.
    • The Service host is the FQDN (preferably) or IP address of your AllSight server Web UI, including the :port suffix if using a non-standard HTTPS port.
    • Okta domain is the official FQDN of your Okta instance, NOT an on-prem vanity DNS name, e.g. myorg.okta.com, NOT login.myorg.edu.
    • API Token is the value that you copied above.
    • Assigned Group can be Everyone (which exists by default), or another group that you created. This is the group of users who are allowed to use Okta for authenticating to your server. Note that if you don't use Everyone, you are adding a layer of complexity for troubleshooting. There are many controls in AllSight for dictating who can actually log in and get certain access levels, independent of the ability to authenticate.
    • Click OK.
  • It may take a minute to run, but once finished you'll get a message that Admin Authentication has been configured for Okta.
  • In KeyConfigure, open Config -> Admin Authentication
    • Set the group/account mapping however you want, based on the groups you have/make in Okta.
    • Note that most sites will set these options to Create account as Needed and then also link the Okta groups to specific Roles in Accounts.
    • Note that Support is more than happy to help navigate the nuances of permissions access rights as this is a deep topic.
    • You may also consider changing the Unknown External Logins to Disallow instead of Community. The latter gives a user "guest" level access which is redundant if you have Guest enabled. Again these nuances are up to the individual site preferences and Support is happy to discuss questions.
    • Click OK.
  • Now go to your KeyReporter in a browser, click the Sign in with Okta button, do whatever Okta wants you to do, and you should then be logged in through Okta.
  • You can also log in via Okta in KeyConfigure. The Okta button should appear in the lower left once you put in the server address and click into the name field (there may be a short delay). You'll get a web popup window to do your normal Okta login.
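The two settings above that most often cause trouble are the Okta domain (it must be the Okta-hosted FQDN, not a vanity name) and the Account Name Style (it decides whether two users can end up with the same account record). The following Python helper is an added example, not part of the article or of Sassafras' own scripts; it checks a proposed configuration and shows which styles produce name collisions for a set of constructed ID-token claims. The accepted Okta domain suffixes and the mapping of styles to the `name` and `preferred_username` claims are assumptions made for this example.

```python
"""Added example (not Sassafras code): sanity-check the Okta OIDC settings
described above and show how Account Name Style affects uniqueness."""
from collections import Counter

# Assumption for this example: Okta-hosted org FQDNs end in one of these.
OKTA_ORG_SUFFIXES = (".okta.com", ".oktapreview.com", ".okta-emea.com")


def is_okta_org_domain(domain: str) -> bool:
    """True if `domain` looks like an Okta-hosted org FQDN (myorg.okta.com),
    not a customer vanity hostname such as login.myorg.edu."""
    d = domain.strip().lower().rstrip(".")
    return any(d.endswith(s) and len(d) > len(s) for s in OKTA_ORG_SUFFIXES)


def redirect_url(service_host: str) -> str:
    """Redirect URL the article specifies: https://<host[:port]>/sso.
    `service_host` is the bare FQDN, plus :port for a non-standard HTTPS port."""
    host = service_host.strip().lower()
    if "://" in host or "/" in host:
        raise ValueError("service host must be a bare FQDN[:port]")
    return f"https://{host}/sso"


def account_name(claims: dict, style: str) -> str:
    """Derive the account name from ID-token claims.
    Claim mapping is an assumption for this example: 'name' for Full Name,
    'preferred_username' (user@domain) for the UPN styles."""
    if style == "Full Name":
        return claims["name"]
    if style == "UPN":
        return claims["preferred_username"]
    if style == "UPN Without Domain":
        return claims["preferred_username"].split("@", 1)[0]
    raise ValueError(f"unknown style {style!r}")


def collisions(users: list[dict], style: str) -> dict[str, int]:
    """Account names that more than one user would map to under `style`."""
    counts = Counter(account_name(u, style) for u in users)
    return {n: c for n, c in counts.items() if c > 1}


# Constructed sample claims: two different John Smiths plus one other user.
SAMPLE_USERS = [
    {"name": "John Smith", "preferred_username": "jasmith@myorg.edu"},
    {"name": "John Smith", "preferred_username": "jbsmith@myorg.edu"},
    {"name": "Jane Doe", "preferred_username": "jdoe@myorg.edu"},
]

if __name__ == "__main__":
    print(is_okta_org_domain("myorg.okta.com"), is_okta_org_domain("login.myorg.edu"))
    print(redirect_url("allsight.myorg.edu:8443"))       # https://allsight.myorg.edu:8443/sso
    print(collisions(SAMPLE_USERS, "Full Name"))           # {'John Smith': 2}
    print(collisions(SAMPLE_USERS, "UPN Without Domain"))  # {}
```

Run it against the real claim values your Okta org issues (the `name` and `preferred_username` attributes in a test user's ID token) before settling on a style; a non-empty result from `collisions` means that style will merge two people into one account record.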

Details

Article ID: 170153
Created
Wed 1/14/26 12:16 AM
Modified
Wed 1/14/26 9:36 PM