Configuring SSO for Okta OIDC


What is OpenID Connect (OIDC)?
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. Based on the authentication carried out by an Authorization Server, it enables clients to obtain basic profile information about the End-User in an interoperable, REST-like manner. The OIDC configuration in Summit covers the Client ID, Redirect URL, ACS URL, Logo, two-factor authentication (mail and OTP) and actions.
In the Summit portal, the Admin can configure SSO for OIDC from the Okta SSO configuration page and enable the OIDC capability for logging into different applications. It enables seamless login into several web applications and secures the online identity of businesses and customers.

Benefits

  • Lowers the potential for password security breaches.
  • Speeds up sign-up procedures.
  • Grants greater control on online identity.
  • Sets a single primary account to sign into various websites.


Configuration in SymphonyAI Summit Application

Before performing the SSO configuration, the Admin must add a value named email under the Master Type OAuthResponseKey and map it as the Response Attribute.

Figure:  Configuring the Master Type OAuthResponseKey under Common Master - Response Attribute

To configure the OAuthResponseKey Common Master value, perform the following steps:

  1. Select Admin > Basic > Infrastructure > Common Masters > Common Master Configuration.
  2. On the COMMON MASTERS page, click ADD NEW on the ACTIONS panel.
  3. Select the Master Type as OAuthResponseKey from the drop-down list and enter the Value as email in the text field. The value must be entered exactly as email: all lowercase and singular.
  4. Type in the Sort Order. Select the Active check box to make it an active master value.
  5. Click SUBMIT. A new Common Master value is configured for OAuthResponseKey.


Figure:  Common master - OAuthResponseKey

Field Description

The following table describes the fields on the COMMON MASTER TYPES page:

Field

Description

Master Value

Type in the Master Value that you want to see while configuring common masters on the COMMON MASTERS page.

Parent

Select the required parent from the drop-down list.

Specific to Domain?

If selected, the master value becomes domain specific.

Active

If selected, the configuration becomes active.


For more information about Common Master configuration, see Configuring Common Master Types.


Prerequisites to be performed in the Okta Portal

  1. Sign up for an Okta developer account at https://www.okta.com/developer/signup/.

    Figure:  Sign up

  2. Click Get Started. Your login URL is displayed; log in to Okta using this URL. You will receive a confirmation mail; set your password by clicking the link in that mail.


    Figure:  Okta URL

  3. Specify your User Name and Password and click Sign In.

    Figure:  Okta Login page

  4. On the top menu, select Security > API.

    Figure:  Security Menu

  5. On the API page, click Authorization Servers.

    Figure:  API Page

  6. On the Add Authorization Server pop-up page, specify the Name, Audience, and Description.
    For more information about these fields, see https://developer.okta.com/authentication-guide/implementing-authentication/set-up-authz-server.html.

    Figure:  Add Authorization URL Pop-up page

  7. Under the Settings section, the Issuer field is displayed. Store this URL securely.

    Figure: Settings section

    Note

    The Issuer URL displayed here should be entered in the Authorization URL, Access Token URL, and User Info URL fields of SymphonyAI Summit application.

  8. Select Access Policies and click Add Policy. The Add Policy pop-up page is displayed.

    Figure:  Add Policies pop-up page

  9. On the Add Policy pop-up page, specify the Name and Description and click Create Policy.

    Figure:  Add Policy page

  10. On the Add New Access Policy page, click Add Rule.

    Figure:  Add New Access Policy Page

  11. On the Add Rule pop-up page, specify the Rule Name and click Create Rule.

    Figure:  Add Rule Pop-up page

  12. On the top menu, hover your mouse over Applications and select Applications.

    Figure:  Applications

  13. On the Applications page, click Add Application and then click Create New App.

    Figure:  Add Application

  14. On the Create New Application pop-up page, select the Platform as Web and the Sign On Method as OpenID Connect.

    Figure:  Create New App page

  15. On the Create OpenID page, specify the Application Name and the Redirect URL.

    Figure:  Create OpenID page

    Note

    The Redirect URL specified here should be entered in the Redirect URL field of the SymphonyAI Summit application.

  16. On the General Settings page, click Edit and select all the available options under Allowed grant types. The Client ID and Client Secret are displayed under the Client Credentials section. Store them securely.

    Figure:  General Settings page

    Note

    The Client ID and Client Secret displayed here should be entered in the Client Id and Client Secret Key fields of the SymphonyAI Summit application. The Summit configuration itself uses only the Authorization Code grant (see the Grant Type field under Field Description), so that grant type is the one that must be enabled.

  17. You can add multiple People or Groups to the application under the Assignments section.

    Figure:  Add Assignment page


Configuring SSO for Okta OIDC

To Configure SSO for Okta OIDC from the SymphonyAI Summit application, perform the following steps:

  1. Select Admin > Basic > Infrastructure > SSO Configuration. The SSO CONFIGURATION page is displayed.
  2. On the SSO CONFIGURATION page, select OAuth under the Authentication Type and click ADD NEW on the ACTIONS Panel.


     Figure:  SSO Configuration: OIDC_Okta

  3. Specify the required details and click SUBMIT. For more details about the fields on the SSO CONFIGURATION page, see Field Description.

Field Description 

The following table describes the fields on the SSO CONFIGURATION page:

Fields

Description

Domain

Select the domain name from the list. The Okta OIDC authentication will be configured for the selected domain.
Note: This field is not visible for single-domain users.

URL

Specify the Mobile Web Service URL. Example: https://baseurl/mobilews

Grant Type

Select the Grant Type as Authorization Code from the drop-down list.

Authorization URL

Specify the Authorization URL in the form urlfromoktaportal/v1/authorize, where urlfromoktaportal is the Issuer URL noted from the Okta portal.

Access Token URL

Specify the Access Token URL in the form urlfromoktaportal/v1/token, where urlfromoktaportal is the Issuer URL noted from the Okta portal.

Client ID

Specify the Client ID. This is the Application ID from the Okta portal. Refer to the Prerequisites section for more information about this field.

Client Secret Key

Specify the Client's Secret Key. This is the Password generated from the Okta portal.

User Information URL

Specify the User Information URL in the form urlfromoktaportal/userinfo, where urlfromoktaportal is the Issuer URL noted from the Okta portal.

Redirect URL

Specify the Redirect URL. This is the same URL you specified in the Redirect URL field of the Okta portal. Example: https://baseurl/SUMMIT_SAMLResponse.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the scope as openid profile email (space separated, all lowercase).

Figure:  OIDC configuration screen

Response Attribute

Specify the Response Attribute as email.

User Creation

If selected, a user who does not exist in the SymphonyAI Summit database is created automatically when that user logs in to the Summit application using the OIDC_Okta authentication method.

Time Zone

Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user.
Note: This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.
Note: This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and the height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, and .bmp.
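The following script is an added example, not code from SymphonyAI Summit or Okta. It shows how the values from the SSO CONFIGURATION page (Issuer-derived Authorization, Access Token and User Information URLs, Client ID and Client Secret Key, Redirect URL, Scope) and the OAuthResponseKey master value email are used in an Authorization Code login: building the authorize request, checking the callback on the registered Redirect URL, shaping the token request, and reading the Response Attribute from the userinfo response. The Issuer URL, client credentials, authorization code and userinfo payload are constructed placeholders, and no network calls are made, so it runs offline.

```python
"""Added example (not SymphonyAI Summit or Okta code): how the SSO CONFIGURATION
values and the OAuthResponseKey master value are used in an OIDC Authorization
Code login. All network traffic is replaced by constructed sample messages."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values an admin copies from the Okta portal; these are constructed placeholders.
ISSUER_URL = "https://example.okta.com/oauth2/default"      # assumed Issuer value
CLIENT_ID = "CLIENT_ID_FROM_OKTA_PORTAL"                    # placeholder
CLIENT_SECRET = "CLIENT_SECRET_FROM_OKTA_PORTAL"            # placeholder
REDIRECT_URL = "https://baseurl/SUMMIT_SAMLResponse.aspx"   # Redirect URL as on this page
SCOPE = "openid profile email"                              # Scope as on this page
RESPONSE_ATTRIBUTE = "email"                                # OAuthResponseKey master value


def validate_scope(scope: str) -> bool:
    """Scope rule from the page: single-space separated, all lowercase, and
    'openid' present (without it the provider treats the request as plain OAuth)."""
    parts = scope.split(" ")
    if "" in parts or scope != scope.lower():
        return False
    return "openid" in parts


def endpoints(issuer: str) -> dict:
    """Derive the three URL fields of the SSO CONFIGURATION page from the Issuer
    URL, using the relative paths given on the page."""
    base = issuer.rstrip("/")
    return {
        "authorization_url": f"{base}/v1/authorize",
        "access_token_url": f"{base}/v1/token",
        "user_info_url": f"{base}/userinfo",
    }


def build_authorize_url(issuer: str, client_id: str, redirect_url: str,
                        scope: str, state: str) -> str:
    """Step 1: the URL the browser is sent to. `state` is a per-login random value
    that the callback handler checks to tie the response to this request."""
    if not validate_scope(scope):
        raise ValueError("scope must be lowercase, space separated and contain openid")
    query = {
        "client_id": client_id,
        "response_type": "code",   # Authorization Code grant, as selected on the page
        "scope": scope,
        "redirect_uri": redirect_url,
        "state": state,
    }
    return endpoints(issuer)["authorization_url"] + "?" + urlencode(query)


def parse_callback(callback_url: str, expected_redirect: str, expected_state: str) -> str:
    """Step 2: Okta redirects back to the registered Redirect URL with ?code=&state=.
    Reject a callback on any other URL, with a foreign state, or carrying an error."""
    parsed = urlparse(callback_url)
    landed_on = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if landed_on != expected_redirect:
        raise ValueError("callback did not arrive on the registered Redirect URL")
    params = parse_qs(parsed.query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in params:
        raise ValueError(f"provider returned error: {params['error'][0]}")
    return params["code"][0]


def token_request(issuer: str, client_id: str, client_secret: str,
                  code: str, redirect_url: str) -> tuple:
    """Step 3: the form body POSTed to the Access Token URL. The Client Secret Key
    travels only in this server-to-server request, never in a browser URL."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_url,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return endpoints(issuer)["access_token_url"], body


def resolve_user(userinfo: dict, response_attribute: str) -> str:
    """Step 4: read the claim named by the Response Attribute (the OAuthResponseKey
    value 'email') from the User Information URL response; this is the value the
    application matches against its user database or uses for User Creation."""
    if response_attribute not in userinfo:
        raise KeyError(f"userinfo has no {response_attribute!r} claim; "
                       "check the Scope and Response Attribute settings")
    return userinfo[response_attribute]


def demo() -> dict:
    """Run the four steps with constructed messages and return the key results."""
    state = secrets.token_urlsafe(16)
    login_url = build_authorize_url(ISSUER_URL, CLIENT_ID, REDIRECT_URL, SCOPE, state)
    # Constructed callback, as Okta would send it after the user authenticates.
    callback = f"{REDIRECT_URL}?code=CONSTRUCTED_CODE&state={state}"
    code = parse_callback(callback, REDIRECT_URL, state)
    token_url, _body = token_request(ISSUER_URL, CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URL)
    # Constructed User Information URL response (claims the email scope makes available).
    userinfo = {"sub": "00u-constructed", "name": "Jane Doe",
                "email": "jane.doe@example.com", "email_verified": True}
    return {"login_url": login_url, "token_url": token_url,
            "email": resolve_user(userinfo, RESPONSE_ATTRIBUTE)}


if __name__ == "__main__":
    print(demo())
```

The two checks in parse_callback are the ones worth keeping in mind when the Redirect URL is entered on both sides: the callback must land on exactly the registered URL, and the state must match the value issued for that login, otherwise the authorization code is discarded. A userinfo response without an email claim is reported as a configuration problem (Scope or Response Attribute) rather than silently creating or matching the wrong user.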


For more information on SSO Configuration, see SSO Configuration: OAuth.
Note
The following items must be configured on the customer's side:

  • The OIDC Scope must be configured at the customer's OIDC provider.
  • Ensure that the configured OIDC Scope is specified as openid profile email, with a space separator and all letters lowercase.