Skip to main content

Configuring Okta

You can configure user authentication with Okta as your IdP using OpenID Connect (OIDC).

Note

The users defined in Okta are automatically added to the AtScale Identity Broker when they log in for the first time. All users are added to the everyone group, which includes the query_user role. If you need to add users to other groups or assign them additional roles, you must do so from within the Identity Broker. For more information, see Managing Users with the Identity Broker.

Prerequisites

This procedure assumes you already have an application configured for AtScale in Okta, and that it is configured with OIDC. For more information, refer to the Okta documentation.

Additionally, you must be logged in to Design Center as an admin user.

Configure authentication with Okta

To configure authentication using Okta:

  1. In Design Center, in the sidebar, click Security. The Identity Broker opens.

  2. Log in using your AtScale admin username and password.

  3. Select the atscale realm if it is not already selected.

  4. In the sidebar, select Identity providers, then click OpenID Connect v1.0.

  5. On the Add OpenID Connect provider page, complete the following fields:

    • Alias: Enter a name to uniquely identify this IdP.
    • Display name: Enter a display name for the IdP.

  6. In a new browser tab, log in to the Okta Admin Console and do the following:

    1. Open the application you created for AtScale.
    2. On the General tab, under Client Credentials, copy the Client ID. Make a note of this value, as you will need it while configuring your IdP in the Identity Broker.
    3. Under Client Secrets, copy the client secret for your AtScale application. Make a note of this value, as you will need it while configuring your IdP in the Identity Broker.

  7. Go back to the Identity Broker and complete the following fields:

    • Discovery endpoint: Enter the discovery endpoint for your AtScale application in Okta. This should have the following format: https://<okta_instance_url>/oauth2/default/.well-known/openid-configuration?client_id=<okta_client_id>
    • Client ID: Enter the client ID you copied from Okta.
    • Client Secret: Enter the client secret you copied from Okta.

  8. Click Add. Your IdP is added to the Identity Broker.

  9. Click the IdP to open it.

  10. Expand the Advanced section and do the following:

    • Disable user info: Enable this option.
    • Scopes: Add the following scopes: openid profile email offline_access

  11. Click Save.

  12. Scroll down to the Advanced settings section and enable the Store tokens and Stored tokens readable options.

  13. Click Save.

  14. Enable fine-grained permissions for the IdP:

    1. Go to the Permissions tab and enable the Permissions enabled option.
    2. In the Permissions list section, click the token-exchange permission.
    3. In the Policies field, add the public-api-token-exchange policy.
    4. Click Save.

  15. Test your configuration:

    1. Open a new browser tab and navigate to Design Center. The Sign in to your account window appears.
    2. Click the option to log in with Okta and enter your Okta credentials.

If your IdP is properly configured, you will be logged in successfully.