AE initiated SSO with Okta using OpenID Connect
The topic shows how to get the required parameters and key configurations to set up AutomationEdge SSO with Okta. Following are the required parameters for Okta Single Page Application (SPA):
• Identity Provider Issuer
• Identity Provider Endpoints
• Login/Logout redirect URIs
• Client ID
• Client Secret: The parameter is also required for the Okta web application.
To configure Okta Identity Provider and fetch the required parameters:
-
Go to Okta login page. Enter your login username and password.
-
Click Sign In. The Okta landing page appears.
-
On the landing page, complete the following steps:
i. Click the Applications tab, and then select Applications in the list. The Applications page appears.
ii. On the Applications page, click Add Application. The Add Application page appears.
iii. On the Add Application page, click Create New App. The details page appears.
-
In the Create a New Application Integration dialog:
i. In the Platform list, select Single Page App (SPA), and then choose OpenID Connect.
Note:AutomationEdge SSO with Okta supports Web or Single Page App (SPA) applications.
ii. Click Create. The Create OpenID Connect Integration page appears.
-
In the Create OpenID Connect Integration page, enter SPA configuration details, as required. For example, Application name: My SPA.
-
Click Save. The application with all the parameters is created.
-
Click Back to Application. The app appears on the Applications page.
Note:You can similarly create a Web application, selecting Web as the application platform.
-
On the Applications page, click the application link for which you want to fetch the parameters for SSO configuration. For example, the application, My SPA.
To fetch the parameters for SSO configuration:
-
On the selected application page, click the Assignments tab. Click Assign, the list appears.
-
In the list, select Assign to People, and then map the Okta user to the AE user. The assigned AE users appear in the Assignments -> Assign -> People list.
-
Click the General tab and the General Settings page appears. Enter the Login redirect URIs and the Client ID details.
Note:Make sure that the login and logout URLs are the same. For example,
https://AutomationEdge:{Port}/aeui. -
On the Applications page, click Security. The options appear.
-
In the options, click API, and then click Authorization Servers tab -> Default link. The default link page appears.
-
In the Settings tab, click the Metadata URI link. The JSON file appears.
Note:Summarizing the steps to fetch Endpoints JSON, in the Okta Developer Console, go to Security -> API -> Authorization Servers. In the Name column, select the default link, and then click the Metadata URL link to view the Endpoints JSON.
-
In the Authorization Servers tab -> Default link, copy the Metadata URI and paste it in a new browser window.
Edit the URL and replace oauth-authorization-server with opened-configuration.
Copy the metadata and paste it in the Import from json dialog in AEUI.
Note:For details about Import from json dialog, see Settings -> Single Sign-On section in the AutomationEdge User’s guide.
-
In Okta, click Claims tab -> Add Claim, and then enter a name for the claim and configure the claim details. The values expression for the list of claims used in AutomationEdge may change for different Identity Providers (IDP). The following table shows the claims for Okta IDP:
Name Values (case sensitive) uniqueId user.username firstName user.firstName lastName user.lastName emailAddress user.email Note:uniqueId, firstName, and lastName are mandatory attributes. Therefore, you must enter a value for the attributes.
This is Okta Expression Language syntax to generate values derived from attributes in Universal Directory and app profiles. To validate an expression, use the Token Preview tab.
In Web applications, you additionally need a Client Secret.
To get the client secret, click your Web application → General tab and then scroll to view and get the Client Secret along with other configuration parameters