Toolbox Enterprise Preview.10 Help

Okta

Follow these guidelines to configure Okta as an OAuth2 provider for your instance of Toolbox Enterprise.

Prerequisites

  • You have a valid Okta account.

  • You have created an application.yaml file to configure your Toolbox Enterprise Server.

Create App integration

To enable authorization, the first step is to register Toolbox Enterprise in Okta by creating an app integration through the Admin Console. For more information about the procedure, refer to the Okta documentation.

  1. Open the Okta Admin Console in your browser and log in using your Okta account.

  2. In the main menu, go to Applications | Applications to view current app integrations.

  3. Click Create App Integration.

  4. Select OIDC - OpenID Connect as the sign-in method.

  5. Select Web Application as the application type. Click Next.

  6. In the New Web App Integration form, specify the following details:

    • App integration name: specify Toolbox Enterprise.

    • Grant type: leave the Authorization Code checkbox selected. Additionally, select the Refresh Token checkbox.

    • Sign-in redirect URIs: specify the callback endpoint to redirect the end user - http://<toolbox_enterprise_server_domain.com>/api/login/authenticated.

    • Controlled access: select one of the access options for the app integration.

    Click Save.

Configure Okta in application.yaml

After creating an app integration in Okta, you need to configure your application.yaml file and specify the OAuth2 provider properties there:

tbe:
  auth:
    login-url: "https://<your_Okta_domain>.okta.com/oauth2/v1/authorize"
    token-url: "https://<your_Okta_domain>.okta.com/oauth2/v1/token"
    jwt-certs-url: "https://<your_Okta_domain>.okta.com/oauth2/v1/keys"
    client-id: "your_identifier"
    client-secret: "your_password"
    required-scopes: [ "profile", "email", "openid"]
    root-admin-emails:
      - "your.company.admin@example.com"

login-url

Provide a URL for logging in via Okta.

You can obtain this URL by requesting the Well-known configuration at https://<your_Okta_domain>.okta.com/.well-known/openid-configuration

token-url

Provide a URL for obtaining an authorization token on Okta's side.

You can obtain this URL by requesting the Well-known configuration at https://<your_Okta_domain>.okta.com/.well-known/openid-configuration

jwt-certs-url

Specify a URL to the JSON Web Key (JWK) set that is used to validate JSON Web Tokens (JWT).

You can obtain this URL by requesting the Well-known configuration at https://<your_Okta_domain>.okta.com/.well-known/openid-configuration

client-id

Specify the public identifier for Toolbox Enterprise used in Okta.

To obtain this value, open the app integration details in the Okta Admin Console. You will find the necessary identifier in the Client Credentials section on the General tab.

client-secret

Specify the client secret for Toolbox Enterprise used in Okta.

To obtain this value, open the app integration details in the Okta Admin Console. You will find the necessary secret in the Client Secrets section on the General tab.

required-scopes

Set the value to [ "profile", "email", "openid"].

root-admin-emails

List emails of users that will receive admin rights.
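
The login-url, token-url and jwt-certs-url values all come from the same well-known configuration document. The following Python code is an added example, not part of the Toolbox Enterprise documentation: it maps the standard OpenID Connect discovery fields to those three properties and reports any URL that is not HTTPS on the expected Okta host, or any required scope the provider does not advertise. The host example-org.okta.com, the sample document and the function name auth_settings are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document (not taken from a real Okta org).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-org.okta.com",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example-org.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
})

# OIDC discovery field -> property name under tbe.auth in application.yaml
FIELD_TO_KEY = {
    "authorization_endpoint": "login-url",
    "token_endpoint": "token-url",
    "jwks_uri": "jwt-certs-url",
}
REQUIRED_SCOPES = ["profile", "email", "openid"]


def auth_settings(discovery_json, okta_host):
    """Return (settings, problems) derived from a discovery document."""
    doc = json.loads(discovery_json)
    settings, problems = {}, []
    for field, key in FIELD_TO_KEY.items():
        url = doc.get(field)
        if not url:
            problems.append(f"{field} missing from discovery document")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key}: {url} is not https")
        if parts.hostname != okta_host:
            problems.append(f"{key}: host {parts.hostname} is not {okta_host}")
        settings[key] = url  # kept so the reviewer sees what was advertised
    for scope in REQUIRED_SCOPES:
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope} not advertised")
    return settings, problems


if __name__ == "__main__":
    settings, problems = auth_settings(SAMPLE_DISCOVERY, "example-org.okta.com")
    for key, value in settings.items():
        print(f'    {key}: "{value}"')
    for problem in problems:
        print("WARNING:", problem)
```

To check a real tenant, save the response from the well-known configuration URL to a file and pass its contents and your Okta host name to auth_settings.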

Last modified: 16 April 2024