The following steps describe the minimum required settings in Okta to support EcoSys with OpenID Connect.
These instructions only get you started with configuring Okta for OpenID Connect; they provide no express or implied guarantee of security.
This section explains how to set up Okta to use OpenID Connect authentication with EcoSys. After completing these steps, you can use the following values in your EcoSys environment:

- Base URL
- Client ID
- Client Secret
Follow these steps:

- Log in to Okta.
- Go to Applications > Applications and click Add Application.
- Click the Create App Integration button. The Create a New Application Integration screen appears.
- Select OIDC - OpenID Connect and then Web Application. Click Next.
- On the New Web Application Integration screen:
  - Enter the App integration name.
  - Under Client acting on behalf of a user, check Authorization Code.
  - Set the Sign-in redirect URIs to http://ecosys-server:8080/login!doLogin.action
  - Set the Sign-out redirect URIs to http://ecosys-server:8080/logout/
  - Set the Control access. It is recommended to set this to Limit access to select groups; only members of the selected groups are then allowed to log in to EcoSys.
- Click Save.
- Click the Assignments tab and add any additional users or groups from the Okta Directory to the application to allow them access to EcoSys.
- On the General tab, under Client Credentials, enter the Client ID and Client Secret. The Client ID and Client Secret will be used later in the setup process.
- Click the Sign On tab. Copy the value from the Issuer field and append /oauth2/default to create the Base URL. For example, https://domain.okta.com/oauth2/default
- To allow Okta users to access EcoSys, those users must be assigned to the application created in the steps above. See the Okta documentation for more information.
- Any user in the OpenID provider must also be created in EcoSys with Authentication Mode set to Custom.
- EcoSys uses the "preferred_username" claim received in the token as the login name. If "preferred_username" is not present in the token, it uses the "sub" claim instead. It then validates that value as a login name in its database (generally the UserName/Login ID from the provider). The claims sent to EcoSys can be configured in the OpenID provider's authorization server settings.
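The following Python snippet is an added example, not EcoSys or Okta code: it models the two pieces of logic the steps above describe, building the Base URL from the Okta Issuer value and resolving the login name from token claims (preferred_username first, then sub) before checking it against an EcoSys user record in Custom authentication mode. The user records and claim sets are constructed sample data; the exact-match lookup on Login ID and the "Internal" mode value are assumptions, and signature verification of the token is outside this example.

```python
# Added example (not EcoSys or Okta code): models the login-name resolution
# described above and the Base URL construction from the Okta Issuer value.
# The claim names preferred_username and sub are from the page; the user
# records below are constructed sample data.

from dataclasses import dataclass
from typing import Iterable, Mapping, Optional


def base_url_from_issuer(issuer: str) -> str:
    """Build the EcoSys Base URL by appending /oauth2/default to the Issuer
    value copied from the Okta Sign On tab (a trailing slash is tolerated)."""
    return issuer.rstrip("/") + "/oauth2/default"


def resolve_login_name(claims: Mapping[str, object]) -> Optional[str]:
    """Return the login name carried by the token claims: preferred_username
    if present and non-empty, otherwise sub; None if neither is usable."""
    for key in ("preferred_username", "sub"):
        value = claims.get(key)
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None


@dataclass(frozen=True)
class EcoSysUser:
    login_id: str             # UserName / Login ID as stored in EcoSys
    authentication_mode: str  # must be "Custom" for OpenID-provider users


# Constructed sample user directory (not real accounts).
SAMPLE_USERS = (
    EcoSysUser("jdoe", "Custom"),
    EcoSysUser("legacy.user", "Internal"),  # hypothetical non-Custom mode
)


def validate_login(claims: Mapping[str, object],
                   users: Iterable[EcoSysUser]) -> Optional[EcoSysUser]:
    """Map token claims to an EcoSys user. Exact-match lookup on Login ID is
    an assumption; only users in Custom authentication mode are accepted."""
    login_name = resolve_login_name(claims)
    if login_name is None:
        return None
    for user in users:
        if user.login_id == login_name and user.authentication_mode == "Custom":
            return user
    return None


if __name__ == "__main__":
    # Constructed claim sets standing in for the payload of an already
    # verified ID token; "00u-abc" is a placeholder subject identifier.
    print(base_url_from_issuer("https://domain.okta.com"))
    print(validate_login({"preferred_username": "jdoe", "sub": "00u-abc"}, SAMPLE_USERS))
    print(validate_login({"sub": "nobody"}, SAMPLE_USERS))
```

The fallback to sub matters operationally: if the Okta authorization server is not configured to send preferred_username, EcoSys will compare the opaque sub value against its Login IDs, and logins fail unless those IDs were created to match. Confirm which claim the authorization server emits before creating the Custom-mode users. Separately, the redirect URIs in the steps above use plain http:// on ecosys-server:8080; for any deployment reachable beyond a test host, register https:// redirect URIs so the authorization code is not exposed in transit.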