Configure Okta for Smart API/EcoSys Connect - EcoSys - Administration & Configuration - Hexagon PPM

EcoSys Smart API

EcoSys Version: 8.7

EcoSys SMART API and EcoSys Connect support any OAuth2 token provider. The following section explains how to configure the connection to the token provider (using the Okta OAuth2 provider as an example) for use with EcoSys SMART API or EcoSys Connect.

After the connection to Okta is configured, you can obtain the values for the following settings, which are used later with EcoSys SMART API or EcoSys Connect.

  • Token URL

  • Issuer URL

  • Client ID

  • Client Secret

  • Scope

  • JWKS URL

The following instructions are only meant to get you started with configuring an authorization server in Okta; they do not provide any express or implied guarantee of security.

  1. Log in to Okta.

  2. Navigate to Applications > Applications.

    1. Click the Add Application button.

    2. Click the Create New App button. The Create a New Application Integration screen appears.

    3. Set the platform to oAuth Service and click Create.

    4. Enter an Application name and click Save.

  3. On the General tab under the Client Credentials section, note the Client ID and Client secret values as they will be used later in the EcoSys setup process.

  4. Navigate to Security > API and click the Add Authorization Server button.

    1. In the Add Authorization Server screen, enter the Name, Audience, and Description values and click Save.

  5. For the newly created authorization server, navigate to the Scopes tab and then click Add Scope.

    1. Set the Name field to a version 4 UUID (Universally Unique Identifier) value, which can be generated at https://www.uuidgenerator.net/, enter a value for Description, and click Save.

      Note the scope Name value as it will be used later in the setup process.

  6. Navigate to the Claims tab. A claim called sub already exists.

    1. Click the pencil icon to update the claim.

    2. Change the Value field to ‘admin’.

      The value ‘admin’ is the username that this claim asserts. In EcoSys context, this corresponds to an ‘admin’ user, so configure it accordingly. In an EcoSys Connect context, this does not correspond to any user.


    3. Click the Save button.

  7. From the newly created authorization server, navigate to the Access Policies tab and then click the Add Policy button.

    1. Enter Name and Description values.

    2. For the Assign To setting, select The following clients option and set it to the Application name created in step 2.

    3. Click the Create Policy button.

  8. For the newly created access policy, click the Add Rule button.

    1. Enter a rule name value.

    2. Leave the Client Credentials option under the Client acting on behalf of itself section unchecked.

    3. Uncheck the Authorization Code, Implicit, and Resource Owner Password options under the Client acting on behalf of a user section.

    4. For the Scopes requested setting, select The following scopes option and enter the scope Name value from step 5a.

    5. Click the Update Rule button.

  9. For the newly created authorization server, navigate to the Settings tab and note the URL value set for the Issuer field (for example, https://xyz.okta.com/oauth2/ausp1bwnr0uVptWjS4x).

    This URL is the Issuer URL and will be used to configure EcoSys and request tokens.

    • For the Token URL, add /v1/token to the end of the Issuer URL. For example, https://xyz.okta.com/oauth2/ausp1bwnr0uVptWjS4x/v1/token

    • For the JWKS URL, add /v1/keys to the end of the Issuer URL. For example, https://xyz.okta.com/oauth2/ausp1bwnr0uVptWjS4x/v1/keys
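
A sanity check for the values collected in the steps above, added here as an example (it is not Hexagon or Okta code): it derives the Token and JWKS URLs from the Issuer URL, confirms the scope name is a version 4 UUID, and compares a token's decoded claims with the configured issuer, scope and sub value. The function names, the sample UUID and the sample claims are constructed for illustration, and the scope claim layout is an assumption noted in the code.

```python
import base64
import json
import uuid
from urllib.parse import urlsplit

def derive_endpoints(issuer_url):
    """Append /v1/token and /v1/keys to the Issuer URL, as step 9 describes."""
    # Drop a trailing slash or sentence period picked up when copying the URL.
    issuer = issuer_url.strip().rstrip("/.")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("Issuer URL must be a plain https URL: %r" % issuer_url)
    return {"issuer": issuer,
            "token_url": issuer + "/v1/token",
            "jwks_url": issuer + "/v1/keys"}

def is_uuid4(name):
    """True if the scope name is a canonical version 4 UUID (step 5)."""
    try:
        parsed = uuid.UUID(name)
    except ValueError:
        return False
    return parsed.version == 4 and str(parsed) == name.lower()

def decode_payload(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    padded = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def claim_problems(claims, issuer, scope, subject):
    """Compare token claims with the values noted during the Okta setup."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the Issuer URL")
    if claims.get("sub") != subject:
        problems.append("sub does not match the configured claim value")
    # Assumption: scopes arrive as an "scp" list or a space-separated "scope" string.
    granted = claims.get("scp") or str(claims.get("scope", "")).split()
    if scope not in granted:
        problems.append("configured scope was not granted")
    return problems

# Constructed sample values (the issuer is the page's own example URL).
SAMPLE_SCOPE = "3f2b8c1e-6a4d-4e9b-9c7a-1d2e3f4a5b6c"
SAMPLE_CLAIMS = {"iss": "https://xyz.okta.com/oauth2/ausp1bwnr0uVptWjS4x",
                 "sub": "admin", "scp": [SAMPLE_SCOPE]}
```

A token that passes these checks still has to have its signature verified against the keys published at the JWKS URL by the service that consumes it.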