The following steps detail creating an OpenID Connect Client in Okta. The setup should be performed from an administrator account in Okta.
1. Access Okta with an Administrator account.
2. Navigate to the Applications menu, and then click Create App Integration.
3. In the wizard, select the OIDC radio button as the Sign-in method, select Native Application as the Application Type, and then click Next.
4. Provide the App Integration Name.
5. In the Grant type section, select the Authorization Code and Resource Owner Password check boxes.
6. In the Sign-in redirect URIs section, click Add URI and add a Redirect URI, for example <protocol>://<eam-server>/axis/services/EWSConnector. In the authorization code grant flow of OpenID Connect, this is the URI to which the user is redirected, together with the authorization code, after authentication.
7. In the Assignments section, select the appropriate option, and then click Save.
8. Once the application is created, navigate to the General tab, and then in the Client Credentials section, click Edit.
9. Select the Client Secret radio button, and then click Save. This generates a new Client Secret. Note the Client ID and the generated Client Secret.
10. Clear the Require PKCE as additional verification check box.
11. From the left menu, navigate to the API sub-menu under Security.
12. Click Add Authorization Server.
13. Provide values for Name, Audience, and Description, and then click Save.
14. Navigate to the Claims tab.
15. Click Add Claim to add the following claims:

   | Name | Include in token type | Value type | Value |
   |---|---|---|---|
   | Identity2 | ID Token (Always) | Expression | user.login |
   | email-id | ID Token (Always) | Expression | user.email |
   | UserDescription | ID Token (Always) | Expression | user.fullName |
   | SecurityRole | ID Token (Always) | Expression | "EAM-Administrator" |

   Replace "EAM-Administrator" with the appropriate EAM role name.
16. Navigate to the Access Policies tab, and then click Add New Access Policy.
17. Provide Name and Description, select the "The following Clients" radio button, select the Client Application created at step 8, and then click Create Policy.
18. Click Add rule, and then provide a rule name. Ensure that Authorization Code and Resource Owner Password are selected, and then click Create Rule.
19. Copy the Metadata URI from the Settings tab. This URI serves the metadata that describes the OIDC configuration.
See https://developer.okta.com/docs/reference/api/oidc/#endpoints for more details on Okta configuration.
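The authorization-code request, the token-endpoint exchange and the ID-token claim checks that the client and authorization server configured above support, as an added example that is not part of the product documentation or of Okta's code. The issuer URL, client ID, redirect URI and sample payload are constructed placeholders; the endpoint paths assume Okta's custom authorization server layout (<issuer>/v1/authorize and <issuer>/v1/token), and signature verification against the JWKS linked from the metadata URI is assumed to happen before check_eam_claims is called.

```python
import secrets
import time
from urllib.parse import urlencode

# The four custom claims added to the authorization server in the steps above.
REQUIRED_CLAIMS = ("Identity2", "email-id", "UserDescription", "SecurityRole")

# Constructed placeholders (assumptions, not values from the page).
ISSUER = "https://example.okta.com/oauth2/ausPLACEHOLDER"  # custom authorization server
CLIENT_ID = "0oaPLACEHOLDER"

def build_authorize_url(issuer, client_id, redirect_uri, state=None, nonce=None):
    """Authorization-code request to <issuer>/v1/authorize. 'state' ties the callback to the
    browser session (CSRF defence); 'nonce' is echoed in the ID token so replays can be
    rejected. Both matter more here because PKCE was switched off in step 10."""
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": "code", "scope": "openid profile email",
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    return f"{issuer}/v1/authorize?{urlencode(params)}", state, nonce

def build_token_request(client_id, client_secret, code, redirect_uri):
    """Form body for POST <issuer>/v1/token; the secret from step 9 authenticates the client."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}

def check_eam_claims(payload, issuer, client_id, nonce, allowed_roles, now=None):
    """Validate an ID-token payload whose signature was ALREADY verified against the JWKS
    linked from the metadata URI (step 19). Returns the EAM claims or raises ValueError."""
    now = time.time() if now is None else now
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if float(payload.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if payload.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    missing = [c for c in REQUIRED_CLAIMS if not payload.get(c)]
    if missing:
        raise ValueError(f"claims missing from the authorization server: {missing}")
    if payload["SecurityRole"] not in allowed_roles:
        raise ValueError(f"unexpected SecurityRole {payload['SecurityRole']!r}")
    return {c: payload[c] for c in REQUIRED_CLAIMS}

# Constructed sample payload shaped like the claims table above (not a real token).
SAMPLE_PAYLOAD = {"iss": ISSUER, "aud": CLIENT_ID, "exp": 1_700_000_600, "nonce": "n-1",
                  "Identity2": "jdoe", "email-id": "jdoe@example.com",
                  "UserDescription": "Jane Doe", "SecurityRole": "EAM-Administrator"}
```

A token that fails any check (wrong issuer or audience, expired, replayed nonce, a claim not configured in step 15, or a role outside the allowed set) is rejected rather than mapped to an EAM user.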