After installing the VDS Web Server component, configure your authorization server for the VDS Web Server. You must then update the VDS settings in the VDS Configuration Utility so that it can connect to the authorization server. Make sure you use the same authorization server type (SAM or Okta) that you used to set up authorization for your client application.
Currently, Smart API Manager and Okta are supported authorization servers. The instructions for each are summarized below. For detailed information on setup and configuration, see Installing Smart API Manager and Configuring Smart API Manager for SAM, or the help information provided with Okta.
Set Up Smart API Manager (SAM)
- In Smart API Manager (SAM), register your VDS Web Server as a new Smart API with the following information:
  - Ways to register your Smart API - the URL for the Smart API service description.
  - URL - the URL location of the VDS Web Server: https://[yourservername].[domain.com]/vds/3d/gds/v1
    If VDS runs on a port other than the default SSL port (443), that port must be specified in the URL location of the VDS web server. For example, if VDS is configured to run on port 22419, your URL string should be:
    https://[yourservername].[domain.com]:22419/vds/3d/gds/v1
  - Secret - the value generated by the Smart API Manager when creating the Smart API. This is not required for the VDS Web Server.
  - Service ID - the value generated by the Smart API Manager when creating the Smart API.
- Add the same authorized groups used in your solution for other products to the Smart API.
  - If your environment is using Named User authorization as the identity provider, the VDS Smart API must also provide access to the same authorized group.
  - If your environment is using IWA authentication as the identity provider, the VDS Smart API must also provide access to the same authorized group as your client application Smart API.
- Record the Resource Identifier (ID) of the registered web API. The identifier is required when editing the VDS Configuration Utility properties in Configure Security Settings for the VDS Web Server.
- Return to the VDS Configuration Utility. In Security Settings > Audience ID (Service/Resource ID), replace the default value with the Resource Identifier you just recorded. See Security Settings.
Set Up Okta
Register the Visualization Data Service Application Server as an ‘Application’.
- Select the Applications tab and click Add Application.
- In the Create New Application screen, select OAuth Service and click Create.
- In the General Settings section, enter an Application Name such as ‘VDS Client’ and click Save.
- Note the Client ID for the next step.
- In the application Web Client, find the Client Application object created earlier (or find the default object that is already in the database) and update it.
- Update the Client application ID to match the Client ID value from Okta.
- In Okta, find the client application site’s Authorization Server (Security > API > Authorization Servers), select the Access Policies tab, and click Add New Access Policy.
- In the Add Policy dialog, set the policy as shown in the following example:

  | Name | Description | Assign to |
  |---|---|---|
  | VDS Client Access Policy | Access policy for VDS Client | VDS Client |

- Click Create Policy.
- Click Add Rule.
  Rules allow for the configuration of the token lifetime and expiration.
- In the Add Rule dialog, set the rules as shown in the following example:

  | Option | Detail |
  |---|---|
  | Rule Name | VDS Client Token Rule |
  | IF Grant type is Client acting on behalf of itself | Client Credentials |
  | IF Grant type is Client acting on behalf of a user | |
  | AND User is | Any user assigned the application |
  | AND Scopes requested | Any scopes |
  | THEN Access token lifetime is | 1 Hour |
  | AND Refresh token lifetime is | Unlimited |
  | BUT will expire if not used every | 7 Days |

- Click Create Rule.
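To check that the access policy and rule above produce the tokens you expect, the following added example (not part of the original documentation, and not Okta or VDS code) decodes an access token's claims and compares them with the configured values. It assumes the token is a JWT carrying Okta's `aud`, `cid`, `iat` and `exp` claims; the audience and Client ID values are constructed placeholders, and the signature is not verified, so this is a configuration check only.

```python
import base64
import json

MAX_LIFETIME_S = 3600  # "THEN Access token lifetime is: 1 Hour" in the rule above


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(claims: dict, audience: str, client_id: str) -> list:
    """Compare decoded claims with the values configured in Okta and VDS."""
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        problems.append(f"aud {aud!r} does not match Audience ID {audience!r}")
    if claims.get("cid") != client_id:
        problems.append(f"cid {claims.get('cid')!r} is not the expected Client ID")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        problems.append("iat/exp missing or not numeric")
    elif exp - iat > MAX_LIFETIME_S:
        problems.append(f"lifetime {exp - iat}s exceeds {MAX_LIFETIME_S}s")
    return problems


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample values; replace with your own Audience ID and Client ID.
AUDIENCE = "api://vds-example"
CLIENT_ID = "0oaEXAMPLECLIENTID"
GOOD = make_sample({"aud": AUDIENCE, "cid": CLIENT_ID, "iat": 1700000000, "exp": 1700003600})
BAD = make_sample({"aud": "api://default", "cid": CLIENT_ID, "iat": 1700000000, "exp": 1700086400})

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("bad", BAD)):
        print(name, check_token(decode_claims(tok), AUDIENCE, CLIENT_ID) or "OK")
```

An audience mismatch reported here usually means the value in Security Settings > Audience ID differs from the one configured on the authorization server.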
Okta Components
When you complete the Okta setup for the VDS Web Server, your Okta system consists of the components listed below. For detailed installation and setup information, see your Okta documentation.
- Local Okta Users:
  - Users created as necessary for access to the application web client.
  - One specific user created for user impersonation with a matching user defined in the client application that has your required role assignments.
- Local Okta Group for the client application user authentication with all required Okta users included in the group.
- Authorization Server for the client application site with access policies added.
- Authorization Server for the VDS Web Server with:
  - Access policies that are added for the client application.
  - A matching VDS Connection object defined in the client application.
- Application for the client application using Proof Key for Code Exchange (PKCE) authentication with the local Okta group assigned.