Set up the Authorization Server - HxGN LiveView - Administration & Configuration

HxGN LiveView Administrator Help

Product: HxGN LiveView | Category: Administration & Configuration | VDS Version: 3.13 | LiveView Version: 3

After installing the VDS Web Server component, configure your authorization server for the VDS Web Server. You must then update the VDS settings in the VDS Configuration Utility so that it can connect to the authorization server. Make sure you use the same authorization server type (SAM or Okta) that you used to set up authorization for your client application.

Currently, Smart API Manager and Okta are supported authorization servers. The instructions for each are summarized below. For detailed information on setup and configuration, see Installing Smart API Manager and Configuring Smart API Manager for SAM, or the help information provided with Okta.

Set up Smart API Manager (SAM)

  1. In Smart API Manager (SAM), register your VDS Web Server as a new Smart API with the following information:

    Ways to register your Smart API - the URL for the Smart API service description.

    URL - the URL location of the VDS Web Server: https://[yourservername].[domain.com]/vds/3d/gds/v1

    If VDS runs on a port other than the default HTTPS port (443), that port must be included in the URL location of the VDS Web Server. For example, if VDS is configured to run on port 22419, the URL is:

    https://[yourservername].[domain.com]:22419/vds/3d/gds/v1

    Secret - the value generated by Smart API Manager when the Smart API is created. The VDS Web Server does not use this value, so you do not need to record it.

    Service ID - the value generated by Smart API Manager when the Smart API is created.

  2. Add the same authorized groups used in your solution for other products to the Smart API.

    • If your environment uses Named User authorization as the identity provider, the VDS Smart API must also grant access to the same authorized group.

    • If your environment uses IWA authentication as the identity provider, the VDS Smart API must also grant access to the same authorized group as your client application Smart API.

  3. Record the Resource Identifier (ID) of the registered web API. You need it when editing the VDS Configuration Utility properties in Configure Security Settings for the VDS Web Server.

  4. Return to the VDS Configuration Utility and open Security Settings > Audience ID (Service/Resource ID). Replace the default value with the Resource Identifier you just recorded. The value must match exactly: an access token whose audience does not match this identifier is not accepted by the VDS Web Server. See Security Settings.

Set Up Okta

Register the Visualization Data Service Application Server as an ‘Application’.

  1. Select the Applications tab and click Add Application.

  2. In the Create New Application screen, select OAuth Service and click Create.

  3. In the General Settings section, enter an Application Name such as ‘VDS Client’ and click Save.

  4. Note the Client ID for the next step.

  5. In the application Web Client, find the Client Application object created earlier (or find the default object that is already in the database) and update it.

  6. Update the Client application ID to match the Client ID value from Okta.

  7. In Okta, find the client application site’s Authorization Server (Security > API > Authorization Servers), select the Access Policies tab, and click Add New Access Policy.

  8. In the Add Policy dialog, set the policy as shown in the following example:

    Name: VDS Client Access Policy
    Description: Access policy for VDS Client
    Assign to: VDS Client

  9. Click Create Policy.

  10. Click Add Rule.

    Rules configure the token lifetime and expiration.

  11. In the Add Rule dialog, set the rule as shown in the following example (Option: Detail):

    Rule Name: VDS Client Token Rule
    IF Grant type is Client acting on behalf of itself: Client Credentials
    IF Grant type is Client acting on behalf of a user:
    AND User is: Any user assigned the application
    AND Scopes requested: Any scopes
    THEN Access token lifetime is: 1 Hour
    AND Refresh token lifetime is: Unlimited
    BUT will expire if not used every: 7 Days

    These lifetimes are the example values. With an unlimited refresh token lifetime, the 7-day idle window is the only thing that retires an unused refresh token, so shorten it if your security policy requires a smaller exposure window for a stolen refresh token.

  12. Click Create Rule.
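The Audience ID set in step 4 of the SAM procedure and the one-hour access token lifetime in the Okta rule above are both enforced by whoever consumes the token, not by the authorization server that issues it. The following is an added example written for this page, not code from HxGN LiveView, Smart API Manager or Okta: a minimal resource-server check in Python that shows what happens when an access token issued for the client application's API is presented to the VDS Web Server, when someone rewrites the audience claim of such a token, and when a token has outlived the rule's lifetime. The issuer URL, the two audience identifiers and the HS256 shared key are constructed for the example; real SAM and Okta access tokens are verified against the authorization server's published signing keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values. In a real deployment these are the identifiers
# shown by SAM or Okta when you register the VDS Web Server, and the
# authorization server's own signing keys rather than a shared HMAC secret.
ISSUER = "https://auth.example.com/oauth2/default"       # assumed issuer URL
VDS_AUDIENCE = "vds-web-server-resource-id"               # assumed Audience ID (Service/Resource ID)
CLIENT_APP_AUDIENCE = "client-application-resource-id"    # assumed ID of the client application's API
SIGNING_KEY = b"constructed-example-key-not-for-production"
ACCESS_TOKEN_LIFETIME = 3600                              # 1 hour, as in the Okta rule above
CLOCK_SKEW = 60                                           # seconds of tolerance on exp


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(audience, now=None, lifetime=ACCESS_TOKEN_LIFETIME, issuer=ISSUER):
    """Stand-in for the authorization server: issue an HS256 JWT for `audience`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": "vds-client",
              "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def retarget_audience(token, new_audience):
    """What a caller holding a token for another API might try: rewrite `aud`
    without re-signing. The signature check in validate_token must reject this."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["aud"] = new_audience
    return h + "." + _b64url(json.dumps(claims).encode()) + "." + s


def validate_token(token, expected_audience=VDS_AUDIENCE, now=None):
    """Resource-server check in the order that matters: signature first, then
    issuer, audience and expiry. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "unexpected alg"          # never accept alg=none or a downgraded alg
        expected_sig = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict):
            return False, "malformed"
    except ValueError:                              # bad base64, bad UTF-8 or bad JSON
        return False, "malformed"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:          # the Audience ID mismatch case
        return False, "audience mismatch"
    if now > int(claims.get("exp", 0)) + CLOCK_SKEW:  # the 1-hour lifetime, enforced here
        return False, "expired"
    return True, "ok"


def demo(now=1_700_000_000):
    """Run the cases a practitioner would want to see; returns {case: reason}."""
    for_vds = mint_token(VDS_AUDIENCE, now=now)
    for_client_app = mint_token(CLIENT_APP_AUDIENCE, now=now)
    return {
        "vds token, fresh": validate_token(for_vds, now=now + 60)[1],
        "client app token presented to VDS": validate_token(for_client_app, now=now + 60)[1],
        "client app token with aud rewritten":
            validate_token(retarget_audience(for_client_app, VDS_AUDIENCE), now=now + 60)[1],
        "vds token after 1h + skew":
            validate_token(for_vds, now=now + ACCESS_TOKEN_LIFETIME + CLOCK_SKEW + 1)[1],
        "garbage": validate_token("not.a.jwt")[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:40s} -> {reason}")
```

The order of the checks is the point: signature is verified before any claim is read, so a rewritten audience or expiry never reaches the comparison, and the audience comparison is done against the configured identifier only, so a valid token for the client application's API is still refused by the VDS Web Server.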

Okta Components

When you complete the Okta setup for the VDS Web Server, your Okta system consists of the components listed below. For detailed installation and setup information, see your Okta documentation.

  • Local Okta Users:

    • Users created as necessary for access to the application web client.

    • One specific user created for user impersonation with a matching user defined in the client application that has your required role assignments.

  • Local Okta Group for the client application user authentication with all required Okta users included in the group.

  • Authorization Server for the client application site with access policies added.

  • Authorization Server for the VDS Web Server with:

    • Access policies that are added for the client application

    • A matching VDS Connection object defined in the client application.

  • Application for the client application, using the authorization code flow with Proof Key for Code Exchange (PKCE), with the local Okta group assigned.