Configuring Okta for OpenID Connect (OIDC)

Review and complete the following sections before configuring the iMIS OIDC settings.

Creating an Okta application

In the Okta admin console, create an application by doing the following:

  1. Navigate to the Okta admin console.
  2. Click the Admin button to navigate to the developer portal.
  3. From the navigation, go to Applications > Applications.
  4. Click Create App Integration.
  5. Select OIDC - OpenID Connect, and then select Web Application.
  6. Click Next.
  7. Enter an App Integration Name. Optionally, upload a Logo.
  8. Enable the following settings:
    1. Grant type:

      • Client acting on behalf of itself - Client Credentials

      • Client acting on behalf of a user - Implicit (hybrid)

      📘

      Note

      The Authorization Code setting is enabled by default; leave it enabled. Implicit (hybrid) stays enabled for the ID token only: step 10 below switches its access-token half off again, because an access token returned in the front channel (the URL fragment) is exposed to browser history, referrers and any script on the page, which is why the OAuth 2.0 Security Best Current Practice deprecates the implicit grant for access tokens.

    2. Sign-in redirect URLs:

      Okta compares the redirect_uri in each authorization request with this list by exact string match, so enter the URL exactly as iMIS sends it (scheme, host, path and any trailing slash included).

  9. From the Assignments section, enable Skip group assignment for now.
  10. Click Save. Once the app has been created, disable the Allow Access Token with implicit grant type option in the Grant type area of the General tab.
  11. Click Save.
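The following is an added example, not code from the iMIS or Okta documentation. It audits the client settings of the app created above, as returned by Okta's Apps API in the `settings.oauthClient` object (`grant_types`, `response_types`, `redirect_uris`), and shows the weak state (access token still issued through the implicit grant) beside the hardened one. The two client objects and the redirect URL `https://imis.example.org/signin-oidc` are constructed placeholders for this illustration, not the real iMIS values.

```python
"""Audit an Okta OIDC app's client settings for the implicit-grant hardening step.

Added example; the dict shape mirrors Okta's `settings.oauthClient` object.
The sample clients at the bottom are constructed for this illustration.
"""
from urllib.parse import urlsplit

# The two "Implicit (hybrid)" checkboxes in the admin UI map onto response_types:
#   "id_token"  -> Allow ID Token with implicit grant type
#   "token"     -> Allow Access Token with implicit grant type
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_oauth_client(oauth_client):
    """Return a list of findings; an empty list means the settings match the procedure."""
    grants = set(oauth_client.get("grant_types", []))
    responses = set(oauth_client.get("response_types", []))
    findings = []

    if "authorization_code" not in grants or "code" not in responses:
        findings.append("Authorization Code grant is not enabled")
    if "client_credentials" not in grants:
        findings.append("Client Credentials grant is not enabled")
    if "implicit" in grants and "token" in responses:
        # An access token returned in the URL fragment is visible to browser
        # history, referrers and any script on the page; the procedure turns it off.
        findings.append("Allow Access Token with implicit grant type is still enabled")

    for uri in oauth_client.get("redirect_uris", []):
        parts = urlsplit(uri)
        if parts.scheme != "https" and parts.hostname not in LOOPBACK_HOSTS:
            findings.append(f"redirect URI is not https: {uri}")
        if "*" in uri or parts.fragment:
            findings.append(f"redirect URI has a wildcard or fragment: {uri}")
    return findings


def redirect_uri_allowed(oauth_client, requested):
    """Exact string comparison, as RFC 6749 section 3.1.2.3 and the OAuth 2.0
    Security BCP require: a trailing slash, a different scheme or an added
    query parameter makes it a different URI."""
    return requested in oauth_client.get("redirect_uris", [])


# Constructed: the app right after creation, before the access-token half of
# Implicit (hybrid) has been switched off ...
WEAK_CLIENT = {
    "application_type": "web",
    "grant_types": ["authorization_code", "client_credentials", "implicit"],
    "response_types": ["code", "id_token", "token"],
    "redirect_uris": ["https://imis.example.org/signin-oidc"],  # placeholder URL
}
# ... and after the change: "token" removed, ID token via implicit retained.
HARDENED_CLIENT = {**WEAK_CLIENT, "response_types": ["code", "id_token"]}


if __name__ == "__main__":
    for label, client in (("weak", WEAK_CLIENT), ("hardened", HARDENED_CLIENT)):
        print(label, audit_oauth_client(client) or "OK")
```

Run it against the JSON returned by `GET /api/v1/apps/{appId}` after the final Save: the hardened client should produce no findings, and `redirect_uri_allowed` makes the exact-match rule for the sign-in redirect URL concrete.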

Adding users

Each staff user must have a first and last name in the external directory.

📘

Note

Review existing staff user accounts to ensure the first and last name fields are populated.

To add users to your directory, do the following:

  1. From the navigation, go to Directory > People.
  2. Click Add person.
  3. Enter the required information.
  4. Click Save, or Save and Add Another to continue adding users.

Adding groups

Groups allow you to differentiate between system administrators (SysAdmins), regular staff users, and public users. To add a group and assign users, do the following:

  1. From the navigation, go to Directory > Groups.
  2. Click Add Group.
  3. Enter a Name and optional Description, then click Save.
  4. Click the name link, then click Assign people.
  5. Add your staff users by clicking the plus (+) icon next to their name.
  6. Continue adding users, then click Done when you are finished.
🚧

IMPORTANT

Be sure to add separate groups for system administrators, regular staff users, and public users.

Adding claims

Claims let you add specific identifiers, such as an email address or the groups a user belongs to, to ID tokens and access tokens. The group claims configured here are what tell iMIS which role a signed-in user has.

🚧

IMPORTANT

Create a separate claim for each group you use with OIDC (the procedure below uses the SysAdmin group). Claims for the system administrator and staff groups are required; a claim for public users is optional but recommended as a best practice.

To add a claim for system administrators, do the following:

  1. From the developer portal, go to Security > API.
  2. Click the name link of your Authorization server.
  3. Go to the Claims tab.
  4. Click Add Claim.
  5. Enter a unique name.
  6. Select ID Token from the Include in token type drop-down.
  7. Select Groups from the Value type drop-down.
  8. From the Filter drop-down, select Equals, and enter SysAdmin. Equals matches the group name exactly, so it must be the name you gave the group in Adding groups.
  9. Click Create.
  10. Click Add Claim again and enter another unique name (steps 4 and 5).
  11. Select Access Token from the Include in token type drop-down.
  12. Repeat steps 7-9.

To add additional claims for staff and public users, repeat the previous steps, and filter on the corresponding group. Be sure to click Create when you finish configuring each claim. For more information regarding claims, see Add custom claims.

Assigning users to the application

Okta issues tokens only for users assigned to the application, so assign the groups (or individual users) you created:

  1. From your application, go to the Assignments tab.
  2. From the Assign drop-down, click Assign to Groups.
  3. Add your Staff users and SysAdmin groups. Alternatively, you can assign individual users using the People button.

Testing the token sent to iMIS

The Okta developer portal lets you preview the token that will be sent to iMIS, so you can confirm the roles are carried correctly before iMIS is configured. The preview is for one user at a time, so check a user from each group. For example, to preview the SysAdmin token, do the following:

  1. From the developer portal, go to Security > API.
  2. Click the name link of your Authorization server.
  3. Go to the Token Preview tab.
  4. Enter your OAuth/OIDC client name. This is the name of your application.
  5. Select Implicit (hybrid) from the Grant type drop-down.
  6. Enter a User.
  7. Select id_token from the Response type drop-down.
  8. From the Scopes field, enter the following:
    • openid
    • profile
    • email
  9. Click Preview Token.
  10. In the previewed payload, confirm that the claim you created is present and that its value is the array ["SysAdmin"], and that the given_name, family_name and email claims are populated.
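The following is an added example, not code from the iMIS or Okta documentation; it serves both the Adding claims procedure and the token preview above. It decodes a previewed token and runs the checks a practitioner would make by eye: the group claim is present with the expected array value, the name and email claims are populated, the token is unexpired and RS256-signed. It also reimplements the Groups filter from the Claims UI to show why Equals is used rather than Starts with. Assumptions: the claim name `imis_sysadmin`, the issuer and client id are placeholders, and the two tokens are constructed here with a placeholder signature. The decoder deliberately does not verify signatures, which is fine for inspecting Token Preview output but never for accepting a token; iMIS must validate the real token against the authorization server's JWKS.

```python
"""Inspect a previewed Okta token for the iMIS group claims (added example)."""
import base64
import json
import re
import time


def okta_group_filter(group_names, filter_type, pattern):
    """Reimplementation (for illustration) of the Groups value-type filter in the
    Claims UI: the filter is applied to each of the user's group names and the
    claim value is the list of names that match."""
    if filter_type == "Equals":
        keep = lambda g: g == pattern
    elif filter_type == "Starts with":
        keep = lambda g: g.startswith(pattern)
    elif filter_type == "Contains":
        keep = lambda g: pattern in g
    elif filter_type == "Matches regex":
        rx = re.compile(pattern)
        keep = lambda g: rx.search(g) is not None
    else:
        raise ValueError(f"unknown filter type: {filter_type!r}")
    return [g for g in group_names if keep(g)]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_imis_claims(token, claim_name, expected_group, now=None):
    """Diagnostics for one previewed token; returns {check_name: passed}."""
    header, payload = decode_jwt_unverified(token)
    now = time.time() if now is None else now
    return {
        "alg_is_rs256": header.get("alg") == "RS256",  # Okta signs tokens with RS256
        "not_expired": payload.get("exp", 0) > now,
        "claim_present": claim_name in payload,
        # Groups claims are arrays; a SysAdmin should carry exactly that one group.
        "claim_value_ok": payload.get(claim_name) == [expected_group],
        # The profile scope carries the first and last name iMIS requires.
        "name_present": bool(payload.get("given_name")) and bool(payload.get("family_name")),
        "email_present": bool(payload.get("email")),
    }


def failed_checks(findings):
    return [name for name, ok in findings.items() if not ok]


def make_demo_token(payload):
    """CONSTRUCTED token with a placeholder signature, only so the checks above
    have input to run on; a real Okta token must be signature-verified."""
    header = {"alg": "RS256", "kid": "demo-kid"}
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "placeholder-signature"])


# Constructed directory data and payloads (placeholder issuer, client id, claim name).
DEMO_ISSUER = "https://example.okta.com/oauth2/default"
DEMO_CLIENT_ID = "0oademo123"
CLAIM_NAME = "imis_sysadmin"
_BASE = {"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "iat": 1700000000, "exp": 1700003600}

SYSADMIN_GROUPS = ["Everyone", "Staff users", "SysAdmin"]
DEMO_SYSADMIN_ID_TOKEN = make_demo_token({
    **_BASE, "sub": "00udemo1", "given_name": "Ada", "family_name": "Lovelace",
    "email": "ada@example.org",
    CLAIM_NAME: okta_group_filter(SYSADMIN_GROUPS, "Equals", "SysAdmin"),
})
# Staff-only user: no group matches the SysAdmin filter, so the demo omits the claim.
DEMO_STAFF_ID_TOKEN = make_demo_token({
    **_BASE, "sub": "00udemo2", "given_name": "Grace", "family_name": "Hopper",
    "email": "grace@example.org",
})

if __name__ == "__main__":
    for label, tok in (("sysadmin", DEMO_SYSADMIN_ID_TOKEN), ("staff", DEMO_STAFF_ID_TOKEN)):
        print(label, failed_checks(check_imis_claims(tok, CLAIM_NAME, "SysAdmin")) or "OK")
```

Paste the token string from Preview Token into `check_imis_claims` with your own claim name to get the same report for a real preview. The filter demo matters for a common mistake: a group named `SysAdmin-Contractors` would be swept into the claim by a Starts with filter, while Equals keeps the SysAdmin role limited to the one group.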

Configuring iMIS for OIDC settings

After configuring Okta, review and follow Configuring and troubleshooting OIDC settings in iMIS.