Okta OpenID
Appcircle supports Okta as an OpenID Connect or SAML identity provider.
Only Enterprise accounts support SSO.
Enable SSO
SSO can only be enabled by the organization's administrator. To start, go to the My Organization screen and click the Enable Login button under the APPCIRCLE LOGIN section.
Configure Appcircle and Okta
- Select Setup an OpenID Provider.
- Pick an alias and display name for your organization. Choose a short, memorable alias; your users will type it at login.
- This screen auto-generates the Appcircle Redirect URL that you will need in the next step.
- Log in to your Okta account, navigate to Applications, and click "Create App Integration".
- Select "OIDC - OpenID Connect" as the Sign-in method and Web Application as the Application type.
- Open the application's settings and note the Client ID and Client Secret. Treat the Client Secret as a credential: it belongs only in the Appcircle SSO configuration.
- Add the Appcircle Redirect URL from the previous step to Sign-in redirect URIs. Enter it exactly as generated; Okta matches redirect URIs exactly and rejects the login on any mismatch.
- Instead of entering every OpenID setting by hand, you can download the configuration file from Okta and upload it.
Download your OpenID configuration file from one of the locations below:
https://customer_name_here.okta.com/.well-known/openid-configuration
https://customer_name_here.okta.com/oauth2/default/.well-known/openid-configuration?client_id=<your_client_id>
The first URL belongs to your Okta org authorization server, the second to the default custom authorization server. The two issue ID tokens with different issuer values and different claims, so use the one that matches where you later configure claims (see SSO Mapping).
- Go back to Appcircle and upload this JSON file using the button under Import OpenID configuration.
- Check every setting on this page and confirm that the Authorization and Token URLs were imported correctly and point at your own Okta host over https. Enter your Client ID and Client Secret, then adjust the remaining settings as shown below.
- The Group Claim Name and Role Claim Name fields are optional. Please refer to the SSO Mapping documentation.
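Before uploading, it is worth checking the downloaded file offline: the Authorization and Token URLs are where Appcircle sends your users and later posts your Client Secret, so they must be https and on your own Okta host. The script below is an added example, not Appcircle or Okta code. It validates a constructed discovery document (customer_name_here.okta.com and the endpoint paths are placeholders) and prints the imported fields so you can compare them with the Appcircle form.

```python
"""Sanity-check an Okta OpenID discovery document before uploading it to Appcircle.

Added example (not Appcircle or Okta code). The sample document and the
hostname customer_name_here.okta.com are constructed placeholders.
"""
import json
import sys
from urllib.parse import urlparse

# Constructed sample shaped like Okta's /.well-known/openid-configuration for
# the "default" custom authorization server. Not fetched from a real tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://customer_name_here.okta.com/oauth2/default",
    "authorization_endpoint": "https://customer_name_here.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://customer_name_here.okta.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://customer_name_here.okta.com/oauth2/default/v1/userinfo",
    "jwks_uri": "https://customer_name_here.okta.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# Fields the import needs; everything else is advisory.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def check_discovery(doc_text):
    """Validate a discovery document.

    Returns (ok, problems, fields): ok is True when nothing was found,
    problems is a list of human-readable findings, fields holds the REQUIRED
    values so they can be compared with what the Appcircle form shows.
    """
    problems = []
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc}"], {}
    if not isinstance(doc, dict):
        return False, ["top-level JSON value is not an object"], {}

    for key in REQUIRED:
        if not doc.get(key):
            problems.append(f"missing {key}")

    issuer = urlparse(doc.get("issuer") or "")
    if issuer.scheme != "https":
        problems.append("issuer is not an https URL")

    # Every endpoint must be https and live on the issuer's host: a token or
    # JWKS endpoint elsewhere would hand the authorization code, the client
    # secret or the trusted signing keys to a different party.
    for key in ENDPOINTS:
        url = doc.get(key)
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https")
        if parsed.netloc != issuer.netloc:
            problems.append(f"{key} host {parsed.netloc!r} differs from issuer host {issuer.netloc!r}")

    # A Web Application integration uses the authorization code flow and
    # receives an RS256-signed ID token.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")

    fields = {key: doc.get(key) for key in REQUIRED}
    return not problems, problems, fields


if __name__ == "__main__":
    # Usage: python check_okta_discovery.py okta-oidc.json  (no argument: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DISCOVERY
    ok, problems, fields = check_discovery(text)
    for key, value in fields.items():
        print(f"{key}: {value}")
    print("OK" if ok else "PROBLEMS:\n  " + "\n  ".join(problems))
    sys.exit(0 if ok else 1)
```

Fetch the real document with curl -s <discovery URL> > okta-oidc.json and run the script on that file; a non-zero exit means the file (or the Okta setup behind it) needs fixing before you import it.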
Testing SSO
- Once your Identity Provider is connected, open a new incognito window and test the SSO integration while your current session stays logged in.
- Click the Continue with SSO button.
- Enter the alias you picked.
- You should first see the confirmation screen below.
- After you confirm account linking, you will receive an email.
- Once you confirm that email, you can access your account through the SSO integration.
- After SSO is enabled, you can only log in to your account through the SSO link; your old credentials will no longer work.
Only log off from your existing session once you have confirmed that you can log in with SSO credentials; if the connection doesn't work, review your settings while you still have access.
SSO Mapping
This step is optional and can be skipped if you do not plan to use SSO Mapping.
- Navigate to the Directory section in the Okta Dashboard, click on Groups, and create the groups as needed.
- Assign users to groups.
- Navigate to the Applications section, click on the Applications tab, select your application from the list, and open the Sign On tab. Click Edit for OpenID Connect ID Token.
- Enter the Groups claim filter as shown in the image below. The filter decides which of the user's groups are emitted; a prefix filter (Starts with) that matches only the groups meant for Appcircle keeps unrelated group memberships out of the token.
- User roles are stored in a custom user attribute.
- Navigate to the Directory section, click on Profile Editor, and select User (default) from the profile list.
- Click on Add Attribute and add a new user attribute as shown in the image below.
- Navigate to the Directory section, click on Profile Editor, and select the Your Application Name User profile from the list.
- Add a matching user attribute as shown in the image below.
- Click on Mappings and map the user roles attribute to the application user's roles attribute as shown in the image below.
- You can now edit the roles attribute of individual users.
- Navigate to the Directory section, click on People, select a user from the list, and open the Profile tab. Click on Edit and update the user's role attribute, for example to 'Manager'.
- Navigate to the Security section, click on API, and select the Authorization Servers tab.
- Click on default, open the Claims tab, and add a new claim as shown in the image below (include it in the ID token and take its value from the user attribute created above). Claims defined on this server only appear in tokens it issues, so the discovery configuration uploaded to Appcircle must come from the same server, otherwise the claim never reaches Appcircle.
- Navigate to the Applications section, click on Applications tab. Click on Refresh Application Data.
- Return to Appcircle and enter groups as the Group Attribute Name and roles as the Role Attribute Name. These must match the claim names configured in Okta exactly.
- Now you can define group and role mappings. Please refer to this documentation for guidance.
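To confirm that the claims actually arrive in the ID token under the names entered in Appcircle, decode a token from your tenant and inspect it. The script below is an added example, not Appcircle or Okta code. It builds a constructed token (the issuer, client ID, user ID and claim values are placeholders) so it runs offline, decodes the payload without verifying the signature, checks the standard claims, and normalises the groups and roles claims the way a mapping step would consume them.

```python
"""Inspect the group and role claims in an Okta ID token the way Appcircle will see them.

Added example (not Appcircle or Okta code). The token is constructed locally
for offline testing; issuer, client ID, user ID and claim values are placeholders.
"""
import base64
import json

# Names entered in Appcircle as Group Attribute Name / Role Attribute Name.
# They must match the Okta claim names character for character.
GROUP_CLAIM = "groups"
ROLE_CLAIM = "roles"

EXPECTED_ISSUER = "https://customer_name_here.okta.com/oauth2/default"  # placeholder
EXPECTED_CLIENT_ID = "0oaexampleclientid"                               # placeholder


def _b64url_decode(segment):
    """base64url without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_constructed_token(claims):
    """Build a JWT-shaped string for tests. The signature segment is a dummy;
    Okta signs real tokens with RS256 using the key published at jwks_uri."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


def decode_payload(token):
    """Decode the claims segment WITHOUT verifying the signature.

    Diagnostic only, for a token you obtained from your own tenant: never make
    an authorization decision on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def check_standard_claims(claims, now, issuer=EXPECTED_ISSUER, client_id=EXPECTED_CLIENT_ID):
    """Return problems with iss/aud/exp/sub; an empty list means they look right."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r} (wrong authorization server?)")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append(f"aud {aud!r} does not contain client ID {client_id!r}")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp missing or in the past")
    if not claims.get("sub"):
        problems.append("sub missing")
    return problems


def extract_mapping_claims(claims, group_claim=GROUP_CLAIM, role_claim=ROLE_CLAIM):
    """Return (groups, roles, problems).

    The groups claim filter emits a list, while a claim built from a single
    string user attribute emits a string, so both shapes are normalised."""
    problems = []

    def as_list(name):
        value = claims.get(name)
        if value is None:
            problems.append(f"claim {name!r} absent from ID token; check the claim name and Okta claim config")
            return []
        if isinstance(value, str):
            return [value]
        if isinstance(value, list) and all(isinstance(v, str) for v in value):
            return list(value)
        problems.append(f"claim {name!r} has unexpected type {type(value).__name__}")
        return []

    return as_list(group_claim), as_list(role_claim), problems


# Constructed claims resembling what the steps above produce for one user.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_CLIENT_ID,
    "sub": "00uexampleuserid",
    "exp": 1_800_000_000,
    "email": "jane@example.com",
    "groups": ["Developers", "Release Managers"],  # from the groups claim filter
    "roles": "Manager",                             # from the custom user attribute
}

if __name__ == "__main__":
    token = make_constructed_token(SAMPLE_CLAIMS)
    claims = decode_payload(token)
    print("standard claim problems:", check_standard_claims(claims, now=1_700_000_000))
    print("groups, roles, problems:", extract_mapping_claims(claims))
```

For a real token from your tenant, pass it to decode_payload and compare the result with the names you entered in Appcircle. The script deliberately skips signature verification (Appcircle performs it against jwks_uri), so use it only to inspect claim names and shapes, never to trust their contents.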