SSO configuration with OAuth using OKTA

Okta is a secure identity cloud that links all your apps, logins and devices into a unified digital fabric. In this article, we will see how to set up SSO in DronaHQ using Okta as the OAuth identity provider.

Configuring Okta application

You need to have an active account on Okta. Navigate to the dashboard. From the left side menu, go to Applications > Applications.

Select Create App Integration and configure the app in the following way:

  • We will be using the Token based option as the sign-in method and Web Application as the application type, since DronaHQ is a web application. Select these and proceed.
  • Now give a suitable name to your application in the App Integration name field.
  • (optional) You can provide a logo for your app.
  • In the Grant type > Client acting on behalf of a user, select Refresh token.
  • For Sign-in redirect URIs, go back to Studio > Manage Users > Add OAuth and copy your OAuth redirect URL.

  • Navigate back to the Okta dashboard and paste the above URL in the Base URIs option.
  • In the Controlled access option, select the access option accordingly. For instance, if you want only a specific group of people to access the apps, use the “Limit access to selected group” option.

The final view of the configuration will look like the one given below.

  • Click on Save.
  • After the app gets created, you can see Client Credentials with the Client ID and Client Secret. Below this, you can see the Okta domain. These will be needed in the next stage, configuring Studio.

Adding OAuth in Studio

  • Go to Manage Users > SSO Configuration > + Add OAuth Option.
  • Provide a suitable name for the OAuth configuration.
  • Add a Restricted domain so that DronaHQ automatically redirects a sign-in request to the SSO URL whenever the user's email belongs to that domain.
  • Use the Client ID and Client Secret from the dashboard in the two input fields.
  • (optional) Add Scope based on the permissions you have given to your OAuth client. openid is the most commonly used scope. Scope helps to limit the access of apps to specific user groups. For instance, you can limit access to applications in the beta stage to people in your organisation with a Developer role only.

  • For Authorization Request, use the URL below and replace SAMPLE_DOMAIN with the Okta domain of your account.

https://SAMPLE_DOMAIN/oauth2/v1/authorize

  • For Access token request and Refresh token request, use the URL below in both inputs and replace SAMPLE_DOMAIN with the Okta domain of your app.

https://SAMPLE_DOMAIN/oauth2/v1/token
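To show what the two URLs above do, here is an added example of the authorization-code exchange between a web application and Okta. It is not DronaHQ's or Okta's code; the domain, client ID, client secret and redirect URI are constructed placeholders, and nothing here touches the network. It builds the Authorization Request, validates the redirect back to the Sign-in redirect URI (including the state check that ties the response to the login attempt that started it), and builds the Access token and Refresh token requests, which both go to the same token endpoint.

```python
"""Added example (not DronaHQ's or Okta's code): the Okta authorize and token
endpoints in an authorization-code flow. All identifiers are constructed
placeholders; no network request is made."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

OKTA_DOMAIN = "dev-000000.okta.com"      # constructed placeholder: your Okta domain
CLIENT_ID = "0oaEXAMPLECLIENTID"          # constructed placeholder
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"  # constructed placeholder, keep server-side
REDIRECT_URI = "https://studio.example.com/oauth/callback"  # constructed placeholder


def authorize_url(state: str, scopes=("openid", "profile", "email")) -> str:
    """Authorization Request: the browser is sent here, Okta authenticates the
    user and redirects back to REDIRECT_URI with a one-time code."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "state": state,  # opaque per-attempt value that must be echoed back
    }
    return f"https://{OKTA_DOMAIN}/oauth2/v1/authorize?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Handle the redirect to the Sign-in redirect URI. The response is only
    accepted if it landed on our registered URI, carries no error, and echoes
    the state issued for this login attempt; then the code is returned."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived on an unexpected redirect URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this attempt")
    return qs["code"][0]


def token_request(code: str) -> tuple[str, dict]:
    """Access token request: POSTed server-side to the token endpoint, because
    the body carries the client secret."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return f"https://{OKTA_DOMAIN}/oauth2/v1/token", body


def refresh_request(refresh_token: str) -> tuple[str, dict]:
    """Refresh token request: same endpoint, different grant type, which is
    why both Studio inputs take the same URL."""
    body = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return f"https://{OKTA_DOMAIN}/oauth2/v1/token", body


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(authorize_url(state))
    # Constructed callback, shaped like Okta's redirect after a successful login.
    callback = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}"
    url, body = token_request(parse_callback(callback, state))
    print(url, body["grant_type"])
```

The state value is generated fresh per login attempt and compared on return; a callback with a missing or different state is rejected rather than exchanged, which is the check a relying party needs regardless of which identity provider sits behind the two URLs.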

  • The Add Claim List option maps the information claimed from Okta. Since Okta is used for SSO, DronaHQ requires some attributes, such as name and email, which are mandatory fields that must be mapped. Additionally, you can also add User ID and Group name. Even without configuring this, you will notice that name and email are already mapped; this happens because of the scope specified earlier.

  • Finally, you can enable JIT user provisioning. This option creates a new user if a user from the restricted domain doesn't already exist.
  • Save the draft, then navigate back to the SSO configuration option. You can see the newly created OAuth entry.
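The following added example puts the Restricted domain, Add Claim List and JIT user provisioning settings side by side as code. It is not DronaHQ's code: the restricted domain, the claim names, the ID token and the user directory are all constructed for the example. The token is decoded only so that the claim mapping can be shown offline; a real ID token must have its signature, issuer, audience and expiry verified (with a JWT library against Okta's published keys) before any claim in it is trusted.

```python
"""Added example (not DronaHQ's code): restricted-domain routing, claim mapping
and JIT provisioning applied to a constructed ID token."""
import base64
import json

RESTRICTED_DOMAIN = "example.com"   # constructed placeholder

# The claim list as described: name and email are mandatory, the rest optional.
# Keys are the Studio attributes, values the claim names in the ID token.
CLAIM_MAP = {
    "name": "name",
    "email": "email",
    "user_id": "sub",
    "groups": "groups",
}


def uses_sso(login_email: str) -> bool:
    """Restricted domain check: a sign-in with an email in this domain is sent
    to the IdP instead of being asked for a password."""
    if "@" not in login_email:
        return False
    return login_email.rsplit("@", 1)[1].lower() == RESTRICTED_DOMAIN


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment of a JWT. Decoding only; verification of the
    signature and standard claims is assumed to have happened before this."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_claims(claims: dict) -> dict:
    """Apply the claim list. A mandatory attribute missing from the token is an
    error rather than a blank user record."""
    user = {}
    for attr, claim in CLAIM_MAP.items():
        if claim in claims:
            user[attr] = claims[claim]
        elif attr in ("name", "email"):
            raise ValueError(f"id_token lacks mandatory claim '{claim}'")
    return user


def jit_provision(directory: dict, user: dict) -> tuple[dict, bool]:
    """JIT user provisioning: on first SSO login, create the user if the email
    is in the restricted domain and not already present. Returns (record, created)."""
    email = user["email"].lower()
    if not uses_sso(email):
        raise PermissionError(f"{email} is outside the restricted domain")
    if email in directory:
        return directory[email], False
    directory[email] = dict(user, email=email)
    return directory[email], True


def _constructed_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature so the example
    runs offline. It is not a valid Okta token and would fail verification."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(b'{"alg":"RS256","kid":"constructed"}')
    return ".".join([header, enc(json.dumps(claims).encode()), "PLACEHOLDER_SIG"])


SAMPLE_TOKEN = _constructed_token({  # constructed claims, not from a real tenant
    "sub": "00uCONSTRUCTED",
    "name": "Ada Example",
    "email": "Ada@Example.com",
    "groups": ["Developers"],
})

if __name__ == "__main__":
    users = {}
    record, created = jit_provision(users, map_claims(id_token_claims(SAMPLE_TOKEN)))
    print(created, record)
```

Emails are normalised to lower case before the directory lookup so that a second login with different capitalisation matches the existing record instead of provisioning a duplicate.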

  • Click the Test SSO button; it opens the SSO login URL in a popup.

  • Once you log in successfully, and if everything is set up correctly, you will see a success message at the bottom.

  • Now that testing is successful, click the More option for the above SSO configuration and click Activate to make it live.

OAuth in action

Now we check whether the OAuth configuration is working.

Simply go to the DronaHQ web app login and fill in an email with the domain we configured earlier.

Instead of asking for a password, it asks to log in via IdP. Click on it, and a popup window of Okta opens where the user can log in with Okta credentials.

Go to the Manage Users section in Studio and you will see the new user created.