Okta (OIDC)

Prerequisites

Permissions required for registering and configuring an app in Okta

The Okta account must have permission to manage applications in Okta. Ideally the Okta account should be in the Super administrator role.

Implement Single Sign-On (SSO)

It is recommended to use two separate browser tabs for the Keycloak (K) and Okta (O) portals to make it easier to apply the settings.

  1. (K) Open a new tab in your browser and log in to the target Spark tenant. Access the Keycloak console from the User menu.

  2. (K) Log in to the Keycloak Admin Console using your admin credentials.

  3. (K) Expand the Add provider dropdown and choose OpenID Connect v1.0.

  4. (K) Fill in a value for the Alias field. The Alias should be a lowercase name without special symbols.

  5. (K) Enter any name in the Display Name field. Please note this Display Name will appear in the button on the Spark login page.

  6. (K) Copy the Redirect URI value.

  7. (O) In a second browser tab, sign in to Okta.

  8. (O) In the left pane, expand Applications and click on Applications.

  9. (O) Click Create App Integration.

  10. (O) For Sign-in method choose OIDC - OpenID Connect and for Application type choose Web Application. Click Next.

  11. (O) Enter a name in the App integration name field.

  12. (O) For Grant type select Authorization Code.

  13. (O) In the Sign-in redirect URIs field, paste the Redirect URI copied from Keycloak in step 6.

  14. (O) For Controlled access, select Allow everyone in your organization to access. Check Enable immediate access with Federation Broker Mode then click Save.

  15. (O) Copy the Client ID value.

  16. (K) Return to Keycloak. In the Client ID field, paste the value copied in the previous step.

  17. (O) Switch to Okta. Copy the Client Secret.

  18. (K) Return to Keycloak. In the Client Secret field, paste the value copied in the previous step.

  19. (O) Switch to Okta. Expand Security on the left pane and click on API.

  20. (O) Click on the name of your authorization server to bring up its settings page.

  21. (O) Copy the Metadata URI.

  22. (K) Return to Keycloak. In the Discovery endpoint field, paste the value copied in the previous step.

  23. (K) Click Add.

  24. (K) Expand Advanced.

  25. (K) For the Scopes field, enter openid email profile and click Save.

  26. (O) Okta Authorization Servers require an Access Policy that defines which clients (applications) can request tokens and under what conditions. If there is no default Access Policy that applies to all applications, you must create one for your Okta OIDC app so that it can receive tokens.

    1. (O) In the left pane, expand Security, then select API.

    2. (O) Navigate to the Authorization Servers tab and click on the name of your Authorization Server.

    3. (O) Open the Access Policies tab.

    4. (O) Click Add New Access Policy.

    5. (O) Provide a name and description. In the Assign to section, select The following clients, enter the first three letters of your Okta OIDC App, select your app, and click Create Policy.

    6. (O) Click Add Rule.

    7. (O) Enter a name and uncheck Client Credentials and Device Authorization. Leave other settings as default unless your organization requires different values, then click Create Rule.

  27. Navigate to your Spark tenant and sign in using the newly created provider. There will be a button on the Keycloak login page with the display name defined earlier.

Configure Okta groups to Spark user groups

It is recommended to use two separate browser tabs for the Keycloak (K) and Okta (O) portals to make it easier to apply the settings. In this guide, we will set up automatic assignment to the tenant-admin group.

  1. (O) In the first tab sign in to Okta.

  2. (O) Expand Directory and click on Groups.

  3. (O) Create a group and prefix it with spark (or any preferred prefix), for example spark-tenant-admin.

  4. (O) Add the test user to the group.

  5. (O) On the left pane, expand Security and click on API.

  6. (O) Make sure the Authorization Servers tab is selected and click on the name of the server.

  7. (O) Select Claims and then click Add Claim.

  8. (O) Provide the following values then click Create.

    Key                      Value
    Name                     groups
    Include in token type    ID token and Always
    Value Type               Groups
    Filter                   Matches regex and .*
    Include in               Any scopes

  9. (K) Open a new tab in your browser and log in to the target Spark tenant. Access the Keycloak console from the User menu.

  10. (K) Log in to the Keycloak Admin Console using your admin credentials.

  11. (K) Select Identity Providers from the left pane and then the identity provider you configured in the previous section.

  12. (K) Select the Mappers tab and then Add mapper.

  13. (K) Provide the following values.

    Key                   Value
    Name                  tenant-admin
    Sync mode override    force
    Mapper type           Advanced Claim to Group

  14. (K) Click Add Claims.

  15. (K) Provide the following values:

    Key       Value
    groups    tenant-admin

  16. (K) Leave Regex Claim Values as Off (which is the default).

  17. (K) Click Select Group, choose tenant-admin, then click Select.

  18. (K) Click Save.

  19. Sign in to Coherent Spark with your test account. Click on your initials and hover over the groups icon to confirm your membership in tenant-admin.

  20. We highly recommend creating at least a few additional app groups relevant for Private tenants:

    • Group for supervisor:pf user accounts. In Spark, supervisor:pf members can manage permissions across all folders.

    • Groups for "standard" user accounts, e.g. user:teamA, user:teamB. These groups can be assigned to the users in your organization not responsible for tenant administration. Creating multiple roles for "standard" user accounts can be useful to separate access between teams.
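To make the matching rules behind the Okta claim (steps 7 and 8) and the Keycloak mapper (steps 13 to 16) concrete, here is an added Python example. It is not code from the Coherent Spark documentation, from Okta or from Keycloak; it emulates the two pieces in plain Python: Okta's groups claim with a Matches regex filter, and Keycloak's Advanced Claim to Group mapper. The issuer, subject, e-mail and group names are constructed sample data, and treating Okta's filter as a full match on the group name is an assumption. The example shows that with Regex Claim Values off, the value entered under Claims must equal a group name exactly as Okta emits it in the ID token, what changes when Regex Claim Values is on, and how a narrower Okta filter (for example spark-.*) limits which groups leave Okta in the token at all.

```python
import re

# Constructed sample data, not taken from a real Okta or Keycloak tenant.
SAMPLE_USER_GROUPS = ["Everyone", "spark-tenant-admin", "spark-user:teamA"]


def okta_groups_claim(user_groups, filter_regex=r".*"):
    """Emulate Okta's 'groups' claim with the 'Matches regex' filter.

    Okta includes a group name in the claim when it matches the filter.
    The guide uses '.*', which includes every group the user belongs to,
    including Okta's built-in 'Everyone' group. Assumption: the filter
    is applied as a full match on the group name.
    """
    pattern = re.compile(filter_regex)
    return [g for g in user_groups if pattern.fullmatch(g)]


def claim_value_matches(claim_value, expected, regex):
    """Compare one mapper Claims entry against one claim in the token.

    The claim may be a scalar or a list (Okta's groups claim is a list);
    a list matches when any element matches. With Regex Claim Values off
    the comparison is an exact string comparison, so 'tenant-admin' does
    not match 'spark-tenant-admin'.
    """
    values = claim_value if isinstance(claim_value, list) else [claim_value]
    if regex:
        pattern = re.compile(expected)
        return any(isinstance(v, str) and pattern.fullmatch(v) for v in values)
    return any(v == expected for v in values)


def keycloak_mapped_groups(id_token_payload, mappers):
    """Emulate Keycloak's 'Advanced Claim to Group' identity provider mappers.

    Each mapper carries Claims (claim name -> expected value), the Regex
    Claim Values flag and the Keycloak group to grant. All configured
    claims must match for the group to be granted. Returns the Keycloak
    groups the brokered user would receive.
    """
    granted = []
    for mapper in mappers:
        all_match = all(
            name in id_token_payload
            and claim_value_matches(id_token_payload[name], expected, mapper["regex"])
            for name, expected in mapper["claims"].items()
        )
        if all_match:
            granted.append(mapper["group"])
    return granted


def demo():
    """Run the scenarios and return their results for inspection."""
    # Constructed ID token payload as Okta would build it from the claim above.
    payload = {
        "iss": "https://example.invalid/oauth2/default",  # placeholder issuer
        "sub": "00u-placeholder",                          # placeholder subject
        "email": "test.user@example.invalid",
        "groups": okta_groups_claim(SAMPLE_USER_GROUPS),
    }
    # Regex off: the Claims value must equal the group name in the token.
    exact_short = [{"claims": {"groups": "tenant-admin"}, "regex": False, "group": "tenant-admin"}]
    exact_full = [{"claims": {"groups": "spark-tenant-admin"}, "regex": False, "group": "tenant-admin"}]
    # Regex on: the Claims value is a pattern matched against each group name.
    with_regex = [{"claims": {"groups": r"spark-tenant-.*"}, "regex": True, "group": "tenant-admin"}]
    return {
        "claim_all_groups": payload["groups"],
        "claim_prefix_filter": okta_groups_claim(SAMPLE_USER_GROUPS, r"spark-.*"),
        "exact_short_name": keycloak_mapped_groups(payload, exact_short),
        "exact_full_name": keycloak_mapped_groups(payload, exact_full),
        "regex_pattern": keycloak_mapped_groups(payload, with_regex),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A practical check after step 19 is to compare the group names in the ID token Okta issues for the test user with the value entered under Claims; when they differ and Regex Claim Values is off, the mapper assigns nothing, which is exactly the empty result the exact_short_name scenario produces.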

Create a bookmark application for Coherent Spark

See Okta My Apps Dashboard.
