CommonAdministrationConfigure Platform Authentication via Okta
Configure Platform Authentication via Okta

Configure Platform Authentication via Okta

This guide explains how to configure Okta so that Flowgear can authenticate users via the Okta OpenID Connect integration.

Prerequisites

  • Administrator access to the Okta tenant that will host the application.
  • The base domain that Flowgear uses for your tenant (e.g. https://acme.flowgear.net).

Instructions

1. Configure (or Confirm) the Authorization Server

If you do not have the paid Okta product API Access Management, then you must use org as the Authorization Server.

This can be confirmed in the Okta Console:

  1. On the left panel, click Security then at the bottom, click API.
  2. On the screen that opens, if you do not see the Authorization Server tab, then you must use org.

If you do have the Authorization Server tab

Flowgear targets the Okta default custom authorization server (/oauth2/default), unless you explicitly configure a different server. If you prefer to use a different custom authorization server:

  • Ensure the default authorization server exists. If you plan to use a different/custom server, create it here and record its Name (the identifier that appears in the URL).
  • Ensure the chosen authorization server exposes the openid, profile and email scopes, and that the default policy grants those scopes to the application you will create in the next step.

2. Create the Okta OIDC Application

  1. In the Okta Admin Console, go to ApplicationsApplications, and choose Create App Integration.
  2. Select OIDC - OpenID Connect and Web Application, then click Next.
  3. Provide an application name (e.g. Flowgear).
  4. Under Sign-in redirect URIs, add the Flowgear callback URI: https://app.flowgear.net.
  5. Under Sign-out redirect URIs, add the Flowgear logout URI, which is the same as the Sign-in redirects: https://app.flowgear.net.
  6. Ensure that Client authentication is set to Client Secret.
  7. Under General SettingsGrant type, check Client Credentials and Authorization Code.
  8. Under Assignments, choose whether the application is limited to specific users/groups or available to everyone.
  9. Click Save.

After saving, open the application and copy the following values from the General tab:

  • Client ID
  • Client Secret

We will also need the:

  • Okta domain (visible at the top right of the Okta console; format https://your-domain.okta.com or https://your-domain.okta-emea.com), e.g. https://integrator-7635248.okta.com.
  • Authorization Server ID: This is the specific Authorization Server within your Okta setup to use obtained in Step 1.

These details will be sent to Flowgear Support to be added to your Tenant.

3. Setup the Access Policy with its Rules (Only for default or custom Authorization Servers)

Following on from the Authorization Server is the Access Policy with it's Rules

  1. Once you have created/selected an Authorization Server, click on the name to open it.
  2. Navigate to the Access Policies tab.
  3. Click Add New Access Policy, fill in the Name and Description, and assign it to the selected clients.
  4. Now, click Add rule.
  5. Fill in the Rule Name. Then, adjust the rule options as needed.
  6. Click Create rule.

For assistance with this process, see Okta's Access Policy Configuration Guide.

4. Add a User

  1. In the Okta Admin Console, go to DirectoryPeople and choose Add person.
  2. Fill in the relevant information and click Save.
  3. Click on the new user's name to open their profile.
  4. Click Assign Applications and choose Assign on your application. This gives the user access to the application.

5. Assign Users or Groups to the Application

  1. In the application details page, select the Assignments tab.
  2. Click AssignAssign to People (or Assign to Groups), and add every Flowgear user that should authenticate via Okta.
  3. Confirm the assignments. Users who are not assigned will receive "You are not allowed to access this app" when attempting to sign in.

6. Update the Flowgear Configuration

Provide the following details to Flowgear Support:

Detail Description
Domain The Okta domain from step 2.
AuthorizationServerId Obtained in step 1.
ClientId The client ID created in step 2.
ClientSecret The secret created in step 2.

Please Note

The cluster will need to be restarted once these details have been applied.

Troubleshooting

If the sign-in fails, there is a more detailed error note in the response that is only visible in the network response to "answer" (In the network tab of the dev tools).
For example, it will show: idx.error.code.no_matching_policy in the Json response under the error object.