Okta User Management

Feature

Integrating OAuth2 Authentication with Germain Using Okta

Configuration in Okta

  1. Sign in to your Okta organization as an administrator.

  2. In the Admin Console, go to Applications > Applications.

  3. Select the OpenID Connect (OIDC) or OAuth 2.0 app that needs grants added.

  4. Under the General Tab, navigate to the Login section.

  5. Modify Sign-in redirect URIs according to the template:
    https://<host>:<port>/login/oauth2/code/<client_id>

    • Example: http://localhost:8080/login/oauth2/code/0oa7asda8tu9esOGL5d7

    • Note: You can find the Client ID in the Client Credentials section on the same tab.

      (Figure: Sign-in redirect URIs for OpenID - Germain UX)
  6. Make a note of the Client ID and Client Secret from the Client Credentials section. These values are needed for configuring the Germain Authentication Provider.

    (Figure: Client ID, Client Secret and Credentials for OpenID - Germain UX)
  7. Under the Sign On tab, go to the OpenID Connect ID Token section and update the Groups claim filter as follows. This allows Germain to extract group information from Okta and map it to the Roles configured in Germain.

    (Figure: Group Claim Filter for OpenID - Germain UX)
    • Map Okta user groups from Group Claims Filter:

      • Group claim type: Filter

      • Group claim filter: groups Matches regex .*

    • Map Active Directory user groups from Group Claims Filter:

      • Group claim type: Expression

      • Group claim filter: groups Groups.startsWith("active_directory", "Group_Name", 100)

        (Figure: Group Claim Type and Expression - Germain UX)

Configuration in Germain

  1. Sign in to your Germain application as an administrator.

  2. Go to System > System Settings > Root Config (Advanced).

  3. Navigate to monitoringConfig > systemConfig > authentication. In AuthenticationConfig, set the following:

    • defaultRedirectPath: workspace URL (e.g., http://localhost:8080/germainapm/workspace/app)

  4. Go to System > Auth Settings > Authentication.

  5. Click the Plus button to add a new Authentication Provider.

  6. Select OAuth Provider and click next.

    (Figure: Select OAuth provider - Germain UX)
  7. Configure the provider settings:

    • Provider Name: Name for your Auth Provider

    • Client ID: <Client ID Copied from Okta>

    • Client Secret: <Client Secret Copied from Okta> (leave empty only for a public OAuth client, which is not recommended; when the Client Secret is empty, PKCE is used by default)

    • Authorization Grant Type: authorization_code

    • Redirect URI Template: {baseUrl}/login/oauth2/code/{registrationId}

    • Authorization URI: https://<yourOktaDomain>/oauth2/v1/authorize

    • Token URI: https://<yourOktaDomain>/oauth2/v1/token

    • User Info URI: https://<yourOktaDomain>/oauth2/v1/userinfo

    • JWK Set URI: https://<yourOktaDomain>/oauth2/v1/keys

    • User Name Attribute: email

    • JWS Algorithm: (leave blank)

    • Role List Path: userInfo.claims.groups

    • Scope values: openid, profile, email, groups

    • Use PKCE: enable this to force using PKCE

  8. Click Finish.

  9. Restart the Tomcat services to apply the changes.

  10. If you have issues logging in with your OAuth provider after restarting, enable DEBUG logging in the REST service for the package com.germainsoftware.apm.auth.security. This adds detail to the REST service log file whenever a login attempt is made and helps troubleshoot configuration issues.
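A small pre-flight script for the configuration above, added here as an example and not part of Germain or Okta: it renders the Redirect URI Template and checks it against the Okta sign-in redirect URIs with an exact match, resolves the Role List Path userInfo.claims.groups in a constructed user-info payload, applies both groups claim filters (the .* regex and a simulated Groups.startsWith expression), and maps groups to roles. All sample values, the role map and the (source, name) group model are assumptions.

```python
import re
# Redirect URI template from the Germain provider settings; Okta must list the rendered value verbatim.
REDIRECT_TEMPLATE = "{baseUrl}/login/oauth2/code/{registrationId}"

def render_redirect_uri(base_url, client_id):
    """Fill the template; Germain's registrationId is the Okta Client ID."""
    return REDIRECT_TEMPLATE.format(baseUrl=base_url.rstrip("/"), registrationId=client_id)

def redirect_uri_registered(rendered, okta_redirect_uris):
    """Okta compares sign-in redirect URIs exactly: scheme, host, port and path must all agree."""
    return rendered in okta_redirect_uris

def groups_by_filter(group_names, regex):
    """Claim type 'Filter' with 'Matches regex': keep names the whole pattern matches."""
    return [g for g in group_names if re.fullmatch(regex, g)]

def groups_starts_with(groups, source, prefix, limit):
    """Simulates Groups.startsWith(source, prefix, limit); groups are (source, name) pairs here."""
    return [n for s, n in groups if s == source and n.startswith(prefix)][:limit]

def resolve_path(doc, dotted):
    """Walk a dotted path such as userInfo.claims.groups through the decoded user-info payload."""
    node = doc
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def map_roles(group_names, role_map):
    """Groups with no mapping grant no role, so an unexpected group never elevates access."""
    return sorted({role_map[g] for g in group_names if g in role_map})

# Constructed sample data (hypothetical; not captured from a real Okta tenant or Germain install).
SAMPLE_CLIENT_ID = "0oa7asda8tu9esOGL5d7"   # the Client ID shown in the page's example URI
SAMPLE_OKTA_REDIRECTS = ["http://localhost:8080/login/oauth2/code/" + SAMPLE_CLIENT_ID]
SAMPLE_USERINFO = {"userInfo": {"claims": {"groups": ["Germain_Admins", "Everyone"]}}}
SAMPLE_ROLE_MAP = {"Germain_Admins": "ADMIN", "Germain_Viewers": "VIEWER"}   # placeholder role names
SAMPLE_AD_GROUPS = [("active_directory", "Group_Name_Ops"), ("okta", "Group_Name_X"), ("active_directory", "Other")]

def preflight(base_url):
    """Checks worth running before restarting Tomcat: redirect match, role mapping, AD group expression."""
    rendered = render_redirect_uri(base_url, SAMPLE_CLIENT_ID)
    groups = resolve_path(SAMPLE_USERINFO, "userInfo.claims.groups") or []
    return {
        "redirect_ok": redirect_uri_registered(rendered, SAMPLE_OKTA_REDIRECTS),
        "roles": map_roles(groups_by_filter(groups, ".*"), SAMPLE_ROLE_MAP),
        "ad_groups": groups_starts_with(SAMPLE_AD_GROUPS, "active_directory", "Group_Name", 100),
    }
```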

Once completed, the login page should display the "Login with Okta" OAuth provider option.

(Figure: Login with Okta - Germain UX)


Service: Authentication

Feature Availability: 8.6.0 or later