How to integrate OAuth2 Authentication with Germain using Okta.


In Okta

  1. Sign in to your Okta organization with your administrator account.

  2. In the Admin Console, go to Applications > Applications.

  3. Select the OpenID Connect (OIDC) or OAuth 2.0 app that needs grants added.

  4. Under General Tab, go to Login section.

  5. Modify Sign-in redirect URIs according to the template below:

    ex: http://localhost:8080/login/oauth2/code/0oa7asda8tu9esOGL5d7
    Note: The Client ID can be found in the Client Credentials section on the same tab.

  6. Make a note of the Client ID and Client Secret from the Client Credentials section. These two values are needed when configuring the Germain Authentication Provider.

  7. Under the Sign On tab, go to the OpenID Connect ID Token section and update the Groups claim filter as below. This allows Germain to extract group information from Okta and map these groups to Roles configured in Germain. To create Roles in Germain, see here.

In Germain

  1. Sign in to your Germain application with your administrator account.

  2. Go to System > System Settings > Root Config (Advanced)

  3. Go to monitoringConfig > systemConfig > authentication. In AuthenticationConfig, set the following:

    1. defaultRedirectPath: workspace URL (ex: http://localhost:8080/germainapm/workspace/app)

    2. oauthAuthentication: true

  4. Go to System > Auth Settings > Authentication

  5. Click on the Plus button to add a new Authentication Provider

  6. Select OAuth Provider and click next

  7. Set the provider settings below

    1. Provider Name: Name for your Auth Provider

    2. Client ID: <Client ID Copied from Okta>

    3. Client Secret: <Client Secret Copied from Okta>

    4. Authorization Grant Type: authorization_code

    5. Redirect URI Template: {baseUrl}/login/oauth2/code/{registrationId}

    6. Authorization URI: https://<yourOktaDomain>/oauth2/v1/authorize

    7. Token URI: https://<yourOktaDomain>/oauth2/v1/token

    8. User Info URI: https://<yourOktaDomain>/oauth2/v1/userinfo

    9. JWK Set URI: https://<yourOktaDomain>/oauth2/v1/keys

    10. User Name Attribute: email

    11. JWS Algorithm:

    12. Role List Path: userInfo.claims.groups

    13. Scope values:

      1. openid

      2. profile

      3. email

      4. groups

  8. Click Finish.

  9. Restart the Tomcat service for the changes to take effect.

  10. Once done, the login page should display a "Login with Okta" OAuth provider option.
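The following is an added example in Python, not Germain's or Okta's own code. It models the checks behind the settings above: expanding the Redirect URI Template exactly as it must be registered in Okta (the page's example uses the Okta Client ID as the registrationId, which is assumed here), resolving the Role List Path userInfo.claims.groups against a constructed userInfo response, and confirming the groups scope is requested. The user record, group names and role mapping are constructed sample values.

```python
from typing import Any

# Values from the Germain provider settings; the template is the one on this page.
REDIRECT_URI_TEMPLATE = "{baseUrl}/login/oauth2/code/{registrationId}"
REQUIRED_SCOPES = {"openid", "profile", "email", "groups"}

# Constructed sample: the nested shape Germain reads with Role List Path.
SAMPLE_USER = {
    "userInfo": {"claims": {"sub": "00uCONSTRUCTED", "email": "alice@example.com",
                            "groups": ["Everyone", "germain-admins"]}}
}
# Constructed sample: Okta group name -> Germain role name.
SAMPLE_GROUP_ROLE_MAP = {"germain-admins": "Administrator"}


def expand_redirect_uri(base_url: str, registration_id: str) -> str:
    """Expand the Redirect URI Template for one provider registration."""
    return REDIRECT_URI_TEMPLATE.format(baseUrl=base_url.rstrip("/"),
                                        registrationId=registration_id)


def redirect_uri_registered(expanded: str, okta_sign_in_redirect_uris: list[str]) -> bool:
    """Okta compares sign-in redirect URIs verbatim (scheme, host, port, path),
    so the expanded value must appear exactly in the app's list."""
    return expanded in okta_sign_in_redirect_uris


def resolve_path(obj: Any, dotted_path: str) -> Any:
    """Walk a dotted path such as 'userInfo.claims.groups' through nested dicts.
    Returns None as soon as a segment is missing instead of raising."""
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def groups_to_roles(user: dict, role_list_path: str, group_role_map: dict[str, str]) -> list[str]:
    """Map the Okta groups found at role_list_path onto Germain roles.
    Groups with no mapping (e.g. Okta's default 'Everyone') grant nothing."""
    groups = resolve_path(user, role_list_path) or []
    return sorted({group_role_map[g] for g in groups if g in group_role_map})


def missing_scopes(configured: list[str]) -> set[str]:
    """Scopes the provider must request; without 'groups' Okta omits the groups claim."""
    return REQUIRED_SCOPES - set(configured)
```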