Okta User Management

Feature

How to integrate OAuth2 Authentication with Germain using Okta.

Configure

In Okta

1. Sign in to your Okta organization with your administrator account.

2. In the Admin Console, go to Applications > Applications.

3. Select the OpenID Connect (OIDC) or OAuth 2.0 app that needs grants added.

4. Under General Tab, go to Login section.

5. Modify Sign-in redirect URIs according to the below template
   https://<host>:<port>/login/oauth2/code/<client_id>
   
   

   

   
   ex: http://localhost:8080/login/oauth2/code/0oa7asda8tu9esOGL5d7
   Note: Client id can be found in the Client Credentials section on the same tab.
   

6. Make a note of the Client ID, Client Secret from the Client Credentials section. We need these two values when we configure the Germain Authentication Provider.

7. Under the Sign On tab, go to the OpenID Connect ID Token section and update the Groups claim filter as below. This will allow Germain to extract Group information from Okta and map these to Roles configured in Germain. To create Roles in Germain, see here.

i) Map Okta user groups from Group Claims Filter

To map Okta Groups from the user groups filter we can use the below setting.

Group claim type : Filter
Group claim filter : groups   Matches regex.*

ii) Map Active Directory user groups from Group Claims Filter

To map Active Directory Groups from the user groups filter we can use the below setting.

Group claim type : Expression
Group claim filter : groups   Groups.startsWith("active_directory", “Group_Name”, 100)

In Germain

1. Sign in to your Germain application with your administrator account.

2. Go to System > System Settings > Root Config (Advanced)

3. Go to monitoringConfig > systemConfig > authentication
   In AuthenticationConfig we need to set the following:

   1. defaultRedirectPath: workspace URL ( ex: http://localhost:8080/germainapm/workspace/app )

   2. oauthAuthentication: true
      

      

4. Go to System > Auth Settings > Authentication

5. Click on the Plus button to add a new Authentication Provider

6. Select OAuth Provider and click next
   

   

7. Set the provider settings below

   1. Provider Name: Name for your Auth Provider

   2. Client ID: <Client ID Copied from Okta>

   3. Client Secret: <Client Secret Copied from Okta>

   4. Authorization Grant Type:authorization_code

   5. Redirect URI Template:{baseUrl}/login/oauth2/code/{registrationId}

   6. Authorization URI: https://<yourOktaDomain>/oauth2/v1/authorize

   7. Token URI: https://<yourOktaDomain>/oauth2/v1/token

   8. User Info URI:https://<yourOktaDomain>/oauth2/v1/userinfo

   9. JWK Set URI:https://<yourOktaDomain>/oauth2/v1/keys

   10. User Name Attribute:email

   11. JWS Algorithm:

   12. Role List Path: userInfo.claims.groups

   13. Scope values:

       1. openid

       2. profile

       3. email

       4. groups
          

          

          

          
          

8. Click Finish.

9. Restart the tomcat services to make the changes effective.

10. Once done, login page should display Login with Okta oauth provider option.

Service: Authentication

Feature Availability: 8.6.0 or later