Universal Policy Administrator Documentation
Configuring OIDC Authentication with OKTA
- Install the UPA Gatekeeper/Gateway.
- Create and configure an OKTA Application for UPA
- In the OKTA console, click “Create App Integration”
- Select Sign-in Method: OIDC – Open ID Connect
- Select Application Type: Web Application
- Specify an application name
- Select grant types “Authorization Code”, “Refresh Token” and “Implicit (hybrid)”. Note that the implicit grant returns tokens through the browser and is discouraged by current OAuth 2.0 security guidance; enable it only on this application, and do not reuse the application for anything else.
- Set Sign-in redirect URI: https://<gatekeeper>/Portal/SSO/OIDC
- Set Sign-out redirect URI: https://<gatekeeper>/Portal/SSO/Logout
- Set user/group assignments as desired.
- Configure UPA to use OIDC authentication.
- You will need the Client ID from the OKTA Application properties.
- In the UPA owner portal, SSO page, click “Add OIDC Provider”, and configure the following settings:
- Provider Name: Specify a name for this identity provider.
- Tenancy ID: Must be 1.
- Is Default: Set to checked.
- Provisioning Mode: Automatic Provisioning
- Config URL: https://${yourOktaDomain}/.well-known/openid-configuration (see https://developer.okta.com/docs/reference/api/oidc/#well-known-openidconfiguration)
- Client ID: The Application (client) ID
- Configure Claims Mapping: Click “Configure Claims Mapping” and set the following values:
- Match login claims to users using this property: EmailAddress
- Unique ID: email
- Username: email
- Email Address: email
- Click Save Changes.
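Before saving, it is worth confirming that the Config URL actually points at an authorization server that advertises what the settings above rely on (issuer matching the URL, the three grant types, the hybrid response type, the openid/email/profile scopes and the email claim used for matching). The following pre-flight check is an added example for this page, not UPA or Okta code; OKTA_DISCOVERY_SAMPLE is a constructed excerpt shaped like Okta's org authorization server metadata, and example.okta.com is a placeholder domain. The matching_identity function is an added safeguard (refusing to match a user on an unverified email claim); the page does not state that UPA performs this check.

```python
"""Pre-flight check of the Okta OIDC discovery document against the settings
this page configures (Config URL, grant types, scopes, claims mapping).
Added example; not UPA or Okta code. OKTA_DISCOVERY_SAMPLE is a constructed
excerpt shaped like Okta's org authorization server metadata."""
import json
from urllib import request

OKTA_DISCOVERY_SAMPLE = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "end_session_endpoint": "https://example.okta.com/oauth2/v1/logout",
    "response_types_supported": ["code", "id_token", "code id_token",
                                 "code token", "id_token token",
                                 "code id_token token"],
    "grant_types_supported": ["authorization_code", "implicit",
                              "refresh_token", "password"],
    "scopes_supported": ["openid", "email", "profile", "address", "phone",
                         "offline_access", "groups"],
    "claims_supported": ["iss", "sub", "aud", "iat", "exp", "nonce", "name",
                         "preferred_username", "email", "email_verified"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                      "end_session_endpoint")   # sign-out redirect needs the last
REQUIRED_GRANTS = {"authorization_code", "refresh_token", "implicit"}
REQUIRED_RESPONSE_TYPES = {"code", "code id_token"}      # code + hybrid
REQUIRED_SCOPES = {"openid", "email", "profile"}
MAPPED_CLAIMS = {"email", "name"}   # what the UPA claims/attribute mappings read


def check_discovery(doc, config_url):
    """Return a list of problems; an empty list means the document fits."""
    problems = []
    # OIDC Discovery requires issuer == Config URL minus the well-known suffix;
    # a mismatch means tokens will fail issuer validation, or you are pointed
    # at a different authorization server than you think.
    if not config_url.endswith(WELL_KNOWN):
        problems.append("Config URL does not end with " + WELL_KNOWN)
    elif doc.get("issuer") != config_url[: -len(WELL_KNOWN)]:
        problems.append(f"issuer {doc.get('issuer')!r} does not match Config URL")
    for ep in REQUIRED_ENDPOINTS:
        if not str(doc.get(ep, "")).startswith("https://"):
            problems.append(f"{ep} missing or not https")
    for key, required in (("grant_types_supported", REQUIRED_GRANTS),
                          ("response_types_supported", REQUIRED_RESPONSE_TYPES),
                          ("scopes_supported", REQUIRED_SCOPES)):
        missing = required - set(doc.get(key, []))
        if missing:
            problems.append(f"{key} lacks {sorted(missing)}")
    # claims_supported is optional metadata; only check it when advertised
    if "claims_supported" in doc:
        missing = MAPPED_CLAIMS - set(doc["claims_supported"])
        if missing:
            problems.append(f"claims_supported lacks {sorted(missing)}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")
    return problems


def matching_identity(id_token_claims):
    """Identity the 'match login claims by EmailAddress' rule would use.
    Added safeguard: refuse to match on an unverified email so a mistyped or
    attacker-chosen address cannot be linked to an existing account."""
    email = id_token_claims.get("email")
    if not email or id_token_claims.get("email_verified") is not True:
        raise ValueError("email claim missing or not verified; cannot match user")
    return email.lower()


def check_okta_domain(okta_domain, timeout=10):
    """Fetch and check the live document (network required)."""
    config_url = f"https://{okta_domain}{WELL_KNOWN}"
    with request.urlopen(config_url, timeout=timeout) as resp:
        return check_discovery(json.load(resp), config_url)


if __name__ == "__main__":
    url = "https://example.okta.com" + WELL_KNOWN
    print(check_discovery(OKTA_DISCOVERY_SAMPLE, url) or "discovery document OK")
```

Run check_okta_domain("yourdomain.okta.com") against the real tenant; any non-empty result is a reason to stop and fix the Okta application before testing sign-in. If you later switch the Config URL to a custom authorization server (the /oauth2/<id>/ form), the issuer check still applies, since the issuer in that document must equal that longer URL prefix.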
- Automatic Provisioning:
- Configure SCIM provisioning
- OKTA does not currently support SCIM provisioning for OIDC applications. In order to use OKTA provisioning, you must create a SAML Application in OKTA.
- Create an additional Application in OKTA. Choose SAML 2.0.
- Specify a name for the application. Specify the gatekeeper URL in the required URL fields (these values are not used, because this application is used only for provisioning, not authentication). Check “Enable SCIM provisioning” and “Do not display application icon to users”.
- In the Provisioning/Integration tab, set the following values:
- SCIM Connector Base URL: https://<gatekeeper>/api/scim
- Unique Identifier field for Users: username
- Push New Users
- Push Profile Updates
- Push Groups
- Authentication Mode: HTTP Header
- Token: <the SCIM token from UPA>. This token is the only credential authenticating Okta to the SCIM endpoint, so treat it like a password.
- Under Provisioning/To App/Attribute Mappings, remove the following mappings:
- Manager Value
- Employee Number
- Cost Center
- Organization
- Division
- Department
- Manager Display Name
- Click “Save Changes”.
- Click “Force Sync”
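Before clicking Force Sync against a production gatekeeper, it helps to see exactly what the connector settings above produce on the wire and what a correctly behaving SCIM endpoint does with a bad token. The following is an added example, not UPA or Okta code: a throwaway SCIM 2.0 stub that checks the HTTP Header bearer token with a constant-time compare before processing anything, plus a push shaped like Okta's “Push New Users” request. The payload shape in okta_style_user is an assumption about what remains once the enterprise mappings listed above are removed; the real UPA /api/scim endpoint is not reproduced here.

```python
"""Exercise the SCIM connector settings (base URL path, HTTP Header token)
before Force Sync: a throwaway SCIM 2.0 stub that checks the bearer token the
way a service provider should, and a push shaped like Okta's 'Push New Users'
request. Added example; the UPA gatekeeper's real SCIM endpoint is not
reproduced and the payload shape is an assumption."""
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
BASE_PATH = "/api/scim"   # path part of the SCIM connector base URL


def make_handler(expected_token, store):
    class Handler(BaseHTTPRequestHandler):
        def _authorized(self):
            # Okta "HTTP Header" mode sends:  Authorization: Bearer <token>
            scheme, _, presented = self.headers.get("Authorization", "").partition(" ")
            return scheme == "Bearer" and hmac.compare_digest(
                presented.encode(), expected_token.encode())

        def _reply(self, status, body):
            data = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/scim+json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_POST(self):
            # Drain the (bounded) body so the connection closes cleanly, but do
            # not parse it until the token has been checked.
            raw = self.rfile.read(min(int(self.headers.get("Content-Length", 0)), 1 << 20))
            if not self._authorized():
                self._reply(401, {"schemas": [SCIM_ERROR], "status": "401"})
                return
            if self.path != BASE_PATH + "/Users":
                self._reply(404, {"schemas": [SCIM_ERROR], "status": "404"})
                return
            user = json.loads(raw)
            if not user.get("userName"):         # the unique identifier field
                self._reply(400, {"schemas": [SCIM_ERROR], "status": "400",
                                  "scimType": "invalidValue"})
                return
            store[user["userName"]] = user
            self._reply(201, {"schemas": [SCIM_USER], "id": user["userName"],
                              "userName": user["userName"]})

        def log_message(self, *args):  # silence request logging
            pass
    return Handler


def start_stub(token):
    """Start the stub on an ephemeral loopback port; returns (server, port, store)."""
    store = {}
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(token, store))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1], store


def okta_style_user(email, display_name):
    """Constructed payload: core User schema only, which is what remains once
    the enterprise mappings (manager, employeeNumber, costCenter, ...) are gone."""
    return {"schemas": [SCIM_USER], "userName": email, "displayName": display_name,
            "emails": [{"value": email, "primary": True, "type": "work"}],
            "active": True}


def has_enterprise_attributes(user):
    """True if a pushed user still carries the enterprise extension block."""
    return ENTERPRISE in user.get("schemas", []) or ENTERPRISE in user


def scim_push(base_url, token, user):
    """POST the user the way the IdP would; returns (status, response body)."""
    req = request.Request(base_url.rstrip("/") + "/Users",
                          data=json.dumps(user).encode(), method="POST",
                          headers={"Authorization": "Bearer " + token,
                                   "Content-Type": "application/scim+json"})
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


if __name__ == "__main__":
    server, port, store = start_stub("replace-with-the-upa-scim-token")
    base = f"http://127.0.0.1:{port}{BASE_PATH}"
    alice = okta_style_user("alice@example.com", "Alice Example")
    print(scim_push(base, "replace-with-the-upa-scim-token", alice))   # 201
    print(scim_push(base, "wrong-token", alice))                       # 401
    server.shutdown()
```

Two things to carry over to the real deployment: the endpoint must reject a missing or wrong token before it parses or stores anything (a 401 from the stub above never touches the user store), and a push that still contains the enterprise extension schema means one of the attribute mappings listed above was not removed.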
- Alternatively, instead of Automatic Provisioning, you can use Just-In-Time (JIT) provisioning:
- In the OKTA console, in Directory/Profile Editor, create a custom attribute “UPARole” (the name of the attribute doesn’t matter).
- Add a mapping for the custom property to the Application profile for the application.
- Populate the UPARole for each user with the name of a role assignment in UPA.
NOTE: When the user attempts to log in to the UPA console, a SCIM user will be created for them, if one doesn’t already exist. If the SCIM user has not been assigned to any roles, it will be assigned to the role specified in the UPARole property.
- In the UPA owner portal, set the provider’s ProvisioningMode to “JustInTime”.
- For additional properties enter: scope “openid email profile”
- Add the following Attribute Mappings:
- DisplayName=“name”
- Email=“email”
- UserName=“email”
- RoleAssignment=“UPARole”
- Assign UPA Global Administrator role
- Wait for the initial provisioning cycle to complete. Once the provisioning cycle has completed, go to the UPA owner portal, SSO page, and select the “List Users” button for the OIDC provider.
- Confirm that the users/groups have been imported correctly, then select the user who should receive Global Administrator permissions and click “Set User as Global Admin”.
