Okta OpenID

The following guide is to help the deployment of an Okta OpenID configuration as the authentication provider for Pyramid. Okta is not that different to generic OpenID, but there are some key aspects that are unique.

Note: This feature is available with Enterprise licensing only.

Okta OpenID Setup

Create an OpenID Application

Log in to the Okta Administrator page > Applications > Applications > Create App Integration.

Select these two options: OpenID and Web Application.

URL Setup

Provide the redirect URLs and the sign-out URLs. These are the Pyramid instance URLs.

Once done, click Save.

Setting the provider up in Pyramid

Open the authentication manager in the Pyramid admin console (Pyramid Admin > Security > Authentication) and click the Change Provider button.

The details for the form can be found in Okta as follows.

Endpoint URL - Go to Security > API and take the issuer URI.

Client ID - You can find this in the app's General tab.

Redirect URL - Take this from your app's General tab (although you entered it yourself).

Logout URL - Take this from your app's General tab (although you entered it yourself).

JSON Web Keys URI - If you are validating tokens issued by Okta, your JWKS URI would be https://your-okta-domain.com/oauth2/default/v1/keys
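Before clicking Test, it is worth checking that the five form values agree with each other and with what the issuer actually advertises: a JWKS URI copied from the wrong tenant, or a redirect URL that is not the Pyramid instance over https, is the usual cause of a provider that "tests fine" and then fails on real logins. The script below is an added example, not Pyramid's or Okta's own code; it assumes field names mirroring the form above (endpoint_url, client_id, redirect_url, logout_url, jwks_uri), the default-authorization-server layout shown on this page (JWKS at issuer + /v1/keys), and a constructed discovery document shaped like the one Okta serves at issuer + /.well-known/openid-configuration.

```python
"""Sanity-check an Okta OpenID provider configuration before applying it in Pyramid.

Added example (not Pyramid's or Okta's code). Field names, hostnames and the
discovery document below are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Constructed sample of what the issuer's discovery document returns. In a real
# check you would fetch <issuer>/.well-known/openid-configuration over https.
SAMPLE_DISCOVERY = {
    "issuer": "https://example-org.okta.com/oauth2/default",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example-org.okta.com/oauth2/default/v1/keys",
    "end_session_endpoint": "https://example-org.okta.com/oauth2/default/v1/logout",
}

# Constructed form values; the key names are an assumption mirroring the form fields.
GOOD_CONFIG = {
    "endpoint_url": "https://example-org.okta.com/oauth2/default",
    "client_id": "0oa-constructed-client-id",
    "redirect_url": "https://pyramid.example.com/auth/okta/callback",
    "logout_url": "https://pyramid.example.com/auth/okta/logout",
    "jwks_uri": "https://example-org.okta.com/oauth2/default/v1/keys",
}

# Two common mistakes: a JWKS URI copied from another tenant, and an http redirect URL.
BAD_CONFIG = dict(
    GOOD_CONFIG,
    jwks_uri="https://other-org.okta.com/oauth2/default/v1/keys",
    redirect_url="http://pyramid.example.com/auth/okta/callback",
)


def expected_jwks_uri(issuer: str) -> str:
    """Default authorization server layout from the page: <issuer>/v1/keys."""
    return issuer.rstrip("/") + "/v1/keys"


def validate_provider_config(config: dict, discovery: dict, pyramid_host: str) -> list[str]:
    """Return a list of problems; an empty list means the form is consistent."""
    problems: list[str] = []
    issuer = config["endpoint_url"].rstrip("/")

    # 1. The issuer must be https and exactly what the provider advertises;
    #    otherwise the iss claim of every ID token will fail validation.
    if urlparse(issuer).scheme != "https":
        problems.append("endpoint_url must use https")
    if discovery["issuer"].rstrip("/") != issuer:
        problems.append("endpoint_url does not match the discovery document issuer")

    # 2. The JWKS URI must be the one this issuer advertises. Pointing at another
    #    tenant's keys means either no token verifies or the wrong tenant's do.
    jwks = config["jwks_uri"].rstrip("/")
    if jwks != discovery["jwks_uri"].rstrip("/"):
        problems.append("jwks_uri differs from the discovery document jwks_uri")
    if jwks != expected_jwks_uri(issuer):
        problems.append("jwks_uri is not <issuer>/v1/keys")

    # 3. Redirect and logout URLs must be https and point at the Pyramid instance.
    for field in ("redirect_url", "logout_url"):
        parsed = urlparse(config[field])
        if parsed.scheme != "https":
            problems.append(f"{field} must use https")
        if parsed.hostname != pyramid_host:
            problems.append(f"{field} host {parsed.hostname!r} is not the Pyramid instance {pyramid_host!r}")

    if not config.get("client_id"):
        problems.append("client_id is empty")
    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        found = validate_provider_config(cfg, SAMPLE_DISCOVERY, "pyramid.example.com")
        print(name, "->", "OK" if not found else found)
```

The discovery-document comparison is the authoritative check, since it works for any Okta authorization server; the `<issuer>/v1/keys` helper only encodes the default-server layout this page uses and should be dropped if you use the org authorization server, whose JWKS path differs.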

Test

Once all the fields are filled in, click Test, take the Okta_login_name from the pop-up and put it in the External ID field, then apply.

User Provisioning Setup

The Okta OpenID provider can be used for auto provisioning in Pyramid. Click here for more details.

Save your changes

Click Apply to start the provider changeover process. At this stage, the existing users attached to the previous authentication system need to be converted over.

Admins will be prompted to either:

  • Delete all existing users and delete their content
  • Convert old users to the new provider (through the user conversion wizard), and keep their content

Since this exercise cannot be rolled back once the changes are committed, admins need to step through it carefully.