Okta OpenID

This guide walks through deploying an Okta OpenID configuration as the authentication provider for Pyramid. Okta is not very different from generic OpenID, but a few aspects are specific to it.

Note: This feature is only available with Enterprise licensing.

Okta OpenID Setup

Create an OpenID Application

Login to the Okta Administrator page, click Applications > Applications in the menu and then Create App Integration:

Select the two options: OIDC - OpenID Connect and Web Application:

URL Setup

Provide the details for the redirect and sign out URIs. These are the Pyramid instance URLs.

Once you are done, click Save.

Setting up the provider in Pyramid

Open authentication manager in the Pyramid admin console:

  1. In the Admin Console, click Security > Authentication.
  2. The Authentication Provider page opens with the details of your current Authentication Provider displayed.
  3. From the top-right of the page, click Change Provider.
  4. The Change Provider page opens. You will copy the details of your new authentication provider into this page, starting by selecting your Provider.

The details for the form can be found as follows in Okta:

  • Endpoint URL - Go to Security > API, take the issuer URI.
  • Client ID - You can find this in the app general tab.
  • Redirect URL - You take this from your app general tab (although you entered it yourself).
  • Logout URL - You take this from your app general tab (although you entered it yourself).
  • JSON Web Keys URI - If you are validating tokens issued by Okta, your JWKS URI would be: "https://your-okta-domain.com/oauth2/default/v1/keys".
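To catch copy-and-paste slips before clicking Test, the following added check (not part of this guide or of Pyramid) compares the form values against the fields Okta publishes at <issuer>/.well-known/openid-configuration. The discovery document and form values are constructed samples, and the Pyramid paths and client ID are hypothetical placeholders.

```python
from urllib.parse import urlparse

# Constructed sample of the fields Okta serves at
# <issuer>/.well-known/openid-configuration (only those used below).
SAMPLE_DISCOVERY = {
    "issuer": "https://your-okta-domain.com/oauth2/default",
    "jwks_uri": "https://your-okta-domain.com/oauth2/default/v1/keys",
}

# Constructed values as they might be typed into the Change Provider form.
# The client ID and Pyramid paths are placeholders, not real values.
SAMPLE_FORM = {
    "endpoint_url": "https://your-okta-domain.com/oauth2/default",
    "client_id": "PLACEHOLDER_CLIENT_ID",
    "redirect_url": "https://pyramid.example.com/login/oidc",
    "logout_url": "https://pyramid.example.com/logout",
    # Trailing dot copied along with the sentence's full stop.
    "jwks_uri": "https://your-okta-domain.com/oauth2/default/v1/keys.",
}


def check_provider_form(form, discovery):
    """Return a list of problems; an empty list means the form is consistent."""
    problems = []
    issuer = form["endpoint_url"].rstrip("/")
    okta_host = urlparse(issuer).netloc
    # The iss claim in every ID token must equal the Endpoint URL exactly.
    if issuer != discovery["issuer"].rstrip("/"):
        problems.append(f"endpoint_url must equal the issuer {discovery['issuer']}")
    # Signing keys must come from the same issuer that mints the tokens.
    if form["jwks_uri"] != discovery["jwks_uri"]:
        problems.append(f"jwks_uri does not match discovery jwks_uri {discovery['jwks_uri']}")
    if urlparse(form["jwks_uri"]).netloc != okta_host:
        problems.append("jwks_uri host differs from the issuer host")
    # Redirect and logout URLs are Pyramid instance URLs, served over TLS.
    for name in ("redirect_url", "logout_url"):
        u = urlparse(form[name])
        if u.scheme != "https":
            problems.append(f"{name} must use https")
        if u.netloc == okta_host:
            problems.append(f"{name} should point at the Pyramid instance, not at Okta")
    if urlparse(form["redirect_url"]).netloc != urlparse(form["logout_url"]).netloc:
        problems.append("redirect_url and logout_url should be on the same Pyramid instance")
    if not form["client_id"].strip():
        problems.append("client_id is empty")
    return problems


if __name__ == "__main__":
    for p in check_provider_form(SAMPLE_FORM, SAMPLE_DISCOVERY):
        print("problem:", p)
```

Running the block as-is reports the trailing-dot JWKS URI; fixing that field yields no problems.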

User Provisioning Setup

The Okta OpenID provider can be used for auto provisioning in Pyramid. If you want to use auto provisioning, you will need to set up the app and then specify its settings on the Provider Provisioning tab (green arrow above). For more information, see Okta User Provisioning.

Test

Once all fields are filled, click Test, take the Okta_login_name from the pop up, and copy it into the External ID.

Save your changes

Click Apply to start the provider change-over process. At this stage, the existing users (attached to the previous authentication system) need to be converted over.

Admins will be prompted to either:

  • Delete all existing users and their local content. When users are deleted by this process, all their private data (the discoveries, publications, and so on that are stored in their My Content Folder) is "soft deleted." Soft deleted files are moved into the Deleted users content folder and can be restored by an admin if needed.
  • Convert old users to the new provider (through the user conversion wizard), and keep their content.

Since the change-over cannot be rolled back once the changes are committed, admins need to step through it carefully.

  • Click here for a detailed explanation and walkthrough of User Conversion