To support OpenID Connect (OIDC)-based Single Sign On (SSO) from Okta, you must first set up an application in Okta. To set up an OIDC-based application in Okta for SSO, perform the steps in this procedure.
Note: If you are in the Developer Console view, you must switch to the Classic UI view by selecting Classic UI from the Developer Console drop-down list.
To create a new application:
1. In the upper navigation bar, click Applications > Add Application. The Add Application screen appears.
2. Click Create New App. The Create a New Application Integration dialog box appears.
3. From the Platform drop-down menu, select Web.
4. Select OpenID Connect as the Sign on method and click Create. The Create OpenID Connect Integration screen appears.
5. Under the General Settings area, in the Application name text box, enter the name for your application.
6. Under the CONFIGURE OPENID CONNECT area, in the Login redirect URIs text box, enter the redirect URL that your SASE Orchestrator application uses as the callback endpoint. In the SASE Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the SASE Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.
7. Click Save. The newly created application page appears.
8. On the General tab, click Edit, select Refresh Token for Allowed grant types, and click Save.
9. Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in SASE Orchestrator.
10. Click the Sign On tab and, under the OpenID Connect ID Token area, click Edit.
11. From the Groups claim type drop-down menu, select Expression. By default, Groups claim type is set to Filter.
12. In the Groups claim expression text box, enter the claim name that will be used in the token, and an Okta input expression statement that evaluates the token.
13. Click Save.
The application is set up in the IDP. You can now assign user groups and users to your SASE Orchestrator application.
To assign groups and users to your SASE Orchestrator application:
1. Go to Applications > Applications and click your SASE Orchestrator application link.
2. On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or Assign to People. The Assign <Application Name> to Groups or Assign <Application Name> to People dialog box appears.
3. Click Assign next to the available user groups or users to which you want to assign the SASE Orchestrator application, and click Done. The users or user groups assigned to the SASE Orchestrator application are displayed.
Results
You have completed setting up an OIDC-based application in Okta for SSO.