Okta OpenID Connect
This guide will help you configure Okta and FlexDeploy to work together with OpenID for SSO.
Replace capitalized text in the sample sso.config file with appropriate values. You will need to define an application in your Okta console and update values in the configuration file as shown below.
OKTACLIENTID - get this value from Okta application configuration.
OKTACLIENTSECRET - get this value from Okta application configuration.
OKTADOMAIN - get this value from your Okta domain details.
FLEXDEPLOYHOST - FlexDeploy application host
FLEXDEPLOYPORT - FlexDeploy application port
Example fdsso.config for Okta (OpenID Connect)
Change log
FlexDeploy 6.0.0.0 - The values for
excludedPathMatcher.excludedPath
andlogout.defaultUrl
have changedFlexDeploy 7.0.0.0 - Group mapping for SSO realm was introduced with 7.0, and requires the line
oidcConfig.scope = openid,groups,profile,email
to be added to your configuration.
oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.clientId = OKTACLIENTID
oidcConfig.secret = OKTACLIENTSECRET
oidcConfig.discoveryURI = https://OKTADOMAIN.okta.com/.well-known/openid-configuration
oidcConfig.scope = openid,groups,profile,email
oktaClient = org.pac4j.oidc.client.OidcClient
oktaClient.configuration = $oidcConfig
clients.callbackUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/callback
clients.clients = $oktaClient
isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = OidcClient
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = true
logout.defaultUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/next/#/home
Here is what configuration looks like in Okta.
Group Mapping with Okta OIDC
Add a group claim in Okta.
Set your filter as desired.
FlexDeploy will find the groups without any modification of the group name attribute.
Â
- style