Okta OpenID Connect

This guide explains how to configure Okta and FlexDeploy to work together using OpenID Connect for single sign-on (SSO).

Replace capitalized text in the sample sso.config file with appropriate values. You will need to define an application in your Okta console and update values in the configuration file as shown below.

  • OKTACLIENTID - get this value from Okta application configuration.

  • OKTACLIENTSECRET - get this value from Okta application configuration.

  • OKTADOMAIN - get this value from your Okta domain details.

  • FLEXDEPLOYHOST - FlexDeploy application host

  • FLEXDEPLOYPORT - FlexDeploy application port

Example fdsso.config for Okta (OpenID Connect)

Change log

  • FlexDeploy 6.0.0.0 - The values for excludedPathMatcher.excludedPath and logout.defaultUrl have changed

  • FlexDeploy 7.0.0.0 - Group mapping for SSO realm was introduced with 7.0, and requires the line oidcConfig.scope = openid,groups,profile,email to be added to your configuration.

oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.clientId = OKTACLIENTID
oidcConfig.secret = OKTACLIENTSECRET
oidcConfig.discoveryURI = https://OKTADOMAIN.okta.com/.well-known/openid-configuration
oidcConfig.scope = openid,groups,profile,email

oktaClient = org.pac4j.oidc.client.OidcClient
oktaClient.configuration = $oidcConfig

clients.callbackUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/callback
clients.clients = $oktaClient

isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer

excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login

config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher

ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = OidcClient
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin

logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = true
logout.defaultUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/next/#/home
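A pre-deployment check for the file above, added here as an example (it is not FlexDeploy or pac4j tooling): it flags placeholders that were never replaced, non-HTTPS URLs, and a scope line missing `openid` or the `groups` scope that 7.0 group mapping requires. The function names, the sample hosts and the assumption that `#` starts a comment line are this example's own.

```python
from urllib.parse import urlsplit

# Placeholder tokens from the sample file; any left in a value means an unfinished edit.
PLACEHOLDERS = ("OKTACLIENTID", "OKTACLIENTSECRET", "OKTADOMAIN",
                "FLEXDEPLOYHOST", "FLEXDEPLOYPORT")
URL_KEYS = ("oidcConfig.discoveryURI", "clients.callbackUrl", "logout.defaultUrl")

# Constructed sample with three deliberate mistakes (hosts and client id are made up).
SAMPLE = """\
oidcConfig.clientId = 0oaEXAMPLEclientid
oidcConfig.secret = OKTACLIENTSECRET
oidcConfig.discoveryURI = https://example.okta.com/.well-known/openid-configuration
oidcConfig.scope = openid,profile,email
clients.callbackUrl = http://flexdeploy.example.com:8000/flexdeploy/callback
logout.defaultUrl = https://flexdeploy.example.com:8000/flexdeploy/next/#/home
"""

def parse_config(text):
    """Parse 'key = value' lines; blank lines and lines starting with '#' are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def lint_sso_config(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    cfg = parse_config(text)
    findings = []
    for key, value in cfg.items():
        for name in PLACEHOLDERS:
            if name in value:
                findings.append(f"{key}: placeholder {name} not replaced")
    for key in URL_KEYS:
        value = cfg.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif urlsplit(value).scheme != "https":
            findings.append(f"{key}: not an https URL")
    scopes = [s.strip() for s in cfg.get("oidcConfig.scope", "").split(",") if s.strip()]
    for required in ("openid", "groups"):
        if required not in scopes:
            findings.append(f"oidcConfig.scope: missing '{required}'")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_sso_config(SAMPLE)))
```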

Here is what the configuration looks like in Okta.

Group Mapping with Okta OIDC

Add a group claim in Okta.

Set your filter as desired.

FlexDeploy will find the groups without any modification of the group name attribute.

 
