How to integrate Security Center with Okta using OpenID Connect - Security Center 5.10

Security Center Administrator Guide 5.10

Applies to: Security Center 5.10
Last updated: 2023-06-12
Content type: Guides > Administrator guides
Language: English
Product: Security Center
Version: 5.10

Before Security Center can use Okta to authenticate users with OpenID Connect, setup is required in Config Tool and the Okta Admin Console.

This example shows the steps required to set up third-party authentication with Okta using the OpenID Connect (OIDC) UserInfo endpoint. The procedure is divided into the following sections:

  1. Preparing Security Center
  2. Preparing Okta
  3. Integrating Security Center with Okta

To implement third-party authentication, you must have administrator rights in Security Center and Okta.

IMPORTANT: This sample integration might differ from your requirements and the Okta Admin Console is subject to change. When setting up Okta, ensure that all steps are adapted to your specific situation.

1 - Preparing Security Center

  1. Open Config Tool and connect to the Security Center main server as an administrator.
  2. In Config Tool, open System > Roles and click Add an entity > Authentication Service.
    Add an entity menu in Config Tool, with the Authentication Service role highlighted.
  3. In the Creating a role: Authentication Service window, select OpenID and click Next.
    Creating a role: Authentication Service window in Config Tool, with the OpenID protocol selected.
  4. Enter a name and optional description for the new Authentication Service role and click Next.
    Creating a role: Authentication Service window in Config Tool showing the Basic information fields for Okta.
    NOTE: If your system has multiple partitions, you can also add the new role to a specific partition here.
  5. On the Summary page, ensure all the information is correct, click Create, and click Close.
  6. In the newly created role, click the Network endpoint tab.
  7. On the Network endpoint page, copy the OIDC redirect and logout URIs. These are needed to configure Okta Sign-in redirect URIs and Sign-out redirect URIs.
    NOTE: You might need to restart the System task to see the endpoint URIs.
    Network endpoint page of the Authentication Service role in Config Tool showing redirect and logout URIs.

2 - Preparing Okta

Before completing these steps in the Okta Admin Console, you must meet all of the following prerequisites:
  • Have an Okta administrator account.
  • Have provisioned at least one user.
  • Have provisioned at least one user group that contains the users you want to grant access to Security Center.

  1. In the Okta Admin Console, select Applications > Applications and then click Create App Integration.
    Okta Admin Console showing the Create App Integration button on the Applications page.
  2. In the Create a new app integration wizard, select OIDC - OpenID Connect, Web Application, and click Next.
    Create a new app integration wizard in the Okta Admin Console, with OIDC and Web Application selected.
  3. On the New Web App Integration page, set the following and click Save:
    • App integration name: a name for the application
      New Web App Integration page in the Okta Admin Console, with callouts to App integration name and Grant type.
    • Sign-in redirect URIs: the redirect URIs copied from Security Center
      New Web App Integration page in the Okta Admin Console, with a callout to Sign-in redirect URIs.
    • Sign-out redirect URIs: the logout URIs copied from Security Center
      New Web App Integration page in the Okta Admin Console, with a callout to Sign-out redirect URIs.
    • Controlled access: select Limit access to selected groups and add the required groups
      New Web App Integration page in the Okta Admin Console, with a callout to Controlled access.
  4. On the General page for your application, copy the default Client ID and Client secret. These are needed to configure Security Center. If required, you can click Edit to generate a new client secret.
    General page for web applications in the Okta Admin Console showing client credentials.
  5. Click the Okta API Scopes tab for your Security Center application and grant the okta.groups.read and okta.users.read operations.
    Okta API Scopes page in the Okta Admin Console showing granted operations.
  6. Click Security > API and copy the Issuer URI for the default authorization server. This URI is needed to configure Security Center.
    Okta Admin Console showing the Issuer URI on the API page.
  7. Open the default authorization server, click the Claims tab, and click Add Claim.
    Claims page for the default authorization server in the Okta Admin Console showing the Add Claim button.
  8. Add a groups claim as follows and click Create:
    Add Claim window in the Okta Admin Console showing the required settings for Security Center.
    NOTE: The Matches regex filter with .* returns all groups to which the authenticated user belongs.

    If required, the filter can also be used to exclude certain groups from the claim. At least one group assigned to Security Center must be included with the claim to grant access.

3 - Integrating Security Center with Okta

  1. In Config Tool, open the Authentication Service role that was created earlier, and click the Properties tab.
  2. Complete the properties as follows:
    Display name: When logging on to Security Center, each third-party authentication option is presented as a button with the text "Sign in with <display name>".
    Issuer: Enter the Issuer URI that was copied from the default authorization server in Okta.
    Domain names: The domain names of users who will authenticate using Okta, such as genetec.com. You must have at least one.
    Client ID: Enter the Client ID that you copied from the Security Center application in Okta.
    Confidential client: Switch to ON.
    Client secret: Enter the Client secret that you copied from the Security Center application in Okta.
    Username claim: Enter preferred_username
    Group claim: Enter groups
    Obtain claims from (advanced setting):
    • Switch Access token to OFF.
    • Switch User info endpoint to ON.

    Leave all other properties at their default values.

  3. Click Apply.
  4. In Security Center, create one or more user groups with exactly the same names as the groups assigned to the Security Center application in Okta.
  5. Add the groups that are authorized to connect using Okta to the User groups list of the Authentication Service role.
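The groups-claim filter from section 2 (step 8) and the claim-to-property mapping from section 3, modelled as an added Python example that is not part of this guide or of the Security Center or Okta products. The regex filter emulation, the domain-name check and the exact-name group match are assumptions about how the products behave; the UserInfo response is constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what the Okta UserInfo endpoint could return once the
# "groups" claim from section 2 has been added (not real data).
SAMPLE_USERINFO = {
    "sub": "00uEXAMPLE",
    "preferred_username": "alice@genetec.com",
    "groups": ["Everyone", "SC-Operators", "Finance"],
}

@dataclass
class AuthServiceConfig:
    """Subset of the Authentication Service role properties from section 3."""
    domain_names: set
    authorized_groups: set = field(default_factory=set)  # User groups list
    username_claim: str = "preferred_username"
    group_claim: str = "groups"

def okta_groups_filter(all_groups, regex=".*"):
    """Hypothetical model of Okta's 'Matches regex' group filter: keep the
    groups whose name fully matches the pattern (.* keeps every group)."""
    pattern = re.compile(regex)
    return [g for g in all_groups if pattern.fullmatch(g)]

def evaluate_login(userinfo, cfg):
    """Check UserInfo claims against the guide's rules: username claim present,
    its domain is one of the configured Domain names (assumed check), and at
    least one claimed group matches an authorized group by exact name.
    Returns (allowed, reason, matched_groups)."""
    username = userinfo.get(cfg.username_claim)
    if not isinstance(username, str) or "@" not in username:
        return False, "missing or malformed username claim", []
    domain = username.rsplit("@", 1)[1].lower()
    if domain not in {d.lower() for d in cfg.domain_names}:
        return False, f"domain {domain} is not configured", []
    groups = userinfo.get(cfg.group_claim)
    if not isinstance(groups, list):
        return False, "group claim missing or not a list", []
    matched = sorted(set(groups) & cfg.authorized_groups)  # exact-name match
    if not matched:
        return False, "no authorized group in the groups claim", []
    return True, "ok", matched

if __name__ == "__main__":
    cfg = AuthServiceConfig({"genetec.com"}, {"SC-Operators"})
    print(evaluate_login(SAMPLE_USERINFO, cfg))
    narrowed = dict(SAMPLE_USERINFO, groups=okta_groups_filter(SAMPLE_USERINFO["groups"], "Finance"))
    print(evaluate_login(narrowed, cfg))  # denied: the filter dropped SC-Operators
```

The second call shows why the note in section 2 matters: a regex that excludes every group assigned to the Security Center application leaves the user with no matching group, so the logon is refused.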