How to integrate Security Center with Okta using OpenID Connect - Security Center 5.11

Security Center Administrator Guide 5.11

Product
Security Center
Content type
Guides > Administrator guides
Version
5.11
Language
English
Last updated
2024-12-17

Before Security Center can use Okta to authenticate users with OpenID Connect, setup is required in Config Tool and the Okta Admin Console.

This example shows the steps required to set up third-party authentication with Okta using the OpenID Connect (OIDC) UserInfo endpoint. The procedure is divided into the following sections:

  1. Preparing Security Center
  2. Preparing Okta
  3. Integrating Security Center with Okta

To implement third-party authentication, you must have administrator rights in Security Center and Okta.

IMPORTANT: This sample integration might differ from your requirements and the Okta Admin Console is subject to change. When setting up Okta, ensure that all steps are adapted to your specific situation.

1 - Preparing Security Center

  1. Open Config Tool and connect to the Security Center main server as an administrator.
  2. In Config Tool, open System > Roles and click Add an entity > Authentication Service.
    Add an entity menu in Config Tool, with the Authentication Service role highlighted.
  3. In the Creating a role: Authentication Service window, select OpenID and click Next.
    Creating a role: Authentication Service window in Config Tool, with the OpenID protocol selected.
  4. Enter a name and optional description for the new Authentication Service role and click Next.
    Creating a role: Authentication Service window in Config Tool showing the Basic information fields for Okta.
    NOTE: If your system has multiple partitions, you can also add the new role to a specific partition here.
  5. On the Summary page, ensure all the information is correct, click Create, and click Close.
  6. In the newly created role, click the Network endpoint tab.
  7. On the Network endpoint page, copy the OIDC redirect and logout URIs. These are needed to configure Okta Sign-in redirect URIs and Sign-out redirect URIs.
    NOTE: You might need to restart the System task to see the endpoint URIs.
    Network endpoint page of the Authentication Service role in Config Tool showing redirect and logout URIs.

2 - Preparing Okta

Before completing these steps in the Okta Admin Console, you must meet all of the following prerequisites:
  • Have an Okta administrator account.
  • Have provisioned at least one user.
  • Have provisioned at least one user group that contains the users you want to grant access to Security Center.
  1. In the Okta Admin Console, select Applications > Applications and then click Create App Integration.
    Okta Admin Console showing the Create App Integration button on the Applications page.
  2. In the Create a new app integration wizard, select OIDC - OpenID Connect, Web Application, and click Next.
    Create a new app integration wizard in the Okta Admin Console, with OIDC and Web Application selected.
  3. On the New Web App Integration page, set the following and click Save:
    • App integration name
      New Web App Integration page in the Okta Admin Console, with callouts to App integration name and Grant type.
    • Sign-in redirect URIs copied from the redirect URIs in Security Center
      New Web App Integration page in the Okta Admin Console, with a callout to Sign-in redirect URIs.
    • Sign-out redirect URIs copied from the logout URIs in Security Center
      New Web App Integration page in the Okta Admin Console, with a callout to Sign-out redirect URIs.
    • Controlled access: select Limit access to selected groups and add the required groups
      New Web App Integration page in the Okta Admin Console, with a callout to Controlled access.
  4. On the General page for your application, copy the default Client ID and Client secret. These are needed to configure Security Center. If required, you can click Edit to generate a new client secret.
    General page for web applications in the Okta Admin Console showing client credentials.
  5. Click the Okta API Scopes tab for your Security Center application and grant the okta.groups.read and okta.users.read scopes.
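As an added pre-flight check that is not part of this guide or of either product: a short Python script that compares the Okta app settings against the redirect and logout URIs copied from the role's Network endpoint page and the API scopes granted in step 5, and confirms the discovery document advertises the UserInfo endpoint over HTTPS. The org URL, the discovery document and the Security Center URIs in it are constructed placeholders.

```python
"""Pre-flight consistency check of an Okta OIDC app against the URIs copied from Security Center.
All values below are constructed placeholders, not taken from the guide or from a real tenant;
the discovery document would normally come from https://<org>/.well-known/openid-configuration."""
from urllib.parse import urlsplit

REQUIRED_API_SCOPES = {"okta.groups.read", "okta.users.read"}  # granted in step 5 of Preparing Okta


def check_okta_app(discovery, app, sc_redirect_uris, sc_logout_uris):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    # Security Center uses the UserInfo endpoint, so all three core endpoints must be advertised over HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        url = discovery.get(key, "")
        if urlsplit(url).scheme != "https":
            findings.append(f"discovery: {key} missing or not https")
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("discovery: authorization code response type not advertised")
    # OIDC redirect-URI matching is an exact string comparison: scheme, host, port,
    # path and trailing slash all count, so a near-miss is a real misconfiguration.
    checks = (("sign-in", sc_redirect_uris, app.get("redirect_uris", [])),
              ("sign-out", sc_logout_uris, app.get("post_logout_redirect_uris", [])))
    for label, expected, registered in checks:
        for uri in expected:
            if uri not in registered:
                findings.append(f"{label}: Security Center URI not registered exactly: {uri}")
    if app.get("assignment") != "groups":
        findings.append("app: controlled access is not limited to selected groups")
    missing = REQUIRED_API_SCOPES - set(app.get("api_scopes", []))
    if missing:
        findings.append(f"app: Okta API scopes not granted: {sorted(missing)}")
    return findings


ORG = "https://example.okta.com"  # placeholder Okta org URL
SAMPLE_DISCOVERY = {
    "issuer": ORG,
    "authorization_endpoint": f"{ORG}/oauth2/v1/authorize",
    "token_endpoint": f"{ORG}/oauth2/v1/token",
    "userinfo_endpoint": f"{ORG}/oauth2/v1/userinfo",
    "response_types_supported": ["code", "id_token", "token"],
}
# Constructed stand-ins for the URIs shown on the role's Network endpoint page.
SC_REDIRECT_URIS = ["https://sc-main.example.invalid:5500/oidc/okta/redirect"]
SC_LOGOUT_URIS = ["https://sc-main.example.invalid:5500/oidc/okta/logout"]
SAMPLE_APP = {
    "redirect_uris": SC_REDIRECT_URIS,
    "post_logout_redirect_uris": SC_LOGOUT_URIS,
    "assignment": "groups",
    "api_scopes": ["okta.groups.read", "okta.users.read"],
}
```

Run `check_okta_app(SAMPLE_DISCOVERY, SAMPLE_APP, SC_REDIRECT_URIS, SC_LOGOUT_URIS)` with your own values substituted; any non-empty result points at a setting to recheck in the Okta Admin Console before continuing to the integration section.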