Before Security Center can use Okta to authenticate users with OpenID Connect, setup is required in Config Tool and the Okta Admin Console.
This example shows the steps required to set up third-party authentication with Okta using the OpenID Connect (OIDC) UserInfo endpoint. The procedure is divided into three sections: preparing Security Center, preparing Okta, and integrating Security Center with Okta.
To implement third-party authentication, you must have administrator rights in Security Center and Okta.
1 - Preparing Security Center
- Open Config Tool and connect to the Security Center main server as an administrator.
- In Config Tool, open the System task and add a new Authentication Service role.
- In the Creating a role: Authentication Service window, select OpenID and click Next.
- Enter a name and optional description for the new Authentication Service role and click Next.
  NOTE: If your system has multiple partitions, you can also add the new role to a specific partition here.
- On the Summary page, ensure all the information is correct, click Create, and click Close.
- In the newly created role, click the Network endpoint tab.
- On the Network endpoint page, copy the OIDC redirect and logout URIs. These are needed to configure the Sign-in redirect URIs and Sign-out redirect URIs in Okta. Okta matches redirect URIs exactly, so copy them verbatim, including scheme, host, port and path.
  NOTE: You might need to restart the System task to see the endpoint URIs.
2 - Preparing Okta
- Have an Okta administrator account.
- Have provisioned at least one user.
- Have provisioned at least one user group that contains the users you want to grant access to Security Center.
- In the Okta Admin Console, select Create App Integration.
- In the Create a new app integration wizard, select OIDC - OpenID Connect and Web Application, and click Next.
- On the New Web App Integration page, set the following and click Save:
  - App integration name: a name for the Security Center application.
  - Sign-in redirect URIs: the OIDC redirect URIs copied from Security Center.
  - Sign-out redirect URIs: the OIDC logout URIs copied from Security Center.
  - Controlled access: select Limit access to selected groups and add the groups whose members should be able to sign in to Security Center.
- On the General page for your application, copy the default Client ID and Client secret. These are needed to configure Security Center. If required, you can click Edit to generate a new client secret. The client secret is a credential: store it only in the role's Client secret property and regenerate it if it is ever exposed.
- Click the Okta API Scopes tab for your Security Center application and grant the okta.groups.read and okta.users.read scopes.
- Open the default authorization server, click the Claims tab, and click Add Claim.
- Add a claim named groups with value type Groups and the filter Matches regex set to .*, then click Create.
  NOTE: The Matches regex filter with .* returns all groups to which the authenticated user belongs. If required, a narrower expression can be used to exclude groups from the claim, which also limits what Security Center learns about a user's other memberships. At least one group assigned to the Security Center application must be included in the claim to grant access.
3 - Integrating Security Center with Okta
- In Config Tool, open the Authentication Service role that was created earlier, and click the Properties tab.
- Complete the properties as follows, and leave all other properties at their default values:
  - Display name: the text shown on the logon button. When logging on to Security Center, third-party authentication options are each presented as a button with the text "Sign in with <display name>".
  - Issuer: the Issuer URI of the default authorization server in Okta. It must match the issuer that Okta places in its tokens exactly, including scheme and any path.
  - Domain names: the domain names of users who will authenticate using Okta, such as genetec.com. At least one is required.
  - Client ID: the Client ID that you copied from the Security Center application in Okta.
  - Confidential client: switch to ON.
  - Client secret: the Client secret that you copied from the Security Center application in Okta.
  - Username claim: preferred_username
  - Group claim: groups
  - Obtain claims from (advanced setting): switch Access token to OFF and User info endpoint to ON, so that the username and group claims are read from the UserInfo endpoint rather than from the access token.
- Click Apply.
- In Security Center, create one or more user groups with exactly the same names as the groups assigned to the Security Center application in Okta. Groups are matched by name, so any difference in spelling prevents the match.
- Add the groups that are authorized to connect using Okta to the User groups list of the Authentication Service role.
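The combined effect of the Okta groups claim filter (section 2) and the role properties (section 3), as an added example that is not part of the original page and is not Security Center's or Okta's own code: a small Python simulation of the claim filter on the Okta side and of the checks a relying party makes before granting a login. The issuer, client ID, user and group names are constructed for illustration; the regex filter is assumed to use full-match semantics, the Security Center group and domain comparisons are assumed to be exact-name matches as the procedure describes, and the issuer, audience and sub checks are the ones OpenID Connect Core requires of any client.

```python
import re
from dataclasses import dataclass, field


def okta_groups_claim(user_groups, pattern):
    """Mimic the Okta 'Matches regex' filter configured on the groups claim.

    With the pattern '.*' every group the user belongs to is returned; a
    narrower pattern drops the rest. Full-match semantics are assumed
    (verify against your tenant before relying on a partial pattern).
    """
    rx = re.compile(pattern)
    return [g for g in user_groups if rx.fullmatch(g)]


@dataclass
class AuthServiceRole:
    """Constructed stand-in for the Properties tab of the Authentication Service role."""
    issuer: str
    client_id: str
    domain_names: set
    user_groups: set = field(default_factory=set)  # groups allowed to connect via Okta
    username_claim: str = "preferred_username"
    group_claim: str = "groups"


def evaluate_login(role, id_token_claims, userinfo_claims):
    """Decide whether a login is granted from the ID token and UserInfo claims.

    Returns (granted, username, matched_groups, reason). Issuer, audience and
    sub binding are standard OIDC relying-party checks; the domain and group
    comparisons model the exact-name matching the procedure above relies on.
    """
    if id_token_claims.get("iss") != role.issuer:
        return False, None, set(), "issuer mismatch"
    aud = id_token_claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if role.client_id not in audiences:
        return False, None, set(), "token not issued for this client"
    # OIDC Core 5.3.2: the sub in the UserInfo response must equal the ID token sub.
    if userinfo_claims.get("sub") != id_token_claims.get("sub"):
        return False, None, set(), "UserInfo sub does not match ID token sub"
    username = userinfo_claims.get(role.username_claim)
    if not username or "@" not in username:
        return False, None, set(), f"missing or malformed {role.username_claim} claim"
    domain = username.rsplit("@", 1)[1].lower()
    if domain not in {d.lower() for d in role.domain_names}:
        return False, username, set(), f"domain {domain} not configured on the role"
    matched = set(userinfo_claims.get(role.group_claim, [])) & role.user_groups
    if not matched:
        return False, username, set(), "no authorized group present in the groups claim"
    return True, username, matched, "ok"


# Constructed sample data: hypothetical tenant, client, user and groups.
ISSUER = "https://example.okta.com"
CLIENT_ID = "0oaexampleclientid"
ROLE = AuthServiceRole(ISSUER, CLIENT_ID, {"genetec.com"}, {"SC-Operators"})
ALICE_OKTA_GROUPS = ["Everyone", "SC-Operators", "Finance"]


def sample_login(username, okta_groups, regex=".*", userinfo_sub="00u-alice"):
    """Build the ID token and UserInfo claims Okta would return and evaluate them."""
    id_token = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "00u-alice"}
    userinfo = {
        "sub": userinfo_sub,
        "preferred_username": username,
        "groups": okta_groups_claim(okta_groups, regex),
    }
    return evaluate_login(ROLE, id_token, userinfo)


if __name__ == "__main__":
    print(sample_login("alice@genetec.com", ALICE_OKTA_GROUPS))
    print(sample_login("alice@genetec.com", ALICE_OKTA_GROUPS, regex="Fin.*"))
    print(sample_login("bob@contoso.com", ALICE_OKTA_GROUPS))
    print(sample_login("alice@genetec.com", ALICE_OKTA_GROUPS, userinfo_sub="00u-other"))
```

The second call shows the failure mode the NOTE in section 2 warns about: a regex that excludes every group assigned to the Security Center application leaves the groups claim without an authorized group, and the login is refused even though the user is a member of SC-Operators in Okta.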