Before Security Center can use Okta to authenticate users with OpenID Connect, setup is required in Config Tool and the Okta Admin Console.
This example shows the steps required to set up third-party authentication with Okta using the OpenID Connect (OIDC) UserInfo endpoint. The procedure is divided into the following sections:
To implement third-party authentication, you must have administrator rights in Security Center and Okta.
IMPORTANT: This sample integration might differ from your requirements, and the Okta Admin Console is subject to change. When setting up Okta, ensure that all steps are adapted to your specific situation.
1 - Preparing Security Center
- Open Config Tool and connect to the Security Center main server as an administrator.
- In Config Tool, open
- In the Creating a role: Authentication Service window, select OpenID and click Next.
- Enter a name and optional description for the new Authentication Service role and click Next. NOTE: If your system has multiple partitions, you can also add the new role to a specific partition here.
- On the Summary page, ensure all the information is correct, click Create, and click Close.
- In the newly created role, click the Network endpoint tab.
- On the Network endpoint page, copy the OIDC redirect and logout URIs. These are needed to configure the Okta Sign-in redirect URIs and Sign-out redirect URIs. NOTE: You might need to restart the System task to see the endpoint URIs.
2 - Preparing Okta
Before completing these steps in the Okta Admin Console, you must meet all of the following prerequisites:
- Have an Okta administrator account.
- Have provisioned at least one user.
- Have provisioned at least one user group that contains the users you want to grant access to Security Center.
- In the Okta Admin Console, select Create App Integration.
- In the Create a new app integration wizard, select OIDC - OpenID Connect, Web Application, and click Next.
- On the New Web App Integration page, set the following and click Save:
  - App integration name
  - Sign-in redirect URIs: copied from the redirect URIs in Security Center
  - Sign-out redirect URIs: copied from the logout URIs in Security Center
  - Controlled access: select Limit access to selected groups and add the required groups
- On the General page for your application, copy the default Client ID and Client secret. These are needed to configure Security Center. If required, you can click Edit to generate a new client secret.
- Click the Okta API Scopes tab for your Security Center application and grant the okta.groups.read and okta.users.read operations.
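The settings entered in sections 1 and 2 are easy to mistype, and OIDC redirect URI matching is exact, so a URI that differs only by a trailing slash or scheme is rejected at sign-in. The following pre-flight check is an added example, not part of this procedure or of any Genetec or Okta tooling; the dictionary layout and all URIs and group names are constructed placeholders.

```python
"""Pre-flight check that an Okta app integration matches Security Center.
Constructed example: dict layout and values are this script's own, not Okta's."""
from urllib.parse import urlsplit

# Scopes the procedure grants on the Okta API Scopes tab.
REQUIRED_SCOPES = {"okta.groups.read", "okta.users.read"}

def near_miss(wanted, registered):
    """Explain why a registered URI fails OIDC exact-match comparison."""
    w, r = urlsplit(wanted), urlsplit(registered)
    if w.scheme != r.scheme:
        return f"scheme differs ({r.scheme} instead of {w.scheme})"
    same_host = w.netloc.lower() == r.netloc.lower()
    if same_host and w.path.rstrip("/") == r.path.rstrip("/"):
        return "differs only by trailing slash or host letter case"
    return None

def check_integration(sc_endpoints, okta_app):
    """Return a list of findings; an empty list means the settings line up."""
    findings = []
    pairs = (("redirect", "sign_in_redirect_uris"),
             ("logout", "sign_out_redirect_uris"))
    for kind, key in pairs:
        registered = okta_app.get(key, [])
        for uri in sc_endpoints[kind]:
            if uri in registered:  # exact, case-sensitive match as OIDC requires
                continue
            hints = [h for h in (near_miss(uri, r) for r in registered) if h]
            detail = f": {hints[0]}" if hints else ""
            findings.append(f"{kind} URI {uri} not registered{detail}")
    limited = okta_app.get("controlled_access") == "selected_groups"
    if not limited or not okta_app.get("groups"):
        findings.append("controlled access is not limited to selected groups")
    missing = REQUIRED_SCOPES - set(okta_app.get("granted_scopes", []))
    if missing:
        findings.append("API scopes not granted: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample: URIs copied from the Network endpoint tab (placeholders).
SC_ENDPOINTS = {"redirect": ["https://sc.example.com/oidc/callback"],
                "logout": ["https://sc.example.com/oidc/logout"]}
# Constructed sample: what an admin typed into Okta, with two common slips.
OKTA_APP = {"sign_in_redirect_uris": ["https://sc.example.com/oidc/callback/"],
            "sign_out_redirect_uris": ["https://sc.example.com/oidc/logout"],
            "controlled_access": "selected_groups", "groups": ["SC Operators"],
            "granted_scopes": ["okta.users.read"]}

if __name__ == "__main__":
    for finding in check_integration(SC_ENDPOINTS, OKTA_APP):
        print(finding)
```

Run against the sample it reports the trailing-slash redirect URI and the missing okta.groups.read scope; an empty result means the Okta side matches what Security Center published.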