How to integrate Security Center with Okta using OpenID Connect - Security Center 5.12

Security Center Administrator Guide 5.12
Product
Security Center
Content type
Guides > Administrator guides
Version
5.12
ft:locale
en-US
Last updated
2025-01-28

Before Security Center can use Okta to authenticate users with OpenID Connect, setup is required in Config Tool and the Okta Admin Console.

This example shows how to set up third-party authentication with Okta using the OpenID Connect (OIDC) UserInfo endpoint. The procedure is divided into three sections:

  1. Preparing Security Center
  2. Preparing Okta
  3. Integrating Security Center with Okta
Security Center offers assisted identity provider configuration to ease third-party authentication with Okta. It provides the relevant information needed for the configuration.
NOTE: When you create an Authentication Service role with Provider:Other, Security Center does not offer much assistance in the identity provider configuration.
Creating a role: Authentication Service window in Config Tool shows assisted identity provider configuration.
At each step, the configuration wizard helps you with the following tasks:
  • Locating the properties in the Okta Admin Console
  • Understanding the significance of each property
  • Validating the properties before you can proceed
  • Accessing corresponding help topics

To implement third-party authentication, you must have administrator rights in Security Center and Okta.

IMPORTANT: This sample integration might differ from your requirements and the Okta Admin Console is subject to change. When setting up Okta, ensure that all steps are adapted to your specific situation.

1 - Preparing Security Center

  1. Open Config Tool and connect to the Security Center main server as an administrator.
  2. From the Config Tool homepage, open the System task and click the Roles view.
  3. Click Add an entity () > Authentication Service.
    Add an entity menu in Config Tool, with the Authentication Service role highlighted.

    The Creating a role: Authentication Service window opens.

  4. In the Specific info section, select the identity provider and the authentication protocol and click Next.
    Provider
    Okta
    Protocol
    OpenID Connect
    Creating a role: Authentication Service window in Config Tool, with the Okta identity provider and the OpenID protocol selected.
  5. In the Basic information section, enter a name and optional description for the new Authentication Service role.
    Creating a role: Authentication Service window in Config Tool shows the Basic information fields for Okta.
  6. If there are partitions in your system, select the partition of which this role is a member and click Create.

    Partitions determine which Security Center users have access to this entity. Only users who have been granted access to the partition can see this role.

  7. From the App registration page, copy the redirect and logout URIs.

    For more information, see About role endpoints configuration.

  8. Click Suspend > Save.
    NOTE: The Suspend button allows you to save and exit the configuration wizard temporarily. You can suspend the configuration at any time during the process.

2 - Preparing Okta

Before completing these steps in the Okta Admin Console, you must have the following prerequisites:
  • An Okta administrator account
  • At least one user provisioned
  • At least one user group that contains the users you want to grant access to Security Center
  1. In the Okta Admin Console, select Applications > Applications and then click Create App Integration.
    Okta Admin Console shows the Create App Integration button on the Applications page.
  2. In the Create a new app integration wizard, select OIDC - OpenID Connect, Web Application and click Next.
    Create a new app integration wizard in the Okta Admin Console, with OIDC and Web Application selected.
  3. On the New Web App Integration page, configure the following settings and click Save:
    • App integration name: Enter the name of the App integration.
      New Web App Integration page in the Okta Admin Console, with callouts to App integration name and Grant type.
    • Sign-in redirect URIs: Copy from the redirect URIs in Security Center
      New Web App Integration page in the Okta Admin Console, with a callout to Sign-in redirect URIs.
    • Sign-out redirect URIs: Copy from the logout URIs in Security Center
      New Web App Integration page in the Okta Admin Console, with a callout to Sign-out redirect URIs.
    • Controlled access: Select Limit access to selected groups and add the required groups.
      New Web App Integration page in the Okta Admin Console, with a callout to Controlled access.
  4. On the General page for your application, copy the default Client ID and Client secret.

    These are needed to configure Security Center. If required, you can generate a new client secret.

    General page for web applications in the Okta Admin Console shows client credentials.
  5. Click the Okta API Scopes tab for your Security Center application and grant the okta.groups.read and okta.users.read operations.
    Okta API Scopes page in the Okta Admin Console shows granted operations.
  6. Click Security > API and copy the Issuer URI for the default authorization server.

    This URI is needed to configure Security Center.

    Okta Admin Console shows the Issuer URI on the API page.
  7. Open the default authorization server, click the Claims tab, and click Add Claim.
    Claims page for the default authorization server in the Okta Admin Console shows the Add Claim button.
  8. Add a groups claim as follows and click Create:
    Add Claim window in the Okta Admin Console shows the required settings for Security Center.
    NOTE: The Matches regex filter with .* returns all groups to which the authenticated user belongs.

    If required, you can also use this filter to exclude certain groups from the claim. At least one group assigned to Security Center must be included with the claim to grant access.

3 - Integrating Security Center with Okta

  • Before configuring an Authentication Service in Security Center, you must register the redirect and logout URIs in the Okta Admin Console.
  • The system validates the properties at each step before you can proceed.
  1. In Config Tool, select the Authentication Service role created earlier and click Configuration.

    The App registration page of the Creating a role: Authentication Service window opens and you can resume the configuration.

  2. On the App registration page, click Next.
  3. On the Communicate with provider page, click Start, enter Issuer and Application (client) ID, and click Next.
    Issuer
    Enter the Issuer URI that was copied from the default authorization server in Okta.
    Client ID
    Enter the Client ID that you copied from the Security Center application in Okta.

    Creating a role: Authentication Service window in Config Tool shows the Communicate window provider settings.

  4. In the Metadata section, enter the URL and click Next.

    The URL has the following syntax: https://<OktaIssuerURI>/.well-known/openid-configuration.

  5. On the Accepted domains page, configure the Default provider option:
    • This option is turned off by default. When turned off, you must add at least one domain name of users who can authenticate using this Authentication Service.

      Creating a role: Authentication Service window in Config Tool shows the Accepted domains settings.

    • Turn on the Default provider option to use this identity provider to authenticate users from all domains.

      If you have multiple Authentication Service roles, only one role can be set as the default provider, and this option is disabled for all other roles.

      CAUTION:
      Turning on the Default provider option deletes all domain names that were previously added.
  6. Specify whether or not to use this identity provider as a logon option.

    If you select Yes, enter the name of the identity provider to be displayed on the logon screen with the text "Sign in with <display name>".

  7. Click Next.
  8. (Optional) On the Client authentication page, turn on the Confidential client option to set Security Center as a confidential client of this identity provider.

    The Client secret field appears.

  9. (Optional) In the Client secret field, enter the client secret that was generated in the Okta Admin Console earlier.
  10. Click Next.
  11. On the Claims and scopes page, select the following properties:
    Username claim
    OpenID claim returned by the identity provider that contains the username of the authenticated party.

    Select: preferred_username

    Group claim
    OpenID claim returned by the identity provider that contains the groups the authenticated party belongs to.

    Select: groups

  12. Click Next.
  13. On the Groups page, click Add an item (), select an existing group or create a new user group, and click Next.
    Tip: You can export the list of active users from Okta Admin Console as a CSV file and import the group into Security Center. You can add one or more Security Center user groups with the same name or unique identifier as the groups assigned to the Security Center application in Okta.
  14. On the Test the configuration page, click Test logon to validate the configuration, and click Next.

    For more information, see Testing a third-party authentication setup.

  15. On the Creation outcome page, verify that the information is correct and click Next > Close.
Parent topic: Integration overview for third-party authentication using OpenID Connect
Browse