Okta as RP (OIDC)
|While this use case was validated for accuracy, it can always be improved. To provide feedback, click or in the top right of this page (you must be logged into Backstage).
Estimated time to complete: 20 minutes
In this use case, configure SSO using OIDC with Identity Cloud as the identity provider (IDP) and Okta as the service provider (SP).
After completing this use case, you will know how to do the following:
Configure Identity Cloud as an OIDC identity provider
Configure Okta as a remote SP
Use the Identity Cloud End User UI application dashboard to federate to Okta
Before you start, make sure you have the following:
A basic understanding of:
The Identity Cloud admin UI and Identity Cloud End User UI
Completed the use case Create test users and roles
Access to your test Identity Cloud environment as an administrator
Access to an Okta development environment as an administrator
|This use case requires the use of third-party services. Use your environment-specific details where necessary.
Log in to the Identity Cloud admin UI.
In the Identity Cloud admin UI, go to Applications > Custom Application > OIDC - OpenId Connect > Web.
On the Application Details page, add a web application with the following configuration, and then click Next:
App Logo URI
On the Web Settings page, add the following configuration, and then click Create Application:
Enter a password for the client. Remember the password because you need it to configure Okta.
The Okta client page is displayed.
On the Okta client page, go to the Sign On tab, add the following configuration, and then click Save:
At the end of the General Settings panel, click Show advanced settings, and then Authentication.
Set Token Endpoint Authentication Method to
client_secret_postand click Save.
The configuration should resemble the following examples:
|To require Identity Cloud to ask for consent to share information during authorization flows, deselect Implied Consent.
For more information, refer to Okta’s documentation Create an app at the Identity Provider.
Log in to the administrator interface for your Okta tenant and go to the Dashboard.
On the Okta Admin Console, click Directory > People > Add person and create a user with the same configuration as a user in Identity Cloud. This example uses the following user:
I will set password
User must change password on first login
Select Security > Identity Providers > Add identity providers and add an OpenID Connect IdP provider.
On the Configure OpenID Connect IdP page, add the following configuration, and then click Finish. Leave other fields with the default values:
The password created for
okta_clientin Task 1: Create a custom OIDC application in Identity Cloud
The port number is required for this property.
If no match is found
Create new user (JIT)
Update attributes for existing users
The ForgeRock identity provider page is displayed.
(Optional) Select Edit profile and mappings to change the mapping of attributes from Identity Cloud to Okta.
Enable the ForgeRock identity provider:
On the Okta Admin Console, go to Security > Identity Providers.
On the Routing Rules tab, click Add Routing Rule to redirect requests that meet defined criteria for authentication with Identity Cloud. The following rule redirects all requests from the
ForgeRock Identity Cloud
IF User’s IP is
AND User’s device platform is
AND User is accessing
AND User matches
Domain list on login
THEN Use this identity provider
For other options, refer to Okta’s documentation.
At the Activate Rule prompt, activate the rule immediately.
Now that you have created and configured a custom OIDC application and configured Okta as the SP, validate the configurations by:
Logging in to Okta as an end user
Authenticating to Identity Cloud after redirection
In your browser’s privacy or incognito mode, go to your Okta tenant.
Log in as the user you created in Okta. For example, log in as username
Because the username matches the routing rule created in Task 2: Add Identity Cloud as an IDP in Okta, Okta redirects the request to Identity Cloud for authentication.
If something is wrong, the authorization response contains error information to help you resolve the issue.
Log in to Identity Cloud as the identity you created in Create test users and roles. This example logs in as username
If you deselected Implied Consent in Create a custom OIDC application in Identity Cloud, you are prompted for consent:
Click Allow to give Identity Cloud consent to access Okta resources.
After consenting, you are logged in to Okta.
In a separate incognito browser, return to your Okta tenant.
In the Okta sign in window, enter the email of a user that exists in Identity Cloud but not in Okta. For example, enter username
firstname.lastname@example.org in Create test users and roles.
Okta redirects the request to Identity Cloud for authentication.
Log in to Identity Cloud as a user. For example, log in as username
After successful authentication, the Okta JIT provisions the user
bramanbased on information in the response and logs them in to Okta.
On the Okta Admin Console, click Directory > People and see that
email@example.com been provisioned automatically.
In Okta, manually add users, assign them to apps and groups, and manage their profile.
In Okta, create a client application to use for authenticating and authorizing users.
In Okta, configure routing rules for each of your Identity Providers or for different combinations of user criteria.
Set up and manage applications that work with Identity Cloud.