PingOne Advanced Identity Cloud

Okta as RP (OIDC)

While this PingOne Advanced Identity Cloud use case was validated for accuracy, it can always be improved. To provide feedback, click thumb_up or thumb_down in the top right of this page (you must be logged into Backstage).

Description

Estimated time to complete: 20 minutes

In this use case, configure SSO using OIDC with Advanced Identity Cloud as the identity provider (IDP) and Okta as the service provider (SP).

Goals

After completing this use case, you will know how to do the following:

  • Configure Advanced Identity Cloud as an OIDC identity provider

  • Configure Okta as a remote SP

  • Use the Advanced Identity Cloud end-user UI application dashboard to federate to Okta

Prerequisites

Before you start, make sure you have the following:

  • A basic understanding of:

    • The Advanced Identity Cloud admin UI and Advanced Identity Cloud end-user UI

    • SSO (Federation)

    • OIDC

  • Completed the use case Create test users and roles

  • Access to your test Advanced Identity Cloud environment as an administrator

  • Access to an Okta development environment as an administrator

Tasks

This use case requires the use of third-party services. Use your environment-specific details where necessary.

Task 1: Create a custom OIDC application in Advanced Identity Cloud

  1. Log in to the Advanced Identity Cloud admin UI.

  2. In the Advanced Identity Cloud admin UI, go to apps Applications > add Custom Application > OIDC - OpenId Connect > Web.

  3. On the Application Details page, add a web application with the following configuration, and then click Next:

    Field Value

    Name

    okta_client

    Description

    Okta client

    Owners

    App Owner

    App Logo URI

    https://www.okta.com/sites/default/files/Okta_Logo_BrightBlue_Medium-thumbnail.png

  4. On the Web Settings page, add the following configuration, and then click Create Application:

    Field Value

    Client ID

    okta_client

    Client Secret

    Enter a password for the client. Remember the password because you need it to configure Okta.

    The Okta client page is displayed.

  5. On the Okta client page, go to the Sign On tab, add the following configuration, and then click Save:

    Field Value

    Sign-in URLs

    https://<okta-tenant-env-fqdn>/oauth2/v1/authorize/callback

    Grant Types

    Authorization Code

    Scopes

    openid, profile, email

  6. At the end of the General Settings panel, click Show advanced settings, and then Authentication.

  7. Set Token Endpoint Authentication Method to client_secret_post and click Save.

    The configuration should resemble the following examples:

    Add Okta client
    Add Okta client
    Add Okta client
To require Advanced Identity Cloud to ask for consent to share information during authorization flows, deselect Implied Consent.

Task 2: Add Advanced Identity Cloud as an IDP in Okta

Refer to Okta’s documentation on how to Create an app at the Identity Provider.

  1. Log in to the administrator interface for your Okta tenant and go to the Dashboard.

  2. On the Okta Admin Console, click Directory > People > Add person and create a user with the same configuration as a user in Advanced Identity Cloud. This example uses the following user:

    Field Value

    Username

    acruse

    First Name

    alex

    Last Name

    cruse

    Email Address

    alex.cruse@example.com

    I will set password

    Enable

    Password

    Secret12!

    User must change password on first login

    Disable

  3. Select Security > Identity Providers > Add identity providers and add an OpenID Connect IdP provider.

  4. On the Configure OpenID Connect IdP page, add the following configuration, and then click Finish. Leave other fields with the default values:

    Field Value

    Name

    ForgeRock

    IdP Usage

    SSO only

    Scopes

    email, openid, profile

    Client ID

    okta_client

    Authentication type

    Client secret

    Client Secret

    Issuer

    https://<tenant-env-fqdn>:443/am/oauth2/alpha

    The port number is required for this property.

    Authorization endpoint

    https://<tenant-env-fqdn>/am/oauth2/alpha/authorize

    Token endpoint

    https://<tenant-env-fqdn>/am/oauth2/alpha/access_token

    JWKS endpoint

    https://<tenant-env-fqdn>/am/oauth2/alpha/connect/jwk_uri

    Userinfo endpoint

    https://<tenant-env-fqdn>/am/oauth2/alpha/userinfo

    If no match is found

    Create new user (JIT)

    Profile Source

    Update attributes for existing users

    The ForgeRock identity provider page is displayed.

  5. (Optional) Select Edit profile and mappings to change the mapping of attributes from Advanced Identity Cloud to Okta.

  6. Enable the ForgeRock identity provider:

    1. On the Okta Admin Console, go to Security > Identity Providers.

    2. On the Routing Rules tab, click Add Routing Rule to redirect requests that meet defined criteria for authentication with Advanced Identity Cloud. The following rule redirects all requests from the example.com domain:

      Field Value

      Rule Name

      PingOne Advanced Identity Cloud

      IF User’s IP is

      Anywhere

      AND User’s device platform is

      Any device

      AND User is accessing

      Any application

      AND User matches

      Domain list on login

      example.com

      THEN Use this identity provider

      ForgeRock

      For other options, learn more in Okta’s documentation.

    3. At the Activate Rule prompt, activate the rule immediately.

      Routing rule
      Check in

      At this point, you:

      Created and configured a custom OIDC application in Advanced Identity Cloud for SSO with Okta

      Configured Okta to redirect requests to Advanced Identity Cloud for authentication. After successful authentication, return the request to Okta.

Validation

Now that you have created and configured a custom OIDC application and configured Okta as the SP, validate the configurations by:

  • Logging in to Okta as an end user

  • Authenticating to Advanced Identity Cloud after redirection

Validate your work with an identity that exists in Advanced Identity Cloud and Okta

  1. In your browser’s privacy or incognito mode, go to your Okta tenant.

  2. Log in as the user you created in Okta. For example, log in as username alex.cruse@example.com.

    Because the username matches the routing rule created in Task 2: Add Advanced Identity Cloud as an IDP in Okta, Okta redirects the request to Advanced Identity Cloud for authentication.

    If something is wrong, the authorization response contains error information to help you resolve the issue.

  3. Log in to Advanced Identity Cloud as the identity you created in Create test users and roles. This example logs in as username acruse password Secret12!.

    If you deselected Implied Consent in Create a custom OIDC application in Advanced Identity Cloud, you are prompted for consent:

    Add new role
  4. Click Allow to give Advanced Identity Cloud consent to access Okta resources.

    After consenting, you are logged in to Okta.

    Success

Validate your work with an identity that exists in Advanced Identity Cloud but not in Okta

  1. In a separate incognito browser, return to your Okta tenant.

  2. In the Okta sign in window, enter the email of a user that exists in Advanced Identity Cloud but not in Okta. For example, enter username bina.raman@example.com created in Create test users and roles.

    Okta redirects the request to Advanced Identity Cloud for authentication.

  3. Log in to Advanced Identity Cloud as a user. For example, log in as username braman password Secret12!.

    After successful authentication, the Okta JIT provisions the user braman based on information in the response and logs them in to Okta.

  4. On the Okta Admin Console, click Directory > People and see that braman@example.com has been provisioned automatically.

Explore further

Reference material

Reference Description

Add users manually

In Okta, manually add users, assign them to apps and groups, and manage their profile.

Create an app at the Identity Provider

In Okta, create a client application to use for authenticating and authorizing users.

link:

Configure identity provider routing rules

In Okta, configure routing rules for each of your Identity Providers or for different combinations of user criteria.

Application management

Set up and manage applications that work with Advanced Identity Cloud.

Copyright © 2010-2024 ForgeRock, all rights reserved.