Okta Workforce Keycloak
This guide walks you through the steps required to configure Okta Workforce as a Single Sign-On (SSO) provider for an On Premise deployment of Observo using OpenID Connect (OIDC).
Prerequisites
An active Okta Workspace account.
A running Observo On Premise deployment.
Admin access to both Okta and Observo.
Steps to Set Up Okta as an OIDC Identity Provider in Observo
1. Create an OIDC Application in Okta
You need to create an OIDC application in Okta so that the On Premise Observo deployment can authenticate users against it.
Log into Okta as an admin.
Go to Applications > Applications in the Okta dashboard.
Click on Create App Integration.
Select OIDC - OpenID Connect as the Sign-in method, and choose Web Application for the Application type. Click Next.
Fill out the following fields:
App name: Provide a name for the application (e.g., Observo SSO).
Sign-in redirect URIs: This must point to the identity broker of your On Premise Observo deployment, which in this case is the Keycloak realm's OIDC broker endpoint: http://<ObservoOnPremURL>/observo-auth/realms/master/broker/okta/endpoint
Sign-out redirect URIs: http://<ObservoOnPremURL>/observo-auth/realms/master/broker/okta/endpoint/logout_response
Under Controlled access, choose whether to allow everyone or a specific group of users.
Click Save to create the application.
2. Retrieve Okta Application Credentials
After creating the application in Okta, you will need its credentials for the Observo Keycloak configuration.
In the app's General tab, find:
Client ID: Copy this value.
Client Secret: Click Edit to reveal and copy this value.
In the left menu, go to Security > API and copy the Issuer URI of the authorization server you want to use.
3. Configure Observo to Use Okta as an Identity Provider
Now configure Okta as an Identity Provider in Observo Keycloak.
Log into Observo Keycloak with the Observo Admin user's credentials. Observo Keycloak is hosted at this URL: http://<ObservoOnPremURL>/observo-auth
Select the realm of your Observo deployment to configure Okta SSO. master is the default realm.
In the left-hand menu, click Identity Providers.
From the Add provider dropdown, select OpenID Connect v1.0.
Fill in the following details:
Alias: okta
Display name: (Optional) The name that users will see on the login screen.
Turn off Use discovery endpoint if it is enabled.
Authorization URL: Use <IssuerURL>/v1/authorize
Token URL: Use <IssuerURL>/v1/token
Logout URL: (Optional) Use <IssuerURL>/v1/logout
User Info URL: Use <IssuerURL>/v1/userinfo
Issuer: Enter the Issuer URI you copied from Okta.
In the Client Authentication section:
Client ID: Paste the Client ID from Okta.
Client Secret: Paste the Client Secret from Okta.
Click Save.
Now open the newly created Identity Provider, expand the Advanced section, and add the openid email profile scopes.
4. Add Role Mapper (Optional)
To use the role mapper feature of Observo, follow the steps below:
Go to Realm roles in Keycloak and create the roles you want to use in role mapping.
Now go to Identity Providers and select the Okta IdP created in the previous step.
We need to create mappers that map Okta token claims to Keycloak roles. The Keycloak roles will then be inserted into the token.
Steps to create a Mapper for a Role
Select the Mappers tab and click Add Mapper.
Give the new mapper a name (for example: AdminRoleMapper).
Set Sync mode override to Force.
Use Advanced Claim to Role as the Mapper Type.
Click Add Claims and enter your Okta claim name as the Claim Key and the claim value (or a regex matching it) as the value.
Mark Regex Claim Values if you are using a regex in the claim value.
Now choose the Keycloak realm roles that you want to map to your Okta claim.
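As an added example (not code from Observo, Okta or Keycloak), the following Python builds the Keycloak identity-provider and role-mapper payloads described in steps 1, 3 and 4 and checks the manually entered URLs against the issuer's discovery document. The config keys are Keycloak's own OIDC identity-provider and Advanced Claim to Role mapper keys, in the shape the Keycloak admin REST API accepts; the Observo URL, Okta issuer, client credentials and claim names are constructed placeholders.

```python
import json

# Constructed placeholder values (not from any real tenant); replace with your own.
OBSERVO_URL = "http://observo.example.test"
OKTA_ISSUER = "https://dev-000000.okta.com/oauth2/default"

def redirect_uris(observo_url, realm="master", alias="okta"):
    """Sign-in / sign-out redirect URIs to register in the Okta app (step 1)."""
    base = f"{observo_url.rstrip('/')}/observo-auth/realms/{realm}/broker/{alias}/endpoint"
    return {"sign_in": base, "sign_out": f"{base}/logout_response"}

def okta_endpoints(issuer):
    """Endpoint URLs the guide has you enter manually, derived from the Okta issuer (step 3)."""
    issuer = issuer.rstrip("/")
    return {"issuer": issuer, "authorizationUrl": f"{issuer}/v1/authorize",
            "tokenUrl": f"{issuer}/v1/token", "logoutUrl": f"{issuer}/v1/logout",
            "userInfoUrl": f"{issuer}/v1/userinfo"}

def idp_representation(issuer, client_id, client_secret, alias="okta", display_name="Okta"):
    """Keycloak IdentityProviderRepresentation body for the admin REST API (step 3)."""
    cfg = okta_endpoints(issuer)
    cfg.update({"clientId": client_id, "clientSecret": client_secret,
                "defaultScope": "openid email profile",  # the Advanced > Scopes field
                "validateSignature": "true", "syncMode": "FORCE"})
    return {"alias": alias, "displayName": display_name, "providerId": "oidc",
            "enabled": True, "config": cfg}

def role_mapper(name, claim_key, claim_value, realm_role, regex=False, alias="okta"):
    """Advanced Claim to Role mapper (step 4): Okta claim key/value -> Keycloak realm role."""
    return {"name": name, "identityProviderAlias": alias,
            "identityProviderMapper": "oidc-advanced-role-idp-mapper",
            "config": {"syncMode": "FORCE", "role": realm_role,
                       "claims": json.dumps([{"key": claim_key, "value": claim_value}]),
                       "are.claim.values.regex": "true" if regex else "false"}}

def check_against_discovery(cfg, discovery):
    """Compare the manually entered URLs with the issuer's openid-configuration document.
    Returns {field: (entered, published)} for each mismatch; an empty dict means consistent."""
    pairs = {"issuer": "issuer", "authorizationUrl": "authorization_endpoint",
             "tokenUrl": "token_endpoint", "userInfoUrl": "userinfo_endpoint",
             "logoutUrl": "end_session_endpoint"}
    return {k: (cfg.get(k), discovery.get(d)) for k, d in pairs.items()
            if cfg.get(k) != discovery.get(d)}

if __name__ == "__main__":
    rep = idp_representation(OKTA_ISSUER, "<client-id>", "<client-secret>")
    print(json.dumps(redirect_uris(OBSERVO_URL), indent=2))
    print(json.dumps(rep, indent=2))
    print(json.dumps(role_mapper("AdminRoleMapper", "groups", "^observo-admins$", "admin", True), indent=2))
```

Because the guide turns the discovery endpoint off, feeding the JSON from <IssuerURL>/.well-known/openid-configuration into check_against_discovery is the quick way to confirm the hand-typed URLs and the Issuer (which Keycloak validates in every token) match what the Okta authorization server actually publishes.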
5. Test the Integration
Once the configuration is saved, test the Okta SSO integration.
Open the Observo UI.
Select the Observo Okta SSO option.
Log in with your Okta credentials.
After successful authentication, you should be redirected back to the Observo UI and logged in.
By following these steps, you should have Okta Workforce successfully integrated with your Observo On Premise deployment.