Okta AuthN

The federation gateway feature supports integration with Okta authentication. In this scenario, users are authenticated against the company's Okta domain, so their passwords do not need to be stored in our system.

Okta authentication is triggered from the login page when the user clicks the Okta icon, or automatically if Okta is the only provider enabled.

Authentication

Basic configuration

Okta authentication is configured in appsettings.json of the authentication service, under LoginSettings.IdentityProvidersSettings.Okta:

  • Enabled enables this provider. Check the installation guide first, as some IT configuration is required before this provider can be used.
  • UserPolicies configures how user matching and sync are performed.

User matching

To log in to our system, the authenticated Okta user must already exist in our system. Users are matched according to the rules defined in LoginSettings.IdentityProvidersSettings.Okta.UserPolicies.MatchingFields. The valid options are:

  1. Email.
  2. SsoUsername. Any unique identifier for the user, different from the username. It can hold an email address, which may differ from the email address the user receives notifications at.

User sync during authentication

During the matching process, some of the user's properties can be updated using the collections UserPolicies.FieldsToUpdatesWhenNull and UserPolicies.FieldsToUpdatesWhenDifferent. The valid options for updates in both scenarios are:

| Option      | Okta claim | Sequel's field |
|-------------|------------|----------------|
| Email       | Email      | Email          |
| FirstName   | GivenName  | FirstName      |
| LastName    | Surname    | LastName       |
| SsoUsername | Email      | SsoUsername    |

The default configuration looks like:

      "Okta": {
        "Enabled": true,
        "Domain": "_domain_",
        "AuthorizationServerId": null,
        "ClientId": "_clientID_",
        "ClientSecret": "_clientSecret_",
        "UserPolicies": {
          "MatchingFields": [ "Email" ],
          "FieldsToUpdatesWhenDifferent": [ "FirstName", "LastName" ]
        }
      },

If UserPolicies is missing, or if any of its properties is null or empty, the following default values apply:

| MatchingFields | FieldsToUpdatesWhenDifferent |
|----------------|------------------------------|
| Email          | FirstName, LastName          |
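
The matching, sync and default rules described on this page can be modelled as follows. This is an added Python illustration, not the product's own code. It assumes that matching fields are tried in the order listed, that comparison is case-insensitive, that an ambiguous match is rejected, and that FieldsToUpdatesWhenNull defaults to empty; the function names and sample data are constructed for the example.

```python
# Added illustration of the rules on this page; not the product's implementation.
CLAIM_FOR_FIELD = {  # option -> Okta claim, taken from the table above
    "Email": "Email", "FirstName": "GivenName",
    "LastName": "Surname", "SsoUsername": "Email",
}
DEFAULTS = {"MatchingFields": ["Email"],
            "FieldsToUpdatesWhenDifferent": ["FirstName", "LastName"]}

def effective_policies(okta_cfg):
    """Apply the documented defaults when UserPolicies or a property is missing, null or empty."""
    policies = dict(okta_cfg.get("UserPolicies") or {})
    for key, default in DEFAULTS.items():
        if not policies.get(key):
            policies[key] = list(default)
    # Assumption: the page states no default for FieldsToUpdatesWhenNull, so use an empty list.
    policies["FieldsToUpdatesWhenNull"] = policies.get("FieldsToUpdatesWhenNull") or []
    return policies

def match_user(claims, users, policies):
    """Return the single local user matching the Okta claims, or None (login refused)."""
    for field in policies["MatchingFields"]:  # assumption: tried in the order listed
        wanted = (claims.get(CLAIM_FOR_FIELD[field]) or "").casefold()
        if not wanted:
            continue
        hits = [u for u in users if (u.get(field) or "").casefold() == wanted]
        if len(hits) > 1:
            return None  # assumption: an ambiguous match fails closed
        if hits:
            return hits[0]
    return None

def sync_user(user, claims, policies):
    """Update the matched user in place and return the names of the changed fields."""
    rules = [(f, False) for f in policies["FieldsToUpdatesWhenNull"]] + \
            [(f, True) for f in policies["FieldsToUpdatesWhenDifferent"]]
    changed = []
    for field, overwrite in rules:
        value, current = claims.get(CLAIM_FOR_FIELD[field]), user.get(field)
        if value and current != value and (overwrite or not current):
            user[field] = value
            changed.append(field)
    return changed

# Constructed sample data (not taken from the product).
USERS = [{"Username": "jdoe", "Email": "jane.doe@example.com", "SsoUsername": None,
          "FirstName": "Jane", "LastName": "Do"}]
CLAIMS = {"Email": "Jane.Doe@example.com", "GivenName": "Jane", "Surname": "Doe"}
```

Because SsoUsername is populated from the Okta Email claim, listing Email or SsoUsername under FieldsToUpdatesWhenDifferent lets the Okta side rewrite a field that may also be used for matching, which is worth reviewing before enabling.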