PIXILAB Wiki

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
blocks:sso:okta [2019-03-12 12:44]
max 		blocks:sso:okta [2024-08-20 12:17] (current)
melvin Joao changes
Line 1: Line 1:
-====Okta====+====Blocks single-sign-on using OKTA==== 
 + 
 +This article describes how to set up Blocks single-sign-on using the popular [[https://www.okta.com|OKTA SSO service provider]]. 
  
   - Login to your okta account and navigate to the admin pages.   - Login to your okta account and navigate to the admin pages.
-  - Add an application by clicking "Applications" in the main menu. Click the "Add Applicationbutton in the top, then press the "Create New App" button. Select "Web" as the platform and "OpenID Connect" as the Sign on method+  - Add an application by clicking "Applications" in the main menu. From the options that show up, proceed to select "Applications". Click the "Create App Integration" button at the top. Select "OIDC - OpenID Connect" as the Sign-in method and "Web Application" as the Application type. Click "Next"
-  - Give you application a name and enter "https://[BLOCKS-IP]/rest/auth/callback?client=OidcClient" as the "Login redirect URI". +  - Give you application a name and enter "https://[BLOCKS-IP]/rest/auth/callback?client_name=OidcClient" as the "Sign-in redirect URIs". Scroll down, and under "Assignments", select the option that suits you better. Click the "Save" button to finish this creation
-  - Select the "Sign On" tab at the top of your application page. Scroll down and press the "Edit" button at the top of the "OpenID Connect ID Token" section. Adjust the values to match the ones on the image below.+  - Select the "Sign On" tab at the top of your application page. Scroll down and press the "Edit" button at the top of the "OpenID Connect ID Token" section. Adjust the values to match the ones on the image below. What this means is that when Okta sends information about a specific user back to Blocks, after a successful authentication, it will include all of the user's groups – renamed to roles – in the user data. Note that the "BlocksRole.*" only include the roles that starts with "BlocksRole". If you name your roles differently you'd have to adjust this value.
     * {{:blocks:sso:1.png|}}     * {{:blocks:sso:1.png|}}
   - Click on the "Directory" button in the main menu and select "Groups".   - Click on the "Directory" button in the main menu and select "Groups".
Line 15: Line 17:
     * BlocksRoleStaff     * BlocksRoleStaff
   - Click on the "BlocksRoleAdmin" role to edit the role.   - Click on the "BlocksRoleAdmin" role to edit the role.
-  - At the top, click the "Manage Apps" button and assign in to your application. Close the window and click the "Manage People" button (next to "Manage Apps"). Assign members to the group and click "Save". Repeat this process with all of the groups, assign them to your application and add members that you want to represent each group. +  - At the top, click the "Applications" button and assign it to your application. Close the window and click the "People" button (next to "Applications"). Assign members to the group and click "Save". Repeat this process with all of the groups, assign them to your application and add members that you want to represent each group. 
-  - Click on the "Applications" button in the main menu and select your newly created application. Click on the General tab and locate the "Client Credentials" section at the bottom. Note the values for "Client ID" and "Client secret" for use in step 10+  - Click on the "Applications" button in the main menu and select your newly created application. Click on the General tab and locate the "Client Credentials" section. Note the values for "Client ID" and "Client secret" for use in step 1 of the Blocks specific section below. 
-  - Open your server configuration file and add the "auth" section below to the allready existing "server" section. Replace the values of [BLOCKS-IP], [YOUR-OKTA-SUBDOMAIN], [CLIENT-ID] and [CLIENT-SECRET]. [YOUR-OKTA-SUBDOMAIN] is visible as "Issuer" in the "OpenID Connect ID Token" section of the "Sign On" tab (see step 4). + 
-<code> +====Blocks specific steps==== 
-    server: + 
-      auth: +  - Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-DOMAIN-OR-IP], [YOUR-OKTA-SUBDOMAIN], [CLIENT-ID] and [CLIENT-SECRET]. [YOUR-OKTA-SUBDOMAIN] is visible as "Issuer" in the "OpenID Connect ID Token" section of the "Sign On" tab (see step 4). 
-        urlResolver: null +    <code> 
-        ajaxRequestResolver: null +server: 
-        callbackUrl: https://[BLOCKS-IP]/rest/auth/callback +  type: pixilab_server 
-        rolesOwner: attributes +  auth: 
-        rolesPath: roles +    urlResolver: null 
-        rolesMapping: +    ajaxRequestResolver: null 
-          BlocksRoleAdmin: Admin +    callbackUrl: http://[BLOCKS-DOMAIN-OR-IP]/rest/auth/callback 
-          BlocksRoleManager: Manager +    rolesOwner: attributes 
-          BlocksRoleCreator: Creator +    rolesPath: roles 
-          BlocksRoleEditor: Editor +    rolesMapping: 
-          BlocksRoleContributor: Contributor +      BlocksRoleAdmin: Admin 
-          BlocksRoleStaff: Staff +      BlocksRoleManager: Manager 
-        clients: +      BlocksRoleCreator: Creator 
-          - org.pac4j.oidc.client.OidcClient: +      BlocksRoleEditor: Editor 
-              configuration: +      BlocksRoleContributor: Contributor 
-                discoveryURI: [YOUR-OKTA-SUBDOMAIN]/.well-known/openid-configuration +      BlocksRoleStaff: Staff 
-                clientId: [CLIENT-ID] +    clients: 
-                secret: [CLIENT-SECRET] +      - org.pac4j.oidc.client.OidcClient: 
-                clientAuthenticationMethod: client_secret_basic +          configuration: 
-                scope: openid profile groups +            discoveryURI: [YOUR-OKTA-SUBDOMAIN]/.well-known/openid-configuration 
-        servlet: +            clientId: [CLIENT-ID] 
-          security: +            secret: [CLIENT-SECRET] 
-            - matchers: internalMatcher +            clientAuthenticationMethod: client_secret_basic 
-            clients: OidcClient +            scope: openid profile groups 
-            authorizers: isAuthenticated+    servlet: 
 +      security: 
 +        - matchers: internalMatcher 
 +          clients: OidcClient 
 +          authorizers: isAuthenticated 
 +applicationConnectors: 
 +  useForwardedHeaders: true
 </code> </code>
 +  - Start Blocks and go to "/edit" for login.
  
-Start Blocks and go to "/edit" for login.+===Role Mapping=== 
 + 
 +When the roles (through groups) you've added to your Okta configuration does not match the roles used by blocks, as per our description in the section above (step 6). You can add role mapping to the Blocks configuration file. You do this by defining a server.auth.rolesMapping parameter where the keys are the roles of your Okta configuration and the values the roles Blocks know about. For example: 
 +<code> 
 +rolesMapping: 
 +  BlocksRoleAdmin: Admin 
 +  BlocksRoleManager: Manager 
 +  BlocksRoleCreator: Creator 
 +  BlocksRoleEditor: Editor 
 +  BlocksRoleContributor: Contributor 
 +  BlocksRoleStaff: Staff 
 +</code> 
 +This mapping is already included in the configuration example, but it can be a good thing to keep in mind if your roles look different from what we configured in step 6 of the section above.