| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
blocks:sso:okta [2019-03-12 15:17]
max [Blocks specific steps] |
blocks:sso:okta [2024-08-20 12:17] (current)
melvin Joao changes |
| ====Okta==== | ====Blocks single-sign-on using OKTA==== |
| | |
| | This article describes how to set up Blocks single-sign-on using the popular [[https://www.okta.com|OKTA SSO service provider]]. |
| |
| - Login to your okta account and navigate to the admin pages. | - Login to your okta account and navigate to the admin pages. |
| - Add an application by clicking "Applications" in the main menu. Click the "Add Application" button in the top, then press the "Create New App" button. Select "Web" as the platform and "OpenID Connect" as the Sign on method. | - Add an application by clicking "Applications" in the main menu. From the options that show up, proceed to select "Applications". Click the "Create App Integration" button at the top. Select "OIDC - OpenID Connect" as the Sign-in method and "Web Application" as the Application type. Click "Next". |
| - Give you application a name and enter "https://[BLOCKS-IP]/rest/auth/callback?client=OidcClient" as the "Login redirect URI". | - Give you application a name and enter "https://[BLOCKS-IP]/rest/auth/callback?client_name=OidcClient" as the "Sign-in redirect URIs". Scroll down, and under "Assignments", select the option that suits you better. Click the "Save" button to finish this creation. |
| - Select the "Sign On" tab at the top of your application page. Scroll down and press the "Edit" button at the top of the "OpenID Connect ID Token" section. Adjust the values to match the ones on the image below. What this means is that when Okta sends information about a specific user back to Blocks, after a successful authentication, it will include all of the user's groups – renamed to roles – in the user data. Note that the "BlocksRole.*" only include the roles that starts with "BlocksRole". If you name your roles differently you'd have to adjust this value. | - Select the "Sign On" tab at the top of your application page. Scroll down and press the "Edit" button at the top of the "OpenID Connect ID Token" section. Adjust the values to match the ones on the image below. What this means is that when Okta sends information about a specific user back to Blocks, after a successful authentication, it will include all of the user's groups – renamed to roles – in the user data. Note that the "BlocksRole.*" only include the roles that starts with "BlocksRole". If you name your roles differently you'd have to adjust this value. |
| * {{:blocks:sso:1.png|}} | * {{:blocks:sso:1.png|}} |
| * BlocksRoleStaff | * BlocksRoleStaff |
| - Click on the "BlocksRoleAdmin" role to edit the role. | - Click on the "BlocksRoleAdmin" role to edit the role. |
| - At the top, click the "Manage Apps" button and assign in to your application. Close the window and click the "Manage People" button (next to "Manage Apps"). Assign members to the group and click "Save". Repeat this process with all of the groups, assign them to your application and add members that you want to represent each group. | - At the top, click the "Applications" button and assign it to your application. Close the window and click the "People" button (next to "Applications"). Assign members to the group and click "Save". Repeat this process with all of the groups, assign them to your application and add members that you want to represent each group. |
| - Click on the "Applications" button in the main menu and select your newly created application. Click on the General tab and locate the "Client Credentials" section at the bottom. Note the values for "Client ID" and "Client secret" for use in step 1 of the Blocks specific section below. | - Click on the "Applications" button in the main menu and select your newly created application. Click on the General tab and locate the "Client Credentials" section. Note the values for "Client ID" and "Client secret" for use in step 1 of the Blocks specific section below. |
| |
| ====Blocks specific steps==== | ====Blocks specific steps==== |
| |
| - Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-IP], [YOUR-OKTA-SUBDOMAIN], [CLIENT-ID] and [CLIENT-SECRET]. [YOUR-OKTA-SUBDOMAIN] is visible as "Issuer" in the "OpenID Connect ID Token" section of the "Sign On" tab (see step 4). | - Open your Blocks configuration file on your Blocks server and add the "auth" section below to the already existing "server" section. Replace the values of [BLOCKS-DOMAIN-OR-IP], [YOUR-OKTA-SUBDOMAIN], [CLIENT-ID] and [CLIENT-SECRET]. [YOUR-OKTA-SUBDOMAIN] is visible as "Issuer" in the "OpenID Connect ID Token" section of the "Sign On" tab (see step 4). |
| * <code> | * <code> |
| server: | server: |
| | type: pixilab_server |
| auth: | auth: |
| urlResolver: null | urlResolver: null |
| ajaxRequestResolver: null | ajaxRequestResolver: null |
| callbackUrl: https://[BLOCKS-IP]/rest/auth/callback | callbackUrl: http://[BLOCKS-DOMAIN-OR-IP]/rest/auth/callback |
| rolesOwner: attributes | rolesOwner: attributes |
| rolesPath: roles | rolesPath: roles |
| security: | security: |
| - matchers: internalMatcher | - matchers: internalMatcher |
| clients: OidcClient | clients: OidcClient |
| authorizers: isAuthenticated | authorizers: isAuthenticated |
| | applicationConnectors: |
| | useForwardedHeaders: true |
| </code> | </code> |
| - Start Blocks and go to "/edit" for login. | - Start Blocks and go to "/edit" for login. |
| <code> | <code> |
| rolesMapping: | rolesMapping: |
| KeyCloakAdmin: Admin | BlocksRoleAdmin: Admin |
| KeyCloakManager: Manager | BlocksRoleManager: Manager |
| KeyCloakCreator: Creator | BlocksRoleCreator: Creator |
| KeyCloakEditor: Editor | BlocksRoleEditor: Editor |
| KeyCloakContributor: Contributor | BlocksRoleContributor: Contributor |
| KeyCloakStaff: Staff | BlocksRoleStaff: Staff |
| </code> | </code> |
| This mapping is already included in the configuration example, but it can be a good thing to keep in mind if your roles look different from what we configured in step of the section above. | This mapping is already included in the configuration example, but it can be a good thing to keep in mind if your roles look different from what we configured in step 6 of the section above. |