Okta Integration - Metadata #221
-
I am looking at introducing Lithnet Access Manager; one of the requirements for us is to link to Okta. I have read the article (https://docs.lithnet.io/ams/configuration/setting-up-authentication/setting-up-authentication-with-okta), but our internal team have requested that I provide metadata to create the app integration in Okta. I have searched but not found any details on how I can find these details. Is anyone able to help point me in the right direction to find the metadata so we can set up this integration?
Replies: 1 comment
Hi Andy,

Access Manager does not support SAML - only OpenID Connect is supported for our AzureAD and Okta integration.

Unlike SAML, no metadata is required for the IdP when OIDC is used; instead, Access Manager should be set up inside of Okta as an 'OpenID Connect > Web Application'.

You can create an application inside Okta using the standard 'OpenID Connect > Web Application' type, and configure the following settings:

- Grant type: authorization code
- Sign-in redirect URI: https://<ams_server>/auth/
- Sign-out redirect URI: https://<ams_server>/auth/logout

Once completed, you can set up user mapping:

- `upn`, of data type string.

Once completed, the client ID and secret can be copied back to Access Manager, along with the issuer corresponding to your Okta tenant.

A side note: we highly recommend enforcing an application-level authentication policy in Okta to require MFA on the application; for example, we would recommend a policy that enforces MFA every time the app is logged into - particularly if JIT is being utilized.

Let me know if this works for you!

Regards,
James