Configuring OpenID SSO for Okta
These steps show you how to configure the single sign-on (SSO) functionality using OpenID between ManageEngine ADSelfService Plus and Okta.
Prerequisites
Notes:
- Do not terminate the session before the configuration is complete in both the identity provider and the service provider.
- Ensure that ADSelfService Plus is accessed over HTTPS; single sign-on will not function properly otherwise.
1. Log in to ADSelfService Plus as an administrator.
2. Go to Configuration > Password Sync/Single Sign On, then click Add Application. Select Okta from the list.
Note: You can also use the search bar at the top-left of the page to search for the application.
3. Click IdP Details, then select the SSO (OAuth/OpenID Connect) tab.
4. Copy the Client ID, Client Secret, Issuer, Authorization Endpoint URL, Token Endpoint URL, and User Endpoint URL information.
Okta (service provider) configuration steps
1. Log in to Okta with admin credentials.
2. Navigate to Security > Identity Providers > Add Identity Provider > Add OpenID Connect IdP.
3. Enter a Name of your preference.
4. Fill in the required fields with the details copied in step 4 of Prerequisites:
   - Client ID: Client ID
   - Client Secret: Client Secret
   - Using the Scopes drop-down, select email, openid, and profile.
   - Issuer: Issuer
   - Authorization endpoint: Authorization Endpoint URL
   - Token endpoint: Token Endpoint URL
   - JWKS endpoint: Keys Endpoint URL
   - Userinfo endpoint (optional): User Endpoint URL
5. Click Add Identity Provider at the bottom to save the settings.
6. After saving, copy the Redirect URI; it is required in a later step.
7. To add the ADSelfService Plus instance to Okta's login screen, go to the Routing Rules tab, then click Add Routing Rule.
8. In the pop-up that appears, set the User matches field to Regex on Login. Set the value to ".*".
9. Select the ADSelfService Plus instance for the Use this Identity provider condition.
10. Click Create Rule to complete the settings.
11. In the pop-up that appears, click Activate.
ADSelfService Plus (identity provider) configuration steps
1. Switch back to the Okta configuration page in ADSelfService Plus.
2. Enter the Application Name and Description as per your preferences.
3. Enter the Domain Name of your Okta account. For example, if your Okta username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
4. In the Assign Policies field, select the policies for which SSO needs to be enabled.
Note: ADSelfService Plus allows you to create OU- and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
5. Under the SSO tab, select Enable Single Sign-On.
6. Choose OAuth/OpenID Connect from the Select Method drop-down.
7. Enter the Okta portal's login URL in the SP Login Initiate URL field.
Note: Okta requires sign-in to begin from its own login page, known as SP-initiated login. Users are first directed to the Okta login page specified in the SP Login Initiate URL field, after which Okta (the SP) redirects them to ADSelfService Plus (the IdP) for authentication.
8. Enter the Redirect URI copied in step 6 of the Okta configuration in the SSO Redirect URL field.
9. Using the Scopes drop-down, select openid, which is the scope required for OIDC authentication. You can also specify scopes such as profile or email to include extra user information in the authorization request.
Note: Scopes specify the level of access the access token has. They are typically included in the authorization request. Use the drop-down to select the scopes that the issued token is permitted to access.
10. Click Add Application to save the configuration.
The Well-known Configuration URL in the IdP details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes, and client details. This is enabled only after you finish configuring the application for SSO in ADSelfService Plus. You can provide this to your service provider if required.