Okta SSO

Rapticore identity federation and SSO

Rapticore uses AWS Cognito for authentication and authorization. It can integrate with the customer's Okta identity provider through an Okta app configured in the customer's Okta account, thereby providing single sign-on (SSO) with Okta.

📘

For more information on establishing trust between AWS Cognito and Okta, please refer to AWS documentation.

Setup

Setup involves configuration on both the customer's side and Rapticore's side. The Rapticore-side configuration has already been completed. You need to perform the steps below and then provide the resulting integration details to Rapticore:

Steps to be taken by customer include:

  1. Create an Okta app integration in your account
  2. Configure settings for your Okta app
  3. Provide integration details to Rapticore

Necessary privileges in Okta

A User with privileges to create and update Applications in Okta can complete the setup steps.

Rapticore information provided in your invitation email

Rapticore, at the time of account creation, provides customers with two unique account attributes; both must be used in the setup exactly as provided, without modification.

  • RapticoreAccountId - Rapticore-operated AWS Account ID.
  • RapticoreTenantId - Rapticore unique Tenant ID.

Create an Okta app integration

  1. Open the Okta Developer Console. For more information about the console, see Okta’s Redesigned Admin Console and Dashboard—Now in GA! on the Okta Developer Blog.
  2. In the navigation pane, expand Applications, and then choose Applications. This opens the Applications Console. For more information, see Administrator Console on the Okta Organizations page of the Okta Developer website.
  3. Choose Create App Integration.
  4. On the Create a new app integration page, choose OpenID Connect, choose Web Application, and then choose Next.

Configure your Okta app

  1. On the New Web App Integration page, under General Settings, enter a name for your app, for example, Rapticore.
  2. Under Grant type, confirm that the Authorization Code check box is selected. Your user pool uses this flow to communicate with Okta OIDC for federated user sign-in.
  3. For Sign-in redirect URIs, enter https://auth.<RapticoreTenantId>.rapticore.io/oauth2/idpresponse. This is where Okta sends the authentication response and ID token.

Remember to replace <RapticoreTenantId> with your Rapticore Tenant ID.

  4. Under CONFIGURE OPENID CONNECT, for Login redirect URIs, enter https://auth.<RapticoreTenantId>.rapticore.io/oauth2/idpresponse. This is where Okta sends the authentication response and ID token.
  5. In Sign-out redirect URIs, add the URL https://<RapticoreTenantId>.rapticore.io.
  6. In Controlled access, choose your preferred access setting, and then choose Save.
  7. In Client Credentials, copy the Client ID and Client secret. Rapticore needs these credentials to configure Okta in the Amazon Cognito user pool.
  8. Choose Sign On.
  9. On the Sign On page, under OpenID Connect ID Token, note the Issuer URL. Rapticore needs this URL to configure Okta in your user pool.
  10. Configure profile mapping:
    a. On the Sign On page, click Configure Profile Mapping.
    b. Ensure the following mappings are present in the Okta User to [app name] tab:
    [Screenshot: attribute mappings on the profile mapping tab]
    c. Click Save Mappings to save.
  11. On the web application's detail page, open the Okta API Scopes tab and ensure the following scopes are granted:
    a. okta.users.read
    b. okta.users.read.self
    c. okta.userTypes.read
    d. okta.profileMappings.read

Provide integration details to Rapticore

Please provide the following once the above steps are complete:

  1. Client ID
  2. Client Secret
  3. Issuer URL, which can be obtained from the Sign On tab of the application's detail page in Okta.
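Before handing the details to Rapticore it is worth checking them for the mistakes that most often break an OIDC federation: a redirect URI that differs from the expected value by a single character (Okta rejects the request outright, and a stray space from copy/paste is enough), an issuer URL that does not match the `issuer` advertised by Okta's discovery document byte-for-byte (Cognito uses that value to locate the signing keys and validate the ID token's `iss` claim), a missing Authorization Code grant, or missing Okta API scopes. The following pre-flight checker is an added example and is not Rapticore's or Okta's code. It assumes the tenant ID is used as a single DNS label (as the redirect URIs above imply) and runs against a constructed, trimmed sample of an Okta discovery document rather than fetching one; the `example.okta.com` and `acme` values are constructed placeholders.

```python
# Added example (not Rapticore's or Okta's code): pre-flight check of the
# Okta app details gathered above, run against a constructed discovery document.
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Okta API scopes the setup steps require on the app.
REQUIRED_API_SCOPES = {
    "okta.users.read",
    "okta.users.read.self",
    "okta.userTypes.read",
    "okta.profileMappings.read",
}


@dataclass
class IntegrationDetails:
    """Values copied from the Okta app and the Rapticore invitation email."""
    tenant_id: str
    client_id: str
    client_secret: str
    issuer_url: str
    sign_in_redirect_uris: list = field(default_factory=list)
    sign_out_redirect_uris: list = field(default_factory=list)
    grant_types: list = field(default_factory=list)  # e.g. ["authorization_code"]
    okta_api_scopes: list = field(default_factory=list)


def expected_sign_in_redirect(tenant_id: str) -> str:
    return f"https://auth.{tenant_id}.rapticore.io/oauth2/idpresponse"


def expected_sign_out_redirect(tenant_id: str) -> str:
    return f"https://{tenant_id}.rapticore.io"


def validate(details: IntegrationDetails, discovery_json: str) -> list:
    """Return a list of problems; an empty list means the details are consistent."""
    problems = []
    # Assumption: the tenant ID is a DNS label, so dots or whitespace break the URIs.
    if not re.fullmatch(r"[A-Za-z0-9-]+", details.tenant_id):
        problems.append(f"tenant id {details.tenant_id!r} is not a valid hostname label")
    # Redirect URIs are matched exactly by Okta; flag mismatches and whitespace.
    want_in = expected_sign_in_redirect(details.tenant_id)
    if details.sign_in_redirect_uris != [want_in]:
        problems.append(f"sign-in redirect URIs {details.sign_in_redirect_uris} != [{want_in!r}]")
    for uri in details.sign_in_redirect_uris + details.sign_out_redirect_uris:
        if uri != uri.strip() or " " in uri:
            problems.append(f"redirect URI {uri!r} contains whitespace")
    want_out = expected_sign_out_redirect(details.tenant_id)
    if want_out not in details.sign_out_redirect_uris:
        problems.append(f"sign-out redirect URI {want_out!r} missing")
    # Cognito federates with the authorization code flow; implicit is not needed.
    if "authorization_code" not in details.grant_types:
        problems.append("Authorization Code grant type is not enabled on the app")
    if "implicit" in details.grant_types:
        problems.append("Implicit grant is enabled but not needed for this integration")
    if not details.client_id or not details.client_secret:
        problems.append("client ID and client secret must both be present")
    # Issuer URL: https only, and identical to the discovery document's issuer.
    if urlparse(details.issuer_url).scheme != "https":
        problems.append(f"issuer URL {details.issuer_url!r} is not https")
    try:
        disc = json.loads(discovery_json)
    except json.JSONDecodeError as exc:
        return problems + [f"discovery document is not valid JSON: {exc}"]
    if disc.get("issuer") != details.issuer_url:
        problems.append(f"issuer URL {details.issuer_url!r} != discovery issuer {disc.get('issuer')!r}")
    if "code" not in disc.get("response_types_supported", []):
        problems.append("issuer does not advertise the 'code' response type")
    if "authorization_code" not in disc.get("grant_types_supported", []):
        problems.append("issuer does not advertise the authorization_code grant")
    missing = REQUIRED_API_SCOPES - set(details.okta_api_scopes)
    if missing:
        problems.append(f"Okta API scopes not granted: {sorted(missing)}")
    return problems


# Constructed sample of an Okta discovery document, trimmed to the fields used.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
})


def sample_details(**overrides) -> IntegrationDetails:
    """Constructed, consistent inputs for a placeholder tenant; overrides inject defects."""
    base = dict(
        tenant_id="acme",
        client_id="0oa-example-client-id",
        client_secret="example-secret",
        issuer_url="https://example.okta.com",
        sign_in_redirect_uris=[expected_sign_in_redirect("acme")],
        sign_out_redirect_uris=[expected_sign_out_redirect("acme")],
        grant_types=["authorization_code"],
        okta_api_scopes=sorted(REQUIRED_API_SCOPES),
    )
    base.update(overrides)
    return IntegrationDetails(**base)


if __name__ == "__main__":
    print(validate(sample_details(), SAMPLE_DISCOVERY))
    # A sign-in redirect URI with a stray space after "https://" is reported twice:
    # once as a mismatch with the expected value and once for the whitespace itself.
    bad = sample_details(sign_in_redirect_uris=["https:// auth.acme.rapticore.io/oauth2/idpresponse"])
    for problem in validate(bad, SAMPLE_DISCOVERY):
        print("-", problem)
```

To use it against a real app, fill `IntegrationDetails` from the Okta app's General and Sign On tabs and pass the JSON from `<Issuer URL>/.well-known/openid-configuration` as `discovery_json`; an empty result means the values are ready to send to Rapticore.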

Wait for confirmation from Rapticore that the Okta SSO credentials have been configured.

📘

Once this configuration is complete, users can click the Okta SSO button on Rapticore Login page to authenticate.

Decommissioning

Deactivating the Okta app created for Rapticore will stop Rapticore from authenticating users through Okta.

🚧

Changing the attribute mapping or the granted scopes may affect user authentication and authorization.