Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Okta configuration #2199

Merged
merged 3 commits into from
Dec 31, 2024
Merged

Okta configuration #2199

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
aa79811
Okta configuration
usama9500 Dec 19, 2024
4308ef9
fix build issues and errors
usama9500 Dec 19, 2024
5011705
Merge branch 'main' into okta_configuration
burnettk Dec 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added docs/DevOps_installation_integration/images/okta_config.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
84 changes: 84 additions & 0 deletions docs/DevOps_installation_integration/okta_config.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
# Configuring Okta as an OpenID Provider
This guide provides steps to configure Okta as an OpenID Provider (alternative to Keycloak) for SpiffWorkflow.

The setup involves creating an OpenID Connect (OIDC) application, configuring environment variables, and ensuring group information is passed through correctly.

## **1. Setting Up OpenID Authentication with Okta**

1. Follow the [Okta App Integration Wizard](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) to create an **OpenID Connect (OIDC) Web Application**.
- This step provides you with a **Client ID** and a **Client Secret** key.

2. **Key Requirements**:
- Obtain the following details:
- OpenID Server URL
- Client ID
- Client Secret Key

## **2. Configuring Environment Variables in SpiffWorkflow**

Set the following environment variables on your SpiffWorkflow backend server to connect with your Okta instance:

```bash
# OpenID Server URL
SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL=<YOUR_OKTA_ISSUER_URL>

# Client ID and Secret Key from Okta
SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_ID=<YOUR_CLIENT_ID>
SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY=<YOUR_CLIENT_SECRET_KEY>

# OpenID Scopes (includes groups)
SPIFFWORKFLOW_BACKEND_OPENID_SCOPE="openid profile email groups"

# Allow OpenID Provider to manage user groups
SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS: true
```

## **3. Adding a Groups Claim for Authorization Server**

To pass group information to SpiffWorkflow, configure the **Groups Claim** for your OpenID Connect client app in Okta.

1. Go to **Admin Console > Applications > Applications**.

2. Select the OpenID Connect client app you created.

3. Navigate to the **Sign On** tab and click **Edit** under the OpenID Connect ID Token section.

4. In the Group claim type section, you can select either **Filter** or **Expression**. For this example, leave **Filter** selected.
In the Group claims filter section, leave the default name groups (or add it if the box is empty), and then add the appropriate filter. For this example, select Matches regex and enter .* to return the user's groups.
For the **Group claims filter**:
- Leave the default name `groups` or enter it manually and then add the appropriate filter.
- For this example, Set the filter to `Matches regex` and use `.*` to return all user groups.

See [Okta Expression Language Group Functions](https://developer.okta.com/docs/reference/okta-expression-language/#group-functions) for more information on expressions.

5. Click **Save**.

6. Click **Back to applications**.

7. Use the **More** dropdown and select **Refresh Application Data** to apply the changes.

📘 **Reference**: [Customize Tokens and Groups Claim](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/).

## **4. Passing Through Groups from Active Directory**

If your organization integrates Active Directory (AD) with Okta, Use the following Okta documentation for guidance:
[Retrieve AD and Okta Groups in OIDC Claims](https://support.okta.com/help/s/article/Can-we-retrieve-both-Active-Directory-and-Okta-groups-in-OpenID-Connect-claims?language=en_US).

Adjust the configuration to ensure group information is included in the OpenID Connect token passed to SpiffWorkflow.

## **Example Configuration**

For one of our users, the following setup was used to pass group information to SpiffWorkflow:

![image](images/okta_config.png)
usama9500 marked this conversation as resolved.
Show resolved Hide resolved

- Environment variables included the OpenID details and group scope.

- Groups were fetched from Active Directory and passed through to SpiffWorkflow using Okta's configuration tools.

📘 For additional details, refer to Okta’s documentation or the SpiffWorkflow team for troubleshooting.

🔗 **Helpful Links**:
- [Okta App Integration Wizard](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm)
- [Groups Claim Documentation](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/)
- [Active Directory Groups in Okta](https://support.okta.com/help/s/article/Can-we-retrieve-both-Active-Directory-and-Okta-groups-in-OpenID-Connect-claims?language=en_US).
1 change: 1 addition & 0 deletions docs/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ DevOps_installation_integration/Secrets.md
DevOps_installation_integration/redis_celery_broker.md
DevOps_installation_integration/path_based_routing.md
DevOps_installation_integration/process_model_management.md
DevOps_installation_integration/okta_config.md
```

```{toctree}
Expand Down
Loading