Configuring OpenID SSO for Okta

These steps show you how to configure the single sign-on (SSO) functionality using OpenID between ManageEngine ADSelfService Plus and Okta.

1. Login to ADSelfService Plus as Admin.
2. Go to Configuration > Password Sync/ Single Sign On and click Add Application. Select Okta from the list.
Note: You can also use the search bar, in the top-left, to search for the application.
3. Click on IdP Details and select the SSO (OAuth/OpenID Connect) tab.
4. Copy Client ID, Client Secret, Issuer, Authorization Endpoint URL, Token Endpoint URL, User Endpoint URL, and Keys Endpoint URL.

Okta (service provider) configuration steps

1. Login to Okta as administrator.
2. Go to Security → Identity Providers → Add Identity Provider → Add OpenID Connect IdP.

3. Enter a Name of your preference.
4. Fill the required fields with details copied in step 4 of Prerequisites:
• Client ID: Client ID
• Client Secret: Client Secret
• Mention "email, openid, profile" in the Scopes field.
• Issuer: Issuer
• Authorization endpoint: Authorization Endpoint URL
• Token endpoint: Token Endpoint URL
• JWKS endpoint: Keys Endpoint URL
• Userinfo endpoint: User Endpoint URL

5. Click Add Identity Provider at the bottom to save the settings.

6. After saving, copy the Redirect URI as it will be required in later steps.

7. To add the instance of ADSelfService Plus to Okta's login screen, go to the Routing Rules tab and click Add Routing Rule.

8. In the popup that appears, set the User matches field to Regex on Login. Set the value as '.*'.
9. Select the ADSelfService Plus instance for Use this Identity provider condition.

10. Click Create Rule to complete the settings.
11. In the pop-up that appears, click Activate.

ADSelfService Plus (identity provider) configuration steps

1. Switch back to ADSelfService Plus' Okta configuration page.

2. Enter the Application Name and Description as per your preferences.
3. Enter the Domain Name of your Okta account. For example, if your Okta username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
4. In the Assign Policies field, select the policies for which SSO need to be enabled.
Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
5. Under the SSO tab, select Enable Single Sign-On.
6. Choose OAuth/OpenID Connect from the Select Method drop-down.
7. Enter the Okta portal's login URL in the SP Login Initiate URL field.
Note: Okta requires sign-in to begin from their login page, known as SP-initiated login. Users are first directed to the Okta login page, specified in the SP Login Initiate URL field, after which Okta (the SP) redirects them to ADSelfService Plus (the IdP) for authentication.
8. Enter the Redirect URI copied in Step 6 of configuring Okta in the SSO Redirect URL field.
9. Using the Scopes drop-down, select openid, which is the scope required for OIDC authentication. You can also specify scopes such as profile or email to include extra user information in the authorization request.
Note: Scopes specify the level of access the access token has. They are typically included in the authorization request. Specify the scopes for which you wish to allow access to your authorization token, using the drop-down.
10. Click Add Application to save the configuration.

The Well-known Configuration URL in the IdP details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes, and client details. This is enabled only after you finish configuring the application for SSO in ADSelfService Plus. You can provide this to your service provider if required.