
 

Secure the Application

 

Applies only to Traditional Web Apps

 

OutSystems

Configure OKTA Authentication

OutSystems allows you to use OKTA for authenticating the end-users of your OutSystems applications. This authentication method is configured in a way that is quite similar to the SAML 2.0 one.

The limitations of the current SAML 2.0 implementation also apply to the OKTA authentication method. Be sure to check them when using OKTA end-user authentication.

To set up OKTA authentication for end-users, do the following:

  1. Sign in to the OKTA administration page and make sure that you're using the "Classic UI" view. Select Applications > "Applications" to open the Applications screen, and then click Add Application.

  2. Click Create New App.

  3. Select the platform Web and the sign-on method SAML 2.0. Click Create.

  4. Enter a name for your application and (optionally) select an app logo. Click Next.

  5. In the Users application, choose OKTA in Authentication and fill in the fields under 1. Service Provider Connector Settings.

    We suggest that you use the following values for the fields in the Attribute Statements (Claims) section:

    Given Name Attribute = given
    Surname Attribute = surname
    Email Attribute = email
    Username Attribute = username
    External Id Attribute = username

  6. Download the keystore certificate by clicking (Keystore certificate).
    This file will be used later when doing the configurations in the OKTA portal (step 9).

  7. In the OKTA portal, configure the fields in General > "SAML Settings" by entering the values for the Single sign on URL and Audience URI (SP Entity ID) fields as displayed or as configured before in the Users application (step 5).

    Before continuing, click Show Advanced Settings to show some more fields that you will need to configure.

  8. Select the Enable Single Logout checkbox and fill in the Single Logout URL and SP Issuer fields with the corresponding values from the Users application.
    Fill in the SP Issuer field with the same value you entered for the Audience URI (SP Entity ID) field (step 7).

  9. Upload the certificate file downloaded from the Users application (step 6) in the Signature Certificate field.

  10. In the "Attribute Statements" section, add an attribute for each claim configured in the Users application by clicking Add Another until you have a total of four lines of attribute statements.

    Fill in the Name and Value fields of the four rows according to the following suggested values:

    Name = given (i.e. the value previously entered in Users) / Value = user.firstName
    Name = surname / Value = user.lastName
    Name = email / Value = user.email
    Name = username / Value = user.login

    After creating and filling in the fields, click Next.

  11. Answer the question Are you a customer or a partner? according to your situation and click Finish.

  12. Right-click the Identity Provider metadata link and select Save Link As to download the Identity Provider (IdP) metadata file.

  13. In the Users application, upload the metadata file obtained in the previous step by clicking Upload from IdP/Federation Metadata XML and then click Save.

  14. Test your new authentication settings by logging in to the Users application again.
    Log out of the Users application if you're logged in.

  15. The Users application will redirect you to an OKTA login page. Enter your OKTA user credentials.

    If the authentication is successful, you will be redirected to the Users application.

    You may get an "Invalid Permissions" message if the OKTA user is logging in for the first time, since the user is provisioned in OutSystems at this point and doesn't have any associated roles yet. You will need to configure the user roles after the user's first login.

    If the authentication is unsuccessful, double-check your configuration settings.
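
When double-checking the settings, it helps to compare what OKTA actually sends with what was configured in steps 5, 7 and 10. The following is an added example, not OutSystems or OKTA code: it decodes a base64 SAMLResponse (assumed to be copied from the browser's POST to the Single sign on URL) and reports audience or attribute-name mismatches. The function names, the sample response and the sp.example.test URL are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names suggested in step 5; step 10 must use the same names.
EXPECTED = {"given", "surname", "email", "username"}


def check_saml_response(b64_response, sp_entity_id, expected=EXPECTED):
    """List mismatches between a base64 SAMLResponse and the SP configuration.

    Compares configuration values only. It does NOT verify the XML signature,
    so it is a troubleshooting aid, never an authentication decision.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audiences = {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}
    if sp_entity_id not in audiences:
        problems.append(f"audience {sorted(audiences)} lacks {sp_entity_id!r}")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    for name in sorted(expected):
        if name not in attrs:
            # Point out a name that differs from the configured one only in case.
            near = [n for n in attrs if n and n.lower() == name.lower()]
            hint = f" (response has {near[0]!r})" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
        elif not attrs[name]:
            problems.append(f"attribute {name!r} has no value")
    return problems


def build_sample(audience, attributes):
    """Constructed, unsigned sample response used only to exercise the check."""
    rows = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
           '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{rows}</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    sample = build_sample("https://sp.example.test/Users", {"given": "Ana", "surname": "Silva", "Email": "ana@example.test", "username": ""})
    print("\n".join(check_saml_response(sample, "https://sp.example.test/Users")))
```

An empty list means the audience matches the SP Entity ID and all four attributes arrived with values.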

Note: If you're using an older version of OutSystems UI you will need to change the logout flow of your OutSystems applications, as described for the SAML 2.0 authentication method. Check Change the Logout flow of your OutSystems applications for more information.

Troubleshooting OKTA authentication issues

Since the OKTA end-user authentication method is very similar to the SAML 2.0 one, you can troubleshoot them in the same way:
