Okta is an Identity-as-a-Service (IDaaS) provider. To configure OpenID Connect (OIDC) sign-in for Appsmith with Okta as the identity provider, follow these steps:
{% hint style="info" %} OpenID Connect is available only in the enterprise edition for self-hosted instances, and only the Superuser of your Appsmith Instance can set up OIDC. {% endhint %}
- Log in to your Okta Developer Account and go to Applications. (Create an account if you don't have one.)
- Click Create App Integration. In the Create a new app integration window, choose OIDC - OpenID Connect as the Sign-in method and Web Application as the Application type, then click Next.
- In the General Settings of the newly created app integration:
  - Give the app integration a meaningful name (optional).
  - Paste the redirect URL copied from the OIDC window in Appsmith's Admin Settings into the Sign-in redirect URIs field. You can add multiple redirect URLs, but register only the exact Appsmith callback URLs: Okta will only send authorization codes to URIs listed here, so a loosely matched entry widens the set of places a code can be delivered to.
  - Under Assignments, configure controlled access to this app as required (who is allowed to sign in to Appsmith through Okta).
- Click Save. This creates the app integration and opens its settings page, where the remaining options are configured.
To continue with the OIDC setup on Appsmith, copy the following values from the Okta app integration into the corresponding fields of the OIDC configuration in Appsmith:
- On the app integration's General tab, copy the Client ID and Client Secret and paste them into the OIDC configuration in Appsmith. Treat the client secret as a credential: it is what proves to Okta that a token request comes from your Appsmith instance, so do not paste it anywhere else.
- Configuration at Okta: take your Okta domain URL, append /.well-known/openid-configuration to it, and open the resulting URL in your browser:
  https://<your_okta_domain>/.well-known/openid-configuration
  This is the OIDC discovery document of your Okta org authorization server. It is public (no login needed) and lists the endpoints Appsmith has to know about. If you use a custom authorization server instead, start from that server's issuer URL rather than the bare Okta domain.
{% embed url="https://www.youtube.com/watch?v=dgDhBUXKA6s" %} Get Okta Configurations {% endembed %}
- Configuration at Appsmith: copy the values from the discovery document above into the OIDC configuration on Appsmith. The JSON keys are case-sensitive; the table shows how they map to the Appsmith fields:

| Fields (Okta) | Fields (Appsmith) |
|---|---|
| authorization_endpoint | Authorization URL |
| token_endpoint | Token URL |
| userinfo_endpoint | User Info URL |
| jwks_uri | JWK Set URL |
The Scope field lists the OpenID Connect (OIDC) scopes Appsmith requests from Okta. Scopes authorize access to user details after a user has authenticated successfully, such as name, email and profile picture; each scope maps to a set of user attributes (claims) and Okta returns their values. The Scope field sits just below the JSON Web Key Set field.
Appsmith needs openid as a mandatory scope. Add email as well, since Okta only includes the email claim when that scope is requested and Appsmith uses the email address as the username (see below). You can add further scopes such as profile if needed; any scope you add must also exist and be granted at Okta, otherwise the authorization request is rejected.
Okta provides a number of configurable scopes that can be granted according to your business requirements. On the app integration, navigate to Okta API Scopes, where you can grant all or selected scopes.
The Username Attribute field names the claim whose value Appsmith uses as the username for the authenticated user.
Appsmith treats the email address as the username, so enter email as the attribute name in the Username Attribute field for Okta. The email scope above is what makes this claim available.
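The field mapping table and the scope and username-attribute requirements above are easy to get subtly wrong (a mis-cased key, a missing email scope, an endpoint copied from the wrong authorization server). The following Python script is an added example, not Appsmith's or Okta's code: it takes a downloaded discovery document, maps the four endpoints onto the Appsmith field labels, and checks that every endpoint is HTTPS on the issuer's host, that the openid and email scopes are supported, and that the email claim is available. The embedded document is a constructed sample shaped like an Okta org authorization server's discovery document; the domain dev-000000.okta.com is a placeholder.

```python
"""Map an Okta OIDC discovery document onto Appsmith's OIDC settings and sanity-check it.

Added example for this page (not Appsmith's or Okta's code). Input is the JSON served at
https://<your_okta_domain>/.well-known/openid-configuration, assumed to have been
downloaded already; a constructed sample is embedded so the script runs offline.
"""
import json
from urllib.parse import urlparse

# Keys in the discovery document -> field labels in Appsmith's OIDC configuration form.
APPSMITH_FIELDS = {
    "authorization_endpoint": "Authorization URL",
    "token_endpoint": "Token URL",
    "userinfo_endpoint": "User Info URL",
    "jwks_uri": "JWK Set URL",
}

# openid is mandatory for OIDC; email is what gives Appsmith the claim it uses as the username.
REQUIRED_SCOPES = ("openid", "email")
USERNAME_CLAIM = "email"

# Constructed sample modelled on an Okta org authorization server's discovery document.
# dev-000000.okta.com is a placeholder, not a real tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-000000.okta.com",
    "authorization_endpoint": "https://dev-000000.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-000000.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://dev-000000.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://dev-000000.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "claims_supported": ["sub", "email", "name", "preferred_username"],
})


def map_to_appsmith(discovery_json: str) -> dict:
    """Return {Appsmith field label: URL} for the four endpoints Appsmith needs."""
    doc = json.loads(discovery_json)
    missing = [key for key in APPSMITH_FIELDS if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks: {', '.join(missing)}")
    return {label: doc[key] for key, label in APPSMITH_FIELDS.items()}


def check_discovery(discovery_json: str) -> list:
    """Return a list of problems found; an empty list means the document looks usable."""
    doc = json.loads(discovery_json)
    problems = []
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append(f"issuer is not an https URL: {doc.get('issuer')!r}")
    for key in APPSMITH_FIELDS:
        url = urlparse(doc.get(key, ""))
        # Authorization codes and tokens travel to these URLs, so they must be TLS-protected
        # and belong to the issuer; a typo or a URL from another server silently reroutes the flow.
        if url.scheme != "https":
            problems.append(f"{key} is not https: {doc.get(key)!r}")
        elif url.netloc != issuer.netloc:
            problems.append(f"{key} host {url.netloc!r} differs from issuer host {issuer.netloc!r}")
    supported = set(doc.get("scopes_supported", []))
    for scope in REQUIRED_SCOPES:
        if scope not in supported:
            problems.append(f"required scope {scope!r} not in scopes_supported")
    if USERNAME_CLAIM not in doc.get("claims_supported", []):
        problems.append(f"username claim {USERNAME_CLAIM!r} not in claims_supported")
    return problems


if __name__ == "__main__":
    for label, url in map_to_appsmith(SAMPLE_DISCOVERY).items():
        print(f"{label:<18} {url}")
    for problem in check_discovery(SAMPLE_DISCOVERY):
        print("WARNING:", problem)
```

To use it against your own org, replace SAMPLE_DISCOVERY with the contents of the discovery URL and paste the printed URLs into the matching Appsmith fields; any WARNING line is something to fix at Okta before saving the Appsmith configuration.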
- Save the changes and restart your instance by clicking the SAVE & RESTART button.
- After the restart, the SIGN IN WITH OIDC SSO button appears on Appsmith's login screen.