Okta is able to perform the following actions automatically against our platform:
- Authenticate users when they log in via our web portal or apps.
Before you configure provisioning, check the following in your platform account:
- Ensure you have added our Enterprise Toolkit option to your account, since this unlocks our Okta integration options.
To enable Enterprise Toolkit, please contact firstname.lastname@example.org.
- Once Enterprise Toolkit is enabled, naviagate to the Menu -> Organization Setup page and find the section titled "External User Authentication & Provisioning".
Click the Add Connector link and select the "Okta" option from the list of available connectors - this will save the Organization Setup page and reload it.
Create an OpenID Connect application
- Go to the Admin -> Applications area of your Okta account, then click "Add Application".
- Click the "Create New App" button, then select "Native" from the list of Platform options.
- Ensure OpenID Connect is the selected Sign on Method, then click "Create"
- Enter an Application Name - preferably use our platform name, Forms on Fire
- Upload an option Application Logo - you can get ours by right-clicking on our login page logo and using "Save Image As".
- Enter all Login Redirect URIs as noted from your Organization Setup page
- Leave Logout Redirect URIs blank
- Click the "Save" button to create your OIDC application. This will take you to more detailed configuration options.
- Application Name - preferably use Forms on Fire
- Application Type - must be "Native"
- Allowed Grant Types - only "Authorization Code" should be selected
- Login Redirect URIs - enter all Login Redirect URIs as noted from your Organization Setup page
- Logout Redirect URIS - leave blank
- Make note of the Client ID value as seen under the Client Credentials section. You will need to input this into the given field on our platform to enable Single Sign On later.
- Client Authentication - ensure PKCE is selected
- Sign On Methods - OpenID Connect should be the only option selected
- Signing Credential Rotation - should be left as "Automatic"
- Make note of the Issuer url seen under the OpenID Connect ID Token section. You will need to input this into the given field on our platform to enable Single Sign On later.
- Claims - should be "Claims for this token include all user attributes on the app profile."
- Group Claim options should be left as default
- Assign users as desired - any user that requires login access on our platform or apps must be assigned to your OIDC app in Okta.
After creating and configuring your OIDC app in Okta, you must update the Okta connector configuration in our platform:
- Go to the Organization Setup page in our platform
- Under the Manage Users with Okta option, input the Issuer URL and Client ID as noted during your Okta application setup process above.
- Save your changes.
At this point, all users registered on our platform will now be required to sign on via Okta.
Troubleshooting and Tips
Assigning Website Access to Okta Users
By default, users that are provisioned via Okta will only be granted app login access.
If you wish to assign web portal access, then you must specify one of the following Role values on the Okta user's application profile:
The capabilities of the above roles can be seen on the hints for Access Roles as found on the Edit User page of our platform.