
Okta

BlokSec can be configured as an inbound federation identity provider (a.k.a. social provider) for your Okta tenant, and can also be integrated with the Okta workflow via event hooks such that newly created users in Okta will automatically be provisioned to BlokSec. The following article describes the process to configure authentication and provisioning.

Authentication

The BlokSec <> Okta integration enables authentication via the OIDC protocol. Configuration involves a few simple steps on both the BlokSec admin UI and the Okta console.

BlokSec Admin UI

  1. Sign into BlokSec admin UI as a user with admin privileges for your tenant
  2. On the main dashboard, click the Add Application drop-down and select Create Custom
  3. Complete the application details as follows and submit:
    • Name: Okta (or your desired application name – we will assume this is called ‘Okta’ for the remainder of this article)
    • SSO Type: OpenID Connect
    • Logo URI: https://bloksec.io/assets/okta.png (or a link to the image of your choice)
    • Redirect URIs: (leave blank for now)
    • Post Logout Redirect URIs: (leave blank for now)
  4. Once saved, click back into the newly created ‘Okta’ application to open the application configuration
  5. Click Generate App Secret, then make note of the Application ID and Application Secret as these will be required when registering your application with Okta

Okta Console

  1. Sign into the Okta admin console as a user with admin privileges for your tenant
  2. Navigate to Security > Identity Providers
  3. Click the Add Identity Provider button and choose Add OpenID Connect IdP
  4. Complete the identity provider configuration with the following values (adjusting if required to meet your desired behaviour):
    • General Settings
      • Name: BlokSec (or the name of your choice)
      • Client ID: (the Application ID captured from the BlokSec admin UI above)
      • Client Secret: (the Application Secret captured from the BlokSec admin UI above)
      • Scopes: openid, email, profile
    • Endpoints
      • Issuer: https://api.bloksec.io/oidc
      • Authorization endpoint: https://api.bloksec.io/oidc/auth
      • Token endpoint: https://api.bloksec.io/oidc/token
      • JWKS endpoint: https://api.bloksec.io/oidc/jwks
      • Userinfo endpoint (optional): https://api.bloksec.io/oidc/me
    • Authentication Settings
      • IdP Username: idpuser.preferredUsername
      • Match Against: Okta Username
      • Account Link Policy: Automatic
      • Auto-Link Restrictions: None
      • If no match is found: Create new user (JIT). Note: switch this to “Redirect to Okta sign-in page” if you will be creating users via Okta-initiated provisioning (see Provisioning below)
    • JIT Settings (set according to your desired behaviour)
      • Profile Source: checked, if you want BlokSec to be the source of truth for your users’ attributes (this is the decentralized identity model)
      • Group Assignments: Set if you would like BlokSec JIT-created users to be added to specific groups
  5. Once saved, expand the IdP details by clicking the chevron icon to reveal the Redirect URI

BlokSec Admin UI (Part 2)

  1. Return to the Okta application configuration, click the gear in the upper-right, and select Edit Application
  2. Input the Redirect URI as defined by Okta in step 5 above
  3. If desired, add a Post Logout Redirect URI; to have users redirected to your Okta sign-in screen after logging out, enter the URL of your Okta tenant, e.g. https://dev-523193.okta.com

Provisioning

Okta can be configured to provision users to BlokSec as part of the onboarding process through Okta event hooks. Once configured, each newly onboarded user automatically receives a BlokSec account and is emailed an invitation to enroll their yuID app for use with that account.

  1. Sign into the Okta admin console as a user with admin privileges for your tenant
  2. Navigate to Workflow > Event Hooks
  3. Click Create Event Hook
  4. Complete the configuration as follows:
    • Name: BlokSec Provisioning (or the name of your choice)
    • URL: https://api.bloksec.io/okta_api
    • Authentication field: client_secret
    • Authentication secret: (the Application Secret as generated in the BlokSec Admin UI)
  5. Click Add Field and add the following field:
    • Field Name: client_id
    • Value: (the Application ID as generated in the BlokSec Admin UI)
  6. In the Subscribe to Events field, choose the event User created
  7. Click Save & Continue
  8. When prompted, click the Verify button to prove that the endpoint is willing to receive events from Okta. Once completed, you will be returned to the Event Hooks dashboard with the new event hook showing as verified
  9. Provisioning can now be tested by creating a new user via the Okta console; a BlokSec yuID invitation should be sent to the new user’s primary email address
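To make the event-hook contract concrete, the following is an added illustration (not BlokSec’s own /okta_api code) of what a receiving endpoint has to do with the settings configured above: check the `client_secret` authentication header and the custom `client_id` header on every request, answer Okta’s one-time verification challenge (the Verify step), and pull the new user out of a `user.lifecycle.create` delivery. The header dictionary, the sample event payload and the user IDs are constructed for the example.

```python
import hmac
import json

# Event type Okta emits for the "User created" subscription chosen in step 6.
USER_CREATED = "user.lifecycle.create"


def authorised(headers, expected_client_id, expected_secret):
    """Validate the two headers Okta attaches to every hook request: the
    authentication field (client_secret) and the custom field (client_id).
    Assumes `headers` is a plain dict keyed by the exact configured names.
    Comparison is constant-time so the check cannot leak the secret."""
    secret_ok = hmac.compare_digest(headers.get("client_secret", ""), expected_secret)
    id_ok = hmac.compare_digest(headers.get("client_id", ""), expected_client_id)
    return secret_ok and id_ok


def handle_okta_hook(method, headers, body, expected_client_id, expected_secret):
    """Return (http_status, response_json, users_to_provision)."""
    if not authorised(headers, expected_client_id, expected_secret):
        return 401, {"error": "unauthorised"}, []
    if method == "GET":
        # Step 8: Okta's verification handshake. The endpoint proves it is
        # willing to receive events by echoing the challenge header as JSON.
        challenge = headers.get("X-Okta-Verification-Challenge")
        if not challenge:
            return 400, {"error": "missing verification challenge"}, []
        return 200, {"verification": challenge}, []
    if method != "POST":
        return 405, {"error": "method not allowed"}, []
    try:
        events = json.loads(body)["data"]["events"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed event payload"}, []
    users = []
    for event in events:
        if event.get("eventType") != USER_CREATED:
            continue  # ignore anything we did not subscribe to
        for target in event.get("target", []):
            if target.get("type") == "User" and target.get("alternateId"):
                users.append({"id": target.get("id"), "email": target["alternateId"]})
    return 200, {"received": len(users)}, users


# Constructed sample delivery in the shape of an Okta user.lifecycle.create event.
SAMPLE_EVENT = json.dumps({"data": {"events": [{
    "eventType": USER_CREATED,
    "target": [{"type": "User", "id": "00u_constructed", "alternateId": "jane@example.com"}],
}]}})
```

The `email` returned for each user is what the invitation in step 9 would be sent to; any request that fails the header check is rejected before the body is parsed.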