The purpose of this guide is to help familiarize with the concept behind SSO Integration in the Service Virtualization.  It will also provide information on how to login to IAM, Enterprise Dashboard and Portal using OKTA SSO.

Before starting the configuration steps, read about OAuth/OAuth2 concepts:  OAuth and OAuth2 Concepts

All supported DevTest releases.

The configuration involves doing things in tandem on OKTA as well as IAM. So, let's get started: 

1. Get a trial account from OKTA. The typical trial period is 30 days
2. When logging in to the OKTA account, this is how it would look: https://trial-<ID>-admin.okta.com/admin/apps/active 
   
   
   
3. Now Go to IAM. Login as an admin user. Click on 'Identity Providers' from the left side menu.
   Note: OKTA and GOOGLE providers have already been configured; otherwise would see an empty table here.
   
   
   
4. Add a new Identity provider. Just click on the 'Add Provider' button on Top-Right and choose the 'OpenID Connection v1.0' option.
   
   
   
5. Would see the below screen. Give a meaningful Alias and Display Name. The 'Alias' Name would be useful to make one among the many Identity providers as Default. This will be explained later. The 'Display Name' is mandatory. This will be the name of the button that will appear in the login Screens. (see second screen shot below). At this point, will start doing some steps with the OKTA side (Remember Tandem). Just make sure to copy the value of Redirect URI from the 'Add Identity Provider' screen, will need this value on the OKTA 
   Side.
   
   
   
   
   
6. Login to the OKTA Account. In this example, it is https://trial--admin.okta.com/admin/apps/active
7. Click on the button 'Create App Integration'
   
   
   
   
8. A window pops up. Choose the first option 'OIDC - OpenID Connect'
   
   
   
   
9. The Window would expand once OIDC is selected. Choose Application Type as 'Web Application'. Click Next
   
   
   
   
10. In the next screen, give a name for the APP, for example call it as OKTADEMO. This is the IAM App which is an OAuth Client for OKTA. Just retain the default settings as shown below. The most important field that binds IAM to this OKTA Application is the Redirect URI. This value comes from IAM (refer to Step 5). Paste the value of Redirect URI from IAM here. This is VERY Important as OKTA needs to redirect to this URL after authenticating the SSO User.
    
    
    
    
11. The rest of the configuration should be exactly as shown below. Nothing more, nothing less.
    
    
    
12. Save the Application. Once Saved, OKTA would assign a CLIENT ID and generate a CLIENT SECRET. These values need to be copied from OKTA and saved at IAM Side. Do this carefully.
    
    
    
    
13. Along with the ClientID and Client Secret, also need Authorization and Token URLs for the OKTA Application. This can be easily obtained from invoking the following URL. Need to give the correct clientID value: https://trial-<ID>.okta.com/oauth2/default/.well-known /openid-configuration?client_id=<client_id>
    
    
    
14. Done with all that is needed on the OKTA Side. Let's go to IAM and provide the values from the OKTA Client. (see screenshot above). But for the DYNAMIC values from OKTA, make sure to use the other options as shown below exactly. The scope determines what objects would be passed from OKTA to IAM upon successful authentication. THIS IS SUPER IMPORTANT as it needs this information to create a new user in IAM (if it doesn't exist). More on OAuth Scope here: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims. Save the screen.
    
    
    
    
15. The next step is to define the mappers for the newly added Identity Provider. The mapper is again VERY IMPORTANT as this provides the much-needed roles for the OKTA User who logs into IAM/ED/Portal. By default, there are no mappers defined. Click on 'Create' button to define the mappers. Need to define 3 role-maps for the OKTA User. Assuming that the user wants to be able to log in to IAM. ED as well as PORTAL.
    
    
    
    
16. Give a meaningful name for the Mapper. Choose type as 'Hardcoded Role'. There are 2 more mapper types to assign role.
    
    
    
17. Choose the role as shown below and save it.
    
    
    
    
    
18. Similarly, define 2 more roles. ED-Admin and System Admin, so that the OKTA User can login to IAM, ED as well as Portal. If the mapper was not been created, then the OKTA User gets created in IAM without any roles, then would get errors when trying to login to IAM/ED/Portal with OKTA User.
    
    
    
    
19. Need to tweak the Authentication flow and add 2 clients. Lets tweak the Authentication flow as shown below for 'First Broker Login'. Remember, this is the "First Login Flow" that is chosen while defining the Identity Provider (Step 8). FOLLOW THE SETTINGS PRECISELY AS SHOWN BELOW:
    
    
    
    
20. Similarly, choose the "Browser" Flow Values PRECISELY as shown below: 
    
    
    
    
21. Done with adding OKTA SSO. For IAM, all the changes done above will only Enable SSO for IAM Login. This is how IAM would look like now:
    
    
    
    
22. No need to restart IAM service. The text on the button says Okta Demo Login which is nothing but the Display Name of the OAuth Provider. If not given, then the button text would be just the alias name (Refer Step #8)
    
    
23. Click on the Okta Demo Login button, and would see OKTA Login page come up. Login with the Okta ID and authenticate the user. Notice the OIDC Provide Name OKTADEMO appears on the Okta Login screen. Once successfully authenticated, OKTA Redirects to the IAM Application.
    

For Azure, see DevTest - Azure SSO Configuration Guide

For Google, see DevTest - Google SSO Configuration Guide