# Configure Okta

# Terraform

We use the Okta Terraform Provider to automatically configure the Okta Org. Refer to the terraform section for more information.

If you're more comfortable configuring the org manually, follow the steps below:

# Manual Config

# 1. Add SUPERUSERS Group and Role

# Add A Group:
  • Name: SUPERUSERS
  • Description: (optional)
# Add An Administrator Role:
  • From Security > Administrators, click [Add Administrator Group]
    • Grant administrator role to SUPERUSERS
    • Administrator roles: Super Administrator

# 2. Add byob-dashboard app

  • Application type: Single Page App (SPA)
  • Allowed grant types: Authorization Code
  • Login redirect URIs: http://localhost:8081/oauth/callback
  • Logout redirect URIs: http://localhost:8081
  • Client authentication: Use PKCE (for public clients)

# 3. Add okta-dac app

  • Application type: Single Page App (SPA)
  • Allowed grant types: Authorization Code
  • Login redirect URIs: http://localhost:8080/oauth/callback
  • Logout redirect URIs: http://localhost:8080
  • Client authentication: Use PKCE (for public clients)

# 4. Add custom app profile attribute

Add a custom profile attribute to the okta-dac application's App Profile.

NOTE: The APPLICATION_ENTITLEMENT_POLICY feature flag must be enabled for the Okta Org.

When enabled, this feature flag allows app profile attributes to be tied to a Group: you set the attribute's value on the Group assigned to the app rather than directly on a user, and every user who is a member of that group gets the same value for the attribute.

  • Data type: string array
  • Display name: Tenants
  • Attribute type: Group
  • Group Priority: Combine values across groups


# 5. Add custom dac.admins scope to the default AuthorizationServer


# 6. Add custom claims

Set up the default groups claim:

| Claim  | Expression          | Scope | Token                   |
|--------|---------------------|-------|-------------------------|
| groups | groups matches `.*` | Any   | id_token & access_token |

Set up a claim bound to the custom scope dac.admin with the following values:

| Claim   | Expression      | Scope     | Token                   |
|---------|-----------------|-----------|-------------------------|
| tenants | appuser.tenants | dac.admin | id_token & access_token |
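The two claims above depend on step 4: with Group Priority set to "Combine values across groups", `appuser.tenants` evaluates to the union of the `tenants` values on every app-assigned group the user belongs to, and the claim is only issued when `dac.admin` is among the requested scopes. The following is an added example (not okta-dac or Okta code) that models that evaluation on constructed sample data so you can see what a token would carry:

```python
"""Model of how the okta-dac authorization server derives the `groups`
and `tenants` claims (steps 4 and 6). Illustrative only: it mirrors the
configured behaviour; it is not Okta's implementation."""
import re
from typing import Dict, Iterable, List

# Constructed sample data: the `tenants` attribute (string array) as set on
# each group assigned to the okta-dac app. Not taken from a real org.
GROUP_TENANTS: Dict[str, List[str]] = {
    "SUPERUSERS": ["*"],
    "tenant-acme-admins": ["acme"],
    "tenant-acme-readers": ["acme"],     # same value set on a second group
    "tenant-globex-admins": ["globex"],
    "Everyone": [],                      # assigned to the app, no tenants set
}

# Step 6: the groups claim uses the filter "matches .*", i.e. every group.
GROUPS_CLAIM_FILTER = re.compile(r".*")


def combined_tenants(user_groups: Iterable[str],
                     group_tenants: Dict[str, List[str]]) -> List[str]:
    """Group Priority "Combine values across groups": union of the values on
    all of the user's app-assigned groups, duplicates dropped, order kept."""
    combined: List[str] = []
    for group in user_groups:
        for tenant in group_tenants.get(group, []):
            if tenant not in combined:
                combined.append(tenant)
    return combined


def build_claims(user_groups: List[str], requested_scopes: Iterable[str],
                 group_tenants: Dict[str, List[str]] = GROUP_TENANTS) -> Dict[str, List[str]]:
    """Return the custom claims the configured server would add to the
    id_token and access_token for this user and set of requested scopes."""
    scopes = set(requested_scopes)
    claims: Dict[str, List[str]] = {}
    # groups claim is bound to scope "Any", so it is present on every token
    claims["groups"] = [g for g in user_groups if GROUPS_CLAIM_FILTER.fullmatch(g)]
    # tenants claim is bound to the custom scope dac.admin only
    if "dac.admin" in scopes:
        claims["tenants"] = combined_tenants(user_groups, group_tenants)
    return claims
```

Because the groups filter is `.*`, every group name the user belongs to lands in both tokens whether or not the client needs them; narrow the regex if that exposure is a concern in your org.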


# 7. Configure Access Policies

  1. Add a policy:
    • Name: (e.g.) DAC Users (You can choose your own name)
    • Assigned to clients: okta-dac
    • Add a rule: IF Grant type is Authorization Code AND User is Any user assigned the app AND Scopes requested = Any Scopes THEN No inline hook AND Access token lifetime is 1 Hours AND Refresh token lifetime is unlimited
  2. Update the default policy:
    • Name: Can leave as is. We decided to name it Everyone Else
    • Assigned to clients: All Clients
    • Configure the default policy rule: IF Grant type is Authorization Code AND User is Any user assigned the app AND Scopes requested = [openid, profile, email, address, phone, offline_access] THEN No inline hook AND Access token lifetime is 1 Hours AND Refresh token lifetime is unlimited

# 8. Add CORS

  • Add a Trusted Origin: http://localhost:8081, Type=CORS
  • Add a Trusted Origin: http://localhost:8080, Type=CORS

# 9. Enable OAuth grants


  1. Navigate to the okta-dac application
  2. In the Okta API Scopes tab, grant the following scopes:
    • okta.groups.manage
    • okta.users.manage

# 10. Update User Activation Email Template


Both okta-dac and byob-dashboard implement a custom user welcome page. Update the User Activation email template:

  • Replace the ${activationLink} placeholder in the template with http://localhost:8081/activate/${activationToken}
    • This will send users to byob-dashboard (i.e. port 8081) on a custom "welcome page" (i.e. on the path /activate)
  • If you're only running okta-dac then replace it with http://localhost:8080/activate/${activationToken} (or the appropriate port or base_url of the deployed application).

Last Updated: 6/24/2020, 2:47:39 PM