Okta OIDC integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

OIDC (OpenID Connect) is an open standard protocol that provides a way to authenticate and authorize access to applications without giving the application your login credentials.

Arculix by SecureAuth, offers a simple method for adding single sign-on (SSO) MFA to Okta with its OIDC solution.

Prerequisites

Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
User account with administrative privileges for Okta.

Add OIDC application in Arculix

In this section, you'll configure Arculix to act as an OIDC Provider to authenticate the user and grant access to Okta.

Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.

In the New Application form, on the General tab, set the following configurations:

Name	Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs. For example, Okta-OIDC.
Type	Set to OpenID Connect Relying Party Application [oidc_client].
Out of Band Methods	Select the allowed methods end users can choose to approve MFA requests. For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests	Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

Select the OIDC Configuration tab, and set the following configurations:

Login
Login URL	Optional. Enter the login URL for your Okta instance.
Redirect URLs	Enter the redirect URL (Redirect_uri) that Arculix will use to send back the authorization code. You can register more than one redirect URL (Redirect_uri). For Okta it should be: `https://tenant.okta.com/oauth2/v1/authorize/callback`
Client Settings
Application Type	Set to Web application.
Grant Type	Set to Authorization code – User logs in to the application, then the application redirects the flow to Arculix for authentication. After authentication, Arculix returns an authorization code to the application, then exchanges the code for an access token and an identity token.
Authentication Method	Set to Post – Authenticates using the HTTP POST method, also known as the forms post response mode.
Scopes and Claims
Scopes	Select the following scopes: profile – Allow access to user's profile information like postal address and phone number. email – Allow access to user's email address.
Session
Access Token Timeout	Set how long the access token is valid for before it times out. By default this set to 1 minute.
Refresh Token Timeout	Set how long the refresh token is valid for before it times out and requires the user to reauthenticate. By default this is set to 1 day.

Save your changes.
Edit the configured OIDC application and select the Advanced tab.
Copy the UID and Secret values.
You will need these for the Okta configuration.

Okta configuration

In this section, you will configure the Okta application that supports OIDC.

Log in to Okta with an administrator account.
In the left navigation, go to Identity Providers, select Add Identity Provider then click OpenID Connect.

Set the following configurations.

General Settings
Name	Enter a name for the OIDC application.
IdP Usage	Set to SSO only.
Scopes	Set to the same scopes that you selected earlier in the Arculix OIDC application. For example, set to email, openid, and profile.
Redirect Domain	Set to Dynamic (based on request domain).
Client Details
Client ID	Paste the UID value copied from Okta OIDC application in Arculix.
Authentication type	Select Client Secret.
Client Secret	Paste the Secret value copied from the Okta OIDC application in Arculix.
Authorize requests	Select or clear the Enabled signed requests check box.
Proof key for code exchange (PKCE)	Select the Require PKCE as additional verification check box.

In a browser, open the well-known endpoint URL in this format:

https://oidc.acceptto.com/<organization>/oauth2/v1/.well-known/openid-configuration

The Endpoints page appears with the following URLs:

Issuer	The URL identifying the issuer of this endpoint. For example, `https://oidc.acceptto.com/{organization}/oauth2/v1/`
Authorization endpoint	The authorization endpoint URL. For example, `https://oidc.acceptto.com/{organization}/oauth2/v1/auth`.
Token endpoint	The token endpoint URL. For example, `https://oidc.acceptto.com/{organization}/oauth2/v1/token`.
JWKS endpoint	The JSON Web Key Set (JWKS) endpoint URL. This validates the the JWT tokens using JWKS for this tenant. For example, `https://oidc.acceptto.com/{organization}/oauth2/v1/jwks`.

On the Identity Providers page, select the Routing rules tab and click Add Routing Rule.
Add a rule to enable Arculix OIDC in the login page.
Save your changes.

Test your OIDC application integration

Go to the login URL for your Okta application.
Click Sign in with Arculix.
You will be redirected to the Arculix SSO page.
After successful authentication, select your preferred MFA method to approve access to the Okta application.
You'll be redirected to the Okta dashboard home page.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.

In this section: