Connect to Okta

When connecting Okta as an external identity provider to 10Duke Enterprise for user authentication, configure 10Duke Enterprise as a client in Okta.

The steps below guide you how to define an OpenID Connect (OIDC) client connection for 10Duke Enterprise. For more detailed instructions, see Okta’s documentation for creating app integrations.

Note: During the process, make sure to copy and store (temporarily) details from the Okta admin console as instructed below.

You need the details later when you define the connection to Okta at the 10Duke Enterprise end using SysAdmin.

See also information on Okta’s OpenID Connect & OAuth 2.0 API in Okta’s documentation.

If your client application authenticates users directly with Okta, it’s not necessary to configure 10Duke Enterprise as a client in Okta. However:

  • When you define the connection to Okta in SysAdmin, you need either the public key in Privacy Enhanced Mail (PEM) format or the jwks_uri value in the identity provider’s OIDC Discovery document. Both of these are typically available in the identity provider’s user interface.

  • By default, 10Duke Enterprise requires that when Okta provides your client application with an ID token, it contains an aud value that matches the base URL of your 10Duke Enterprise deployment. This may require some configuration in Okta. If needed, contact the 10Duke Integration Support team.

Before you start

By default, 10Duke Enterprise requires that the external identity provider returns at least the ID, email address, first name, and last name of the authenticated user. If this is not possible, a configuration change in 10Duke Enterprise is required. Contact the 10Duke Integration Support team.

Step 1: Create 10Duke Enterprise as an app integration

In the Okta admin console, create 10Duke Enterprise as an app integration in Okta:

  1. Go to applications and start creating an app integration.

  2. Select OpenID Connect as the sign-in method and Web application as the application type.

  3. Define the connection settings:

    • Define a name for the 10Duke Enterprise app integration.

    • In grant type, select the authorization code flow.

      If you see an option to use Proof Key for Code Exchange (PKCE), do not select it.

    • In the sign-in redirect URI, enter https://<your 10Duke Enterprise instance>/user/oauth20/cb.

    • In the sign-out redirect URI (optional), enter https://<your 10Duke Enterprise instance>/user/oidc/idp-logout.

    • In the trusted origins settings, add https://<your 10Duke Enterprise instance>.

  4. In the assignment settings, define which Okta users or user groups the 10Duke Enterprise application can authenticate using Okta.

  5. Save to create the app integration.

Step 2: Create a client secret

  1. Go to the general settings of the new app integration and open the settings for editing.

  2. Before proceeding, copy the client ID shown on the page (OAuth client_id, for Client key in SysAdmin).

  3. Create a client secret, and copy the generated secret shown on the page (for Client secret in SysAdmin).

  4. Save your changes.

Now the 10Duke Enterprise app integration is ready in Okta.

Next steps

Define the connection to Okta in 10Duke SysAdmin.

On this page