- Getting Started
-
Administration Guide
- Get Started with Administering Wyn Enterprise
- Configuration Settings
- Account Management
- Security Management
- System Management
- Document Management
- How To and Troubleshooting
- User Guide
- Developer Guide
OKTA
OKTA is an authorization server as well as a resource server that provides authentication and authorization solutions. OKTA supports SSO for Wyn users to access their accounts using the OKTA credentials. OKTA uses OAuth 2.0 and OIDC (OpenID Connect) to perform authentication. OAuth 2.0 is used to delegate authorization and, OIDC is used to retrieve and store authentication information. For more information on OAuth and OIDC, see the OpenID Connect & OAuth 2.0 API help article from OKTA.
Before configuring, make sure that you have installed the Wyn Enterprise application version 6.0 or above and have access to the OKTA account. Click here to sign up for an OKTA developer account.
Follow the below instructions to configure SSO with OKTA Application Integration Service,
Configuration Node Management
Add the SSO configuration node to the Wyn configuration file, "Wyn.conf" and ensure the following,
AuthenticationProtocol option must be OIDC.
Scheme is optional. In case, you do not specify the Scheme option in the configuration file, the value of this option will be set to OpenIdConnect .
Authority option is the domain URL of your OKTA organization, you can obtain it from the address bar of the browser.
ClientId and ClientSecret options are mandatory and are available in your OKTA application settings.
CallbackPath is optional and if not specified, the default value of this option is set as /signin-oidc. Ensure that the CallbackPath matches the Redirect URI specified in your OKTA application.
For OKTA, the ResponseCode option must be code.
<Server> <Authentication> <SSO> <AuthenticationProtocol>OIDC</AuthenticationProtocol> <Scheme>OKTA</Scheme> <AllowIncognizantUser>true</AllowIncognizantUser> <Authority>https://dev-03535523-admin.okta.com/</Authority> <ClientId>{your_client_id}</ClientId> <ClientSecret>{your_client_secret}</ClientSecret> <ResponseType>code</ResponseType> <Scopes> <sys:string>openid</sys:string> <sys:string>profile</sys:string> <sys:string>email</sys:string> </Scopes> <EnableSLO>true</EnableSLO> <ClaimMappings> <sys:Item> <Key>sub</Key> <Value>sub</Value> </sys:Item> <sys:Item> <Key>status</Key> <Value>status</Value> </sys:Item> <sys:Item> <Key>lastlogin</Key> <Value>last_login</Value> </sys:Item> <sys:Item> <Key>lastupdated</Key> <Value>last_updated</Value> </sys:Item> </ClaimMappings> </SSO> </Authentication> </Server>
Single Logout (SLO)
To disable SLO from the OKTA authentication server when users log out from the Wyn Enterprise application, set the SSO:EnableSLO property to False. By default, this value is set to True.
<Server>
<Authentication>
<SSO>
...
<EnableSLO>false</EnableSLO>
...
</SSO>
</Authentication>
</Server>
See the Additional SSO Settings section of the Configure Single sign-on help doc for information on configuring the cookies and incognizant user login options.
Note the following,
On finishing the above configurations, restart the Wyn service. Now, you can log in to the Wyn Enterprise application using your OKTA account.
Since the OIDC support of OKTA is not the same as other services, the logout function disrupts when SSO is configured with the OKTA application. This needs to be fixed in the Wyn Enterprise application to support the logout function.