Use Okta as the authorization server (VDS Application Server) - Integration - Ver. 3.7.0.3 - Administration & Configuration - Hexagon

HxGN VDS Install and Setup

VDS Version: 3.13

Register the Visualization Data Service Application Server as an ‘Application’.

  1. Select the Applications tab and click Add Application.

  2. In the Create New Application screen, select OAuth Service and click Create.

  3. In the General Settings section, enter an Application Name such as ‘VDS Client’ and click Save.

  4. Note the Client ID for the next step.

  5. In the application Web Client, find the Client Application object created earlier (or find the default object that is already in the database) and update it.

  6. Update the Client application ID to match the Client ID value from Okta.

  7. In Okta, find the client application site’s Authorization Server (Security > API > Authorization Servers), select the Access Policies tab, and click Add New Access Policy.

  8. In the Add Policy dialog, set the policy as shown in the following example:

    | Name | Description | Assign to |
    |---|---|---|
    | VDS Client Access Policy | Access policy for VDS Client | VDS Client |

  9. Click Create Policy.

  10. Click Add Rule.

    Rules allow for the configuration of the token lifetime and expiration.

  11. In the Add Rule dialog, set the rules as shown in the following example:

    | Option | Detail |
    |---|---|
    | Rule Name | VDS Client Token Rule |
    | IF Grant type is Client acting on behalf of itself | Client Credentials |
    | IF Grant type is Client acting on behalf of a user | |
    | AND User is | Any user assigned the application |
    | AND Scopes requested | Any scopes |
    | THEN Access token lifetime is | 1 Hour |
    | AND Refresh token lifetime is | Unlimited |
    | BUT will expire if not used every | 7 Days |

  12. Click Create Rule.

    Make sure that all client applications, VDS APIs, and access policies are active. Inactive access policies can result in errors when you try to view the model.
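To confirm that the policy and rule from steps 8 to 11 are the ones actually applied, you can inspect the claims of an access token issued to the VDS Application Server. The following Python check is an added example, not part of the Hexagon or Okta documentation. It assumes Okta access tokens carry the `iss`, `cid`, `sub`, `iat` and `exp` claims and that `sub` equals `cid` for the Client Credentials grant; the issuer URL, client ID and tokens are constructed placeholders, and the signature is not verified, so use it for configuration review only.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string (placeholder signature) for offline use."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token: str, issuer: str, client_id: str, max_lifetime: int = 3600) -> list:
    """Return deviations from the access policy and rule set in steps 8-11."""
    c = decode_claims(token)
    findings = []
    if c.get("iss") != issuer:
        findings.append("issuer is not the expected authorization server")
    if c.get("cid") != client_id:
        findings.append("cid does not match the Client ID noted in step 4")
    if c.get("sub") != c.get("cid"):
        findings.append("sub differs from cid: not a Client Credentials token")
    lifetime = c.get("exp", 0) - c.get("iat", 0)
    if not 0 < lifetime <= max_lifetime:
        findings.append(f"access token lifetime {lifetime}s is outside the 1 Hour rule")
    return findings

# Constructed placeholders, not values from the page or from a real tenant.
ISSUER = "https://example.okta.com/oauth2/aus-placeholder"
CLIENT_ID = "0oa-placeholder"
GOOD = make_sample_token({"iss": ISSUER, "cid": CLIENT_ID, "sub": CLIENT_ID,
                          "iat": 1700000000, "exp": 1700003600})
BAD = make_sample_token({"iss": ISSUER, "cid": "0oa-other", "sub": "user@example.com",
                         "iat": 1700000000, "exp": 1700086400})

if __name__ == "__main__":
    print(audit_token(GOOD, ISSUER, CLIENT_ID))
    for finding in audit_token(BAD, ISSUER, CLIENT_ID):
        print("finding:", finding)
```
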

Okta Components

When you complete the Okta setup for both your VDS Web and Application servers, your Okta system consists of the components listed below. For detailed installation and setup information, see your Okta documentation.

  • Local Okta Users:

    • Users created as necessary for access to the application web client.

    • One specific user created for user impersonation with a matching user defined in the client application that has your required role assignments.

  • Local Okta Group for the client application user authentication with all required Okta users included in the group.

  • Authorization Server for the client application site with access policies added.

  • Authorization Server for the VDS Web Server with:

    • Access policies that are added for the client application

    • A matching VDS Connection object defined in the client application.

  • Application for the client application using Proof Key for Code Exchange (PKCE) authentication with the local Okta group assigned.

  • Application for the VDS Application Server using the Client Credentials authentication flow with:

    • The local Okta group assigned.

    • A matching Client Application object defined in the client application.