Configure OKTA Authorization Server for SRD API - Intergraph Smart Reference Data - Installation & Upgrade - Hexagon

Intergraph Smart Reference Data Installation (10.2)

Before you start, this procedure assumes that an OKTA account has already been created and that you are logged into OKTA as an administrator.

The steps for configuring the OKTA Authorization Server are listed below:

  1. Create the OKTA Application (client).

  2. Create a user in OKTA.

  3. Create an OKTA Authorization Server (AS) and assign the OKTA Application to it.

  4. Edit the SRD API Web.config and set the Audience and Issuer URI gathered from OKTA.

Create an OKTA Application

OKTA refers to clients as applications. You must grant the application access to an Authorization Server.

  1. Click the Applications tab and select Applications.

  2. Click Add Application.

  3. Click Create New App.

  4. Select OpenID Connect as the Sign on method for the Native app.

  5. Click Create.

  6. Enter the Application label and add the Login and Logout URIs, including any localhost redirects used for dev/test.

  7. Select the Authorization Code check box.

  8. Select the Refresh Token check box.

  9. Click Add URI and type the Login redirect URI.

    The redirect URI must be in the following format: https://<application_server_name>.<domain_name>/<SRD_Service_Virtual_directory>/TestHTMLAccess.htm

  10. Click Save. The Client ID will be auto-populated.

  11. Make a note of the Client ID.

Add New Users to OKTA

  1. Click the Dashboard tab and select Dashboard.

  2. Click the Add people hyperlink.

  3. In the People screen, click Add Person.

    Tip: You can also navigate to the People screen from the Directory tab.

  4. Enter the required data to create a new user profile.

  5. Click Save.

    The Username can be the same as the Primary email.

Assign the application to a user

  1. Open the OKTA application.

  2. Click the Assignments tab.

  3. Click Assign and select Assign to People.

  4. Search for the appropriate group or people to assign.

  5. Click Assign.

  6. Click Save and Go Back.

  7. Click Done.

  8. Click the Assignments tab.

Add an Authorization Server

  1. Click the Security - API tab.

  2. Click the Authorization Servers tab.

  3. Click Add Authorization Server.

  4. Enter the Name, Audience, and Description.

    • You must enter the GUID (Globally Unique Identifier) in Audience. To generate the GUID, open a PowerShell window and type the command below: [guid]::NewGuid().ToString().ToUpper() | clip

    • Paste (CTRL-V) this value in Audience.

    • Make a note of the GUID as this is useful to add an additional scope to the Authorization server in the next procedure.

    • The Audience should always be in upper case.

  5. Click Save.

Set Server Custom Scopes

This procedure allows you to set up the server custom scopes after the Authorization Server is created.

  1. Click the Scopes tab.

  2. Click Add Scope and enter the generated GUID in Name.

    Do not select the Set as a default scope check box.

  3. Click Create.

  4. Click Add Scope and enter the value ingr.api.

    Do not select the Set as a default scope check box.

  5. Click Create.

Set Server Custom Claims

  1. Click the Claims tab.

  2. Click Add Claim.

  3. Enter the following claim Names and Values:

    • sub : (appuser != null) ? appuser.userName : app.clientId

    • ingr.session_id : String.replace(String.replace(String.replace(Time.now(), ":", ""), "-", ""), ".", "")

    • Name : String.join("", user.firstName, user.lastName)

  4. Click Create.

  5. Click the Access Policies tab.

  6. Click Add New Access Policy.

  7. Enter a policy Name and Description.

  8. Select The following clients option and type the client name.

  9. Click Create Policy.

  10. On the Access Policy tab, click Add Rule.

    Rules allow for configuration of the token expiration based on the selected Grant Type, User and Scope.

  11. Enter Rule Name.

  12. Enter all the required details.

  13. Click Create Rule.

  14. Click the Settings tab. Make a note of the Audience and Issuer information. This information is required to configure the SRD Web API.

Configure SRD API Service

  1. Go to the server where the SRD API Service is installed.

  2. Edit the Web.config file using a text editor running as administrator.

  3. Set the audience and issuer values copied from the OKTA Authorization Server Settings page, and set the service id value to the GUID you added as a scope on the OKTA Authorization Server.

For this example, the issuer URI of the new OKTA Authorization Server was:

"https://{OKTA URL}/oauth2/{authorizationServerId}"

The Service Id maps to the Audience set for the server, which is the GUID value you generated during the Authorization Server configuration, for example:

id="716206D4-C5B4-4721-9DD7-94D8311FDA0F"
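As an added example (not Hexagon's or Okta's code), the following Python checks a decoded OKTA access-token payload against the three Web.config values this procedure produces (issuer, audience, service id) and the custom claims and scopes configured above. The <oktaSettings> element and its attribute names, the example.okta.com host, the authorization server id and the token payload are all constructed for illustration; the page shows the real Web.config only as a screenshot.

```python
"""Check Okta access-token claims against the SRD API Web.config values.
Added example, not Hexagon's or Okta's code: <oktaSettings> and its attribute
names are hypothetical (the page shows Web.config only as a screenshot), the
payload is constructed, and signature checking is left to the API's JWT middleware."""
import time
import xml.etree.ElementTree as ET

# Constructed fragment: issuer is https://{OKTA URL}/oauth2/{authorizationServerId};
# audience and id carry the upper-case GUID set on the Authorization Server.
WEB_CONFIG = """<configuration>
  <oktaSettings issuer="https://example.okta.com/oauth2/ausEXAMPLE"
                audience=" 716206D4-C5B4-4721-9DD7-94D8311FDA0F "
                id=" 716206D4-C5B4-4721-9DD7-94D8311FDA0F " />
</configuration>"""

# Constructed Okta access-token payload carrying the custom claims from this page.
SAMPLE_PAYLOAD = {
    "iss": "https://example.okta.com/oauth2/ausEXAMPLE",
    "aud": "716206D4-C5B4-4721-9DD7-94D8311FDA0F", "exp": 1_900_000_000,
    "scp": ["716206D4-C5B4-4721-9DD7-94D8311FDA0F", "ingr.api"],
    "sub": "jane.doe@example.com", "ingr.session_id": "20240101T120000000Z",
    "Name": "JaneDoe",
}


def load_settings(xml_text: str) -> dict:
    """Read issuer/audience/id, stripping the stray spaces seen in the page's sample."""
    node = ET.fromstring(xml_text).find("oktaSettings")
    return {key: value.strip() for key, value in node.attrib.items()}


def validate_claims(payload: dict, cfg: dict, now=None) -> list:
    """Return the problems found; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != cfg["issuer"]:
        problems.append("issuer mismatch")
    if payload.get("aud") != cfg["audience"]:      # plain string compare: case matters
        problems.append("audience mismatch")
    if not {cfg["id"], "ingr.api"} <= set(payload.get("scp", [])):
        problems.append("missing service id or ingr.api scope")
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    for claim in ("sub", "ingr.session_id", "Name"):   # custom claims from this page
        if not payload.get(claim):
            problems.append(f"missing claim {claim}")
    return problems
```

Because the audience is compared as a plain string, a lower-case GUID in either the token or Web.config is rejected, which is why the procedure insists on upper case.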