Using Okta as External Identity Provider

If your organization is using Okta for identity and access management, you can configure the FintechOS Identity Provider to act as an identity broker, allowing users to log in to FintechOS applications and services using their existing Okta credentials.

1 Create an Okta App Integration for the FintechOS Identity Provider

Sign in to your Okta admin console with your administrator account and create an app integration for the FintechOS Identity Provider. The Sign-in redirect URI must match the identity provider alias you will set up for Okta in the FintechOS Identity Provider and has the following structure:

https://{HPFI base URL}/auth/realms/{realm name}/broker/{alias}/endpoint
E.g.: https://myHpfi.myDomain/auth/realms/FintechOSRealm/broker/Okta/endpoint

Make a note of the following Okta settings which you will have to provide in the FintechOS Identity Provider for integration:

  • Okta client ID (from the Okta app, General tab)
  • Okta client secret (from the Okta app, General tab)
  • Well-known configuration - This is an endpoint that returns the OpenID Connect metadata related to the Okta authorization server and has the following URL template:
    https://{oktaDomain}.okta.com/oauth2/{oktaServer}/.well-known/openid-configuration

2 Set up the Okta server as Identity Provider in the FintechOS Identity Provider

  1. Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
  2. Open the Identity Providers section.
  3. From the Add provider... drop-down, select OpenID Connect v1.0.
  4. Fill in the following configuration settings for the Okta server.
    • Alias - Identity provider alias you set for the Okta server (see 1 Create an Okta App Integration for the FintechOS Identity Provider).
    • Display Name - User friendly name for the Okta server.
    • Enabled - ON
    • First Login Flow - first broker login
    • Sync Mode - force
    • Authorization URL - https://{oktaDomain}.okta.com/oauth2/{oktaServer}/authorize
    • Token URL - https://{oktaDomain}.okta.com/oauth2/{oktaServer}/token
    • Logout URL - https://{oktaDomain}.okta.com/oauth2/{oktaServer}/logout
    • User Info URL - https://{oktaDomain}.okta.com/oauth2/{oktaServer}/userinfo
    • Client Authentication - Client secret sent as post.
    • Client ID - Use your Okta client ID (from the Okta app, General tab).
    • Client Secret - Use your Okta client secret (from the Okta app, General tab).
    • Issuer - https://{oktaDomain}.okta.com/oauth2/{oktaServer}
    • Default Scopes - Scopes to be sent when asking for authorization. Default: openid email.
    • Prompt - unspecified
    • Validate Signatures - ON
    • Use JWKS URL - ON
    • JWKS URL - https://{oktaDomain}.okta.com/oauth2/{oktaServer}/keys
  5. Click Save.
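As an added example (not FintechOS or Okta code), the following Python fills the URL settings above from the two Okta placeholders, derives the step 1 redirect URI, and compares the settings against a constructed openid-configuration document of the kind the well-known endpoint returns; the discovery document is the authoritative source, so any mismatch it reports should be resolved in the discovery document's favour before you click Save. The function names and the sample values myOkta and myServer are assumptions.

```python
import json
# Constructed discovery document (shape of the well-known endpoint response); myOkta/myServer are
# placeholders, and end_session_endpoint deliberately differs from the Logout URL template.
DISCOVERY_JSON = """{
  "issuer": "https://myOkta.okta.com/oauth2/myServer",
  "authorization_endpoint": "https://myOkta.okta.com/oauth2/myServer/authorize",
  "token_endpoint": "https://myOkta.okta.com/oauth2/myServer/token",
  "userinfo_endpoint": "https://myOkta.okta.com/oauth2/myServer/userinfo",
  "jwks_uri": "https://myOkta.okta.com/oauth2/myServer/keys",
  "end_session_endpoint": "https://myOkta.okta.com/oauth2/myServer/end_session"
}"""

# Discovery field that each FintechOS Identity Provider setting must agree with.
DISCOVERY_FIELD = {
    "Issuer": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",
    "User Info URL": "userinfo_endpoint",
    "JWKS URL": "jwks_uri",
}

def broker_settings(okta_domain: str, okta_server: str) -> dict:
    """Fill the URL templates from step 2 with the two Okta placeholders."""
    base = f"https://{okta_domain}.okta.com/oauth2/{okta_server}"
    return {
        "Issuer": base,
        "Authorization URL": f"{base}/authorize",
        "Token URL": f"{base}/token",
        "Logout URL": f"{base}/logout",
        "User Info URL": f"{base}/userinfo",
        "JWKS URL": f"{base}/keys",
    }

def redirect_uri(hpfi_base_url: str, realm: str, alias: str) -> str:
    """Sign-in redirect URI to register in the Okta app (structure from step 1)."""
    return f"https://{hpfi_base_url}/auth/realms/{realm}/broker/{alias}/endpoint"

def check_against_discovery(settings: dict, discovery_json: str) -> list[str]:
    """Return one message per setting that disagrees with the discovery document."""
    discovery = json.loads(discovery_json)
    problems = []
    for setting, field in DISCOVERY_FIELD.items():
        expected = discovery.get(field)
        if expected is None:
            problems.append(f"{setting}: discovery document has no '{field}'")
        elif settings[setting] != expected:
            problems.append(f"{setting}: configured {settings[setting]}, discovery says {expected}")
    return problems
```

Run check_against_discovery(broker_settings("myOkta", "myServer"), DISCOVERY_JSON) to see the single Logout URL mismatch the constructed document contains.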

3 Map Okta User Groups to FintechOS Security Roles

When users log in, information about their security roles must be retrieved from the Okta server. For this purpose, you must set up an automatic mapping between Okta user groups and FintechOS Identity Provider security roles.

Set Up the ID Tokens Sent by Okta to Include Security Groups Information

You can include user groups information in the ID tokens sent by Okta as an optional claim. To do so, in the Okta portal:

  1. Hover over the API menu item and select Authorization Servers.
  2. Select your Okta authorization server.
  3. Open the Claims tab and click Add Claim. Fill in the following fields:
    • Name - groups
    • Include In token type - ID Token | Always
    • Value Type - Groups
    • Filter - Regex | .*
    • Disable claim - Uncheck
    • Include In - Any scope

  4. Click Save.

Define Mappings between Okta Groups and FintechOS Security Roles

  1. Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
  2. Open the Identity Providers section.
  3. Select the Okta server you added earlier (see 2 Set up the Okta server as Identity Provider in the FintechOS Identity Provider).
  4. Open the Mappers tab.
  5. For each security role, do the following:
    1. Click Create.
    2. In the Add Identity Provider Mapper window, fill in the following fields:
      • Name - Enter a descriptive name for the mapper.
      • Sync Mode Override - legacy
      • Mapper Type - Claim to Role
      • Claim - groups
      • Claim Value - Name of the Okta group set up on the Okta server.
      • Role - Select the corresponding FintechOS security role.
    3. Click Save.

4 Disable User Account Editing in Innovation Studio

Users who authenticate in FintechOS Platform via an external identity provider cannot have their user account information edited in Innovation Studio as modifications cannot be propagated back to the external identity provider.

In order to protect the user name, first name, last name, display name, email, and phone number fields, as well as the password reset button in the Innovation Studio interface, a hardcoded ftos-third-party-brokered-auth-provider attribute mapping must be provided by the FintechOS Identity Provider for such user accounts:

  1. Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
  2. Open the Identity Providers section.
  3. Open your external identity provider and select the Mappers tab.
  4. Click Create to create a new mapper.
  5. Fill in the following fields:
    • Name - Provide a name for your mapper
    • Sync Mode Override - force
    • Mapper Type - Hardcoded attribute
    • User attribute - ftos-third-party-brokered-auth-provider
    • User attribute value - Any non-null value will work, but it is recommended to use a value that is meaningful for your external identity provider, such as AzureAD or Okta.
  6. Click Save.
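To show how the Okta groups claim from section 3 and the two mapper types from sections 3 and 4 fit together, here is an added Python sketch (not FintechOS or Okta code) that approximates the Okta Groups claim regex filter, then applies constructed Claim to Role mappers and the hardcoded ftos-third-party-brokered-auth-provider attribute mapper to a constructed ID token payload; the group names, role names, function names and the list-contains matching rule for a multi-valued claim are assumptions. It also covers the case worth verifying after setup: a login whose token carries no matching group gets no security role but still gets the protective attribute.

```python
import re
from typing import Any

# Constructed mapper set (names are assumptions, not product defaults):
# two Claim to Role mappers from section 3 and the hardcoded attribute mapper from section 4.
MAPPERS = [
    {"type": "claim-to-role", "claim": "groups", "value": "fintechos-admins", "role": "Administrator"},
    {"type": "claim-to-role", "claim": "groups", "value": "fintechos-agents", "role": "Agent"},
    {"type": "hardcoded-attribute",
     "attribute": "ftos-third-party-brokered-auth-provider", "value": "Okta"},
]

def okta_groups_claim(user_groups: list[str], regex: str = ".*") -> list[str]:
    """Approximate the Okta Groups claim with a Regex filter: only groups matching the
    expression are emitted into the ID token (the page's filter '.*' emits all of them)."""
    pattern = re.compile(regex)
    return [g for g in user_groups if pattern.fullmatch(g)]

def claim_matches(claim_value: Any, expected: str) -> bool:
    """Assumed Claim to Role semantics: a multi-valued claim matches when it contains the
    value, a single-valued claim must equal it, and an absent claim never matches."""
    if claim_value is None:
        return False
    if isinstance(claim_value, list):
        return expected in claim_value
    return claim_value == expected

def apply_mappers(id_token: dict, mappers: list[dict] = MAPPERS) -> dict:
    """Run the identity provider mappers over a decoded ID token payload and return the
    security roles to grant and the user attributes to set."""
    roles: set[str] = set()
    attributes: dict[str, str] = {}
    for m in mappers:
        if m["type"] == "claim-to-role" and claim_matches(id_token.get(m["claim"]), m["value"]):
            roles.add(m["role"])
        elif m["type"] == "hardcoded-attribute":
            attributes[m["attribute"]] = m["value"]
    return {"roles": sorted(roles), "attributes": attributes}

if __name__ == "__main__":
    # Constructed ID token payload: the groups claim is what Okta would emit for a user
    # in two groups once the claim from section 3 is configured.
    token = {"sub": "user@example.test",
             "groups": okta_groups_claim(["Everyone", "fintechos-agents"])}
    print(apply_mappers(token))
```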