Therefore™ Help

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Tutorials > Solution Designer > Authentication Methods > Administrative Tasks

Okta Integration with Therefore™

Info

Note: Usernames/passwords do not need to be created in Therefore™ when using Okta as a cloud based user directory. Therefore™ takes the users and groups defined in Okta and authenticates the user in Okta only, it then logs into Therefore™ using OpenId Connect tokens.

1.Preparation in Okta:

For the OpenId Connect token, we need to create a new Client ID in the Okta Tenant. This is a required prerequisite for this feature to work. Below are the step-by-step instructions to create such a client application for Therefore™.

SD_T_AuthMeth_AdminTasks_Okta_001

2.Within Okta, build your directory by creating users and user groups and assigning them accordingly.

3.Create an API Token in Okta.

SD_T_AuthMeth_AdminTasks_Okta_002

4.Name the token (e.g. ‘Therefore’) and click ‘Create Token’.

SD_T_AuthMeth_AdminTasks_Okta_003

5.Copy the generated token provided in the dialog.

SD_T_AuthMeth_AdminTasks_Okta_004

Note

It is strongly advised to copy the token value immediately for later use, since the original token value cannot be accessed or copied again.

6.Create a Client Application:

SD_T_AuthMeth_AdminTasks_Okta_005

7.Configure the platform for the application.

SD_T_AuthMeth_AdminTasks_Okta_006

8.Configure the application settings.

sd_t_authmeth_admintasks_okta_007a

9.Copy the generated Client ID provided in the dialog and select Use PKCE under Client authentication.

SD_T_AuthMeth_AdminTasks_Okta_008

10. Establish a connection in the Therefore™ Solution Designer by double-clicking on the External User Directories node. Then click Add and select the option Okta.

SD_T_AuthMeth_AdminTasks_Okta_009

11. Enter the Okta domain name and the API Access Key, which was displayed when the client application was created. The Therefore Client Id is the ID of the client application created. Additional Domains are required if the Okta directory also contains users from other domains. For example: if the directory contains users like testuser@therefore.okta.com, and also users like test@ontherefore.com, ontherefore.com must be entered in the Additional Domains field. Click OK to establish the connection.

SD_T_AuthMeth_AdminTasks_Okta_010

12. Once the connection has been established, the new domain can be accessed from user or group selection dialogs to select users and groups and grant the appropriate permissions.

SD_T_AuthMeth_AdminTasks_Okta_011

13. When connecting to Therefore™ through an installed client application, the connection settings need to be configured. For Login using, select the option for Okta, then click Settings.

SD_T_AuthMeth_AdminTasks_Okta_012

14. The Therefore Client Id must be set to the same application Id created in the preparation step, which was also added to the configuration in the Therefore™ Solution Designer. The Domain name needs to be set to the corresponding Okta domain name.

Info

The default client UI for logon is web-based. This is specifically required for MFA (multi-factor authentication). If no MFA is used, a user can also select to use the traditional, non-web login dialog by setting a registry key as shown below. However, this approach is not recommended.

HKEY_CURRENT_USER\Software\Therefore\Client\EnableSSOWebUi = 0

This registry value disables the web-based login dialog. If MFA is enabled, logging in will always fail in this case.

SD_T_AuthMeth_AdminTasks_Okta_013