Appendix C - Creating a SSO and MFA OpenID Connect Integration with Okta

As a general description, the process to configure Okta support for Snare Central involves the following steps:

  1. Configure a new Integration for Snare Central in the Okta portal. This requires administrative rights within the Okta portal.

  2. Configure the Sign-In redirect URL in the provider's portal. This URL is provided in the “Sign-In redirect URL” field in this section of the Configuration Wizard.

  3. Configure the groups that will have access to Snare Central in the Okta portal. The name of the groups must start with the “Default Group Prefix” shown in this section of the Configuration Wizard (Snare_Central.).

  4. Once the new integration has been created, get the required credentials. In the case of Okta these credentials include: Domain, Client ID, Client Secret and API Token.

  5. With the above credentials, add a new IAM Service Provider in the Configuration Wizard by clicking the Add button.

  6. Retrieve the groups from Okta by clicking the “Retrieve Groups” button.

  7. Once the groups have been obtained from Okta, the Administrator needs to grant them permissions in the “Manage Access Control” tool.

  8. Log out from Snare Central; a new “LOGIN WITH OKTA” button will be available on the login page for users defined in the Okta portal.

A detailed description on each of the above steps follows.

NOTE: Throughout this document we use xx.xx.xx.xx to represent the IP address of your Snare Central server; however, the FQDN (Fully Qualified Domain Name) of the server can be used instead.

1. Configure a new Integration for Snare Central in the Okta portal

Okta allows you to enable Single Sign On (SSO) and Multi Factor Authentication (MFA) using OpenID Connect authentication for your applications. This guide explains how to create a new OpenID Connect integration with Okta.

Before you begin, you need a verified Okta account and a registered application. If you don't have these, please follow the appropriate steps in the Okta documentation.

Snare will use an Okta flow called Redirect authentication: a user sign-in flow that grants authentication control to Okta by redirecting to an Okta-hosted sign-in page. This flow uses open protocols like OAuth 2.0 and SAML.

The first thing needed, therefore, is to configure your Okta environment.

NOTE: The following steps require that the verified Okta account has one of the Super Admin, App Admin or Org Admin permissions.

2. Navigate to the Okta Dashboard

Log in to your Okta account and navigate to the Okta dashboard. The dashboard displays all the applications in your organization.

3. Create a New OpenID Connect Integration (Application)

To create a new OpenID Connect integration, navigate to the "Applications" menu and click on "Create App Integration."

From the "Create a New Application Integration" dialog, select "OIDC - OpenID Connect" and “Web Application”, then click on the "Next" button.

4. Configure the Integration (Configure the Sign-In redirect URL)

After creating the new OpenID Connect integration, you need to configure it. The following are the parameters that you need to fill out:

  1. "App Integration Name": Snare Central

  2. “Grant Type”: “Client Credentials” and “Authorization Code”

  3. “Sign-in redirect URIs”: https://xx.xx.xx.xx/login.php/api/v1/sign-in-callback

  4. “Assignments – Controlled access”: Everyone

Once you fill out all the required parameters, click on the "Save" button to save the integration.

5. Retrieve Your Client Credentials

After saving the integration, select your new integration and navigate to the "General" tab. Here you can find your "Client ID" and "Client Secret". Copy these credentials and save them to a secure location.

Select “Require PKCE as additional verification”.

6. Configuring CORS settings for your OpenID Connect integration with Okta

To configure CORS settings for your Okta integration, navigate to the Security → "API" page in the Okta Console and click on the "Trusted Origins" menu. From there you can add your application's URLs to the list of trusted origins. Add https://xx.xx.xx.xx as the Origin URL, select the “Cross-Origin Resource Sharing” and “Redirect” checkboxes, and save.

NOTE: Make sure to enable CORS settings only for the required domains to prevent unauthorized access to your Okta account.

7. Test the Integration

To test the integration, navigate to the "Assignments" tab and assign users or groups to your OpenID Connect application. Once you assign users, they can log in to your application using their Okta credentials.

Congratulations, you have successfully created a new OpenID Connect integration with Okta.

8. Create an API token

NOTE: API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions also change.

See the section above on Privilege level, regarding the use of a service account when creating an API token, to specifically control the privilege level associated with the token.

To create an API token, follow these steps:

  • In the Admin Console, select Security > API from the menu and then select the Tokens tab.

  • Click Create Token.

  • Name your token and click Create Token.

  • Record the token value. This is the only opportunity to see and record it.

9. Configure app-level MFA

  1. In the Admin Console, go to Applications.

  2. Click the Sign On tab.

  3. You can create a rule or modify an existing one to configure MFA on the app. Click Add Rule to create a rule, or click the edit rule pencil icon in the Actions column for the rule you want to modify. The App Sign On Rule dialog box appears.

  4. Enter a rule name in Rule Name.

  5. Optional. In the PEOPLE section, select the users and groups to whom this rule applies.

    • Users assigned this app: Select this option to assign this rule automatically to all users who are assigned to this app from the app's Assignments tab.

    • The following groups and users:

      • Groups: Enter the names of groups to whom you want to apply this rule.

      • Users: Enter the names of individual users to whom you want to apply this rule.

      • Exclude the following users and groups from this rule: Select this option to add groups and users that you want to exclude from this rule. The following options appear:

        • Excluded Groups: Enter the names of groups that you want to exclude from this rule.

        • Excluded Users: Enter the names of individuals that you want to exclude from this rule.

  6. Optional. In the LOCATION section, select an option to require MFA to access the app based on the user's network zone.

    • Anywhere: Require MFA to access the app from users who sign in from any network zone.

    • In Zone: Require MFA to access the app from users who sign in from network zones that you specify.

    • Not in Zone: Require MFA to access the app from users who sign in from outside of the network zones that you specify.

    • Network Zones:

      • All Zones: Select this option to apply the In Zone or Not in Zone option to users who sign in from all network zones.

      • Click in the field and enter the names of network zones to apply to the In Zone or Not in Zone option.

  7. Optional. In the CLIENT section, select the platforms to which you want to apply this rule.

  8. In the ACCESS section, select from the drop-down whether sign-on to the application is allowed or denied. Select an action:

    • Prompt for re-authentication: Require users to re-authenticate when they try to access the app.

    • Prompt for factor: Require that users authenticate with a specific factor when they try to access the app.

    • Multi-factor Settings: If you haven't configured your factor types yet, you can click this link and configure them. Don't click this link if you've already configured your factor types.

  9. Click Save.

https://help.okta.com/en-us/Content/Topics/Security/MFA_App_Level.htm

10. Create Groups

  1. In the Admin Console, go to Directory → Groups.

  2. Add the groups that will have access to Snare Central. The name of each group MUST start with the group prefix defined in the IAM section of the Configuration Wizard in the Snare Central server (default is Snare_central.).

11. Add a new IAM Service Provider in the Configuration Wizard

Log in as Administrator on the Snare Central server, go to “Administrative Tools” → “Configuration Wizard” → “Identity and Access Management Setup” and click on the Add button.

Fill in the form with the required values from the Okta page (Domain, Client ID, Client Secret and API Token).

12. Retrieve the groups from Okta

Select the Okta service provider and click the “Retrieve Groups” button.

13. Grant access rights to Okta groups

Go to the “Manage Access Control” tool under the “Administrative Tools” menu and assign access to Reports and Snare pages as needed for the groups retrieved from Okta.

14. Login with Okta credentials

Snare Central uses Okta's Redirect Authentication model: a user sign-in flow that grants authentication control to Okta by redirecting the user's browser to the Okta-hosted sign-in page. This flow uses open protocols like OAuth 2.0 and SAML.

The user is redirected to Okta for credential verification and is then granted authenticated access to Snare Central. When a user signs in, they are redirected to Okta using the OpenID Connect protocol. After the user signs in (subject to the policies configured in Okta), Okta redirects the user back to Snare Central, where group verification is carried out; if it succeeds, the user is granted access with the authorization level of their group.
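The redirect flow described above and the PKCE setting from step 5, as an added example that is not Snare Central's or Okta's own code: it builds the Authorization Code request with an S256 PKCE challenge for the redirect URI from step 4, checks the state parameter when the browser comes back to that URI, and keeps only the groups that carry the Default Group Prefix. The Okta domain, the client ID, the groups scope and the prefix-check logic are assumptions; only the redirect URI and the prefix come from this appendix.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values from this appendix; xx.xx.xx.xx stands for the Snare Central address.
REDIRECT_URI = "https://xx.xx.xx.xx/login.php/api/v1/sign-in-callback"
GROUP_PREFIX = "Snare_Central."
# Constructed placeholders: your own Okta tenant and client ID go here.
OKTA_DOMAIN = "dev-000000.okta.com"
CLIENT_ID = "0oaEXAMPLECLIENTID"


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(state: str, code_challenge: str) -> str:
    """Authorization Code request the login page redirects the browser to."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile groups",  # 'groups' scope assumed enabled
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{OKTA_DOMAIN}/oauth2/v1/authorize?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from Okta and return the authorization code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive on the registered redirect URI")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response was not started by this session")
    if "error" in query:
        raise ValueError(f"Okta returned error: {query['error'][0]}")
    return query["code"][0]


def authorized_groups(okta_groups: list[str]) -> list[str]:
    """Keep only groups carrying the Snare Central prefix (assumed check, steps 10/13)."""
    return [g for g in okta_groups if g.startswith(GROUP_PREFIX)]
```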