OKTA-913556: Express Configuration #5407
base: master
Acrolinx score: A minimum Acrolinx Score of 80 is required. The total score is an average of the subscores. Select Total score to review the Acrolinx scorecard for your article. Try to increase your individual scores, for example: Correctness. Your content will be clearer and more consistent.
Netlify Preview URL for the changes: https://preview-5407--reverent-murdock-829d24.netlify.app
* Auth0 Enterprise subscription and an admin account | ||
* Auth0 [Command Line Interface](https://auth0.github.io/auth0-cli/)(CLI) permission | ||
* The [Auth0 Organizations](https://auth0.com/docs/manage-users/organizations) feature is enabled |
Either swap 24 and 25 or merge 25 with 23 since it's all about Auth0 tenant expectation.
**Note**: Before you run the command, replace `$AUTH0\_DOMAIN` with your Auth0 tenant's domain. For example, `your-tenant.us.auth0.com`. | ||
|
||
```bash | ||
auth0 login --domain $AUTH0_DOMAIN --scopes update:tenant_settings --scopes create:client_grants |
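Review bot: the Note above this command spells the placeholder as `$AUTH0\_DOMAIN` (inside a code span the backslash renders literally), while the command itself uses `$AUTH0_DOMAIN`; make the two identical so the reader can copy either one. Also keep the `--scopes` list on this line and the scope list in the Step 1 prose in lockstep, so the CLI is granted exactly the tenant permissions the later steps use and nothing broader.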
Need to change to:

`auth0 login --domain $AUTH0_DOMAIN --scopes update:tenant_settings --scopes create:client_grants --scopes create:client_credentials --scopes update:client_credentials`
|
||
## Step 2: Create a resource server in Auth0 | ||
|
||
The resource server refers to Okta's Express Configuration API. When you authorize Okta for this resource server using OAuth 2.0, Okta receives an access token and uses it to access user and organization information. It securely invokes your Auth0 tenant's Management API to create and update [Okta Workforce connections](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta). |
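Review bot: the last sentence of this paragraph blurs two different credentials: the access token Okta obtains for the Express Configuration resource server, and the Management API access it uses to create and update Okta Workforce connections. State which client grant authorises the Management API calls and with which scopes, because creating and updating enterprise connections is a tenant-wide privilege the reader is delegating to Okta, and the paragraph as written does not tell them what they are granting.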
> It securely invokes your Auth0 tenant's Management API to create and update Okta Workforce connections.

This is for step "Assign Client Credentials to the Okta OIN Integration Client".
|
||
**Notes**: | ||
|
||
* The `client_metadata` parameter stores custom metadata for the app. |
Remove this line. Sort of redundant with line below.
|
||
* The `client_metadata` parameter stores custom metadata for the app. | ||
* The `express_configure_sp_client_id` value refers to the client ID of the app for which you’re enabling Express Configuration. | ||
* The `is_express_configure_app` value indicates whether the Express Configuration is enabled in the app. These metadata values are used in the post-login action to validate the app's configuration and add custom claims to the issued tokens. |
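Review bot: the last sentence says the post-login action uses these metadata values to validate the app's configuration; spell out the failure path. When the calling client has no `express_configure_sp_client_id` (or it is empty), the action should add no Express Configuration claims at all rather than emit an empty `sp_client_id`, because Okta acts on that claim downstream.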
Remove `is_express_configure_app` since it is not required now.
"organization_usage": "require", | ||
"client_metadata": { | ||
"express_configure_sp_client_id": "'$SERVICE_APP_CLIENT_ID'", | ||
"is_express_configure_app": "true" |
Delete this line (and the trailing `,` on the previous line).
* The `express_configure_sp_client_id` value refers to the client ID of the app for which you’re enabling Express Configuration. | ||
* The `is_express_configure_app` value indicates whether the Express Configuration is enabled in the app. These metadata values are used in the post-login action to validate the app's configuration and add custom claims to the issued tokens. | ||
* The `organization_usage` value ensures that users log in using an organization. Set this value to `true`, as it’s a prerequisite for Express Configuration. This setting ensures that Express Configuration functions within the context of an organization, which provides secure and structured access control. | ||
* The `organization_require_behavior` value determines how the organization's login is handled. |
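Review bot: the `organization_usage` bullet says to set the value to `true`, but the JSON above sets `"organization_usage": "require"`, a string, not a boolean; make the prose say `require` so readers do not paste a value the fragment does not use. The same list still documents `is_express_configure_app`, which the comment above this hunk asks to drop.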
We shall explain that the customer is free to choose other options:

- The `organization_require_behavior` field dictates the organization login behavior. Choose the option that best works for you:
  - `pre_login_prompt`: Prompts users to select or enter an organization before login.
  - `post_login_prompt`: Prompts users to select or enter an organization after login.
  - `no_prompt`: Does not prompt users for an organization, assuming it is already provided or not required.
|
||
[Create a custom post-login action](https://auth0.github.io/auth0-cli/auth0_actions_create.html) to add custom claims (`sp_client_id)` to the access token that Auth0 issues after a user successfully logs in. These claims provide Okta with the necessary information for the Express Configuration process. | ||
|
||
Create a file named `add_post_login_action.js` and add the following action: |
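Review bot: say which tokens the action decorates. It should add the Express Configuration claims only when the requested audience is the resource server created in Step 2 and the calling client carries the `express_configure_sp_client_id` metadata; otherwise every access token the tenant issues, to any application, will carry `sp_client_id` and the related claims. The claim list in the first paragraph (`sp_client_id` only) should also match the full set the action code adds.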
following action
-> following code
Follow these steps to verify and test the Express Configuration feature: | ||
|
||
1. Sign in to your [Okta Developer Edition org](/login/) as a user with either the super admin (`SUPER_ADMIN`) role, or the app (`APP_ADMIN`) and org (`ORG_ADMIN`) admin [roles](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles). | ||
1. Go to **Applications** > **Your OIN Integrations** in the Admin Console. |
It's Application -> Applications
1. Open your app's detail page and click **Add Integration**. | ||
1. In **General Settings**, click **Done** to create an instance of your OIN app. | ||
1. Go to the **Authentication** tab. | ||
1. Click **Configure SSO with OIDC** and complete the authorization flow. |
> complete the authorization flow.

From the user's perspective, clicking the button will trigger the authorize flow, after which it'll perform Express Configure.
</div> | ||
|
||
8. Assign a test Okta user to this app instance. | ||
9. Sign in to your Okta Developer Edition org using this test user and click your app tab. |
Feel like we don't need to say "and click your app tab", since after login the user lands on the end-user dashboard by default.
10. Verify that the user is successfully signed in to your app. | ||
|
||
**Note**: | ||
When users use Express Configuration to set up SSO for an instance of your app in Okta, the following default configurations are applied to the newly created Okta Workforce Connection in Auth0. Users can’t modify these configurations: |
> Users can’t modify these configurations:

This is not true. We don't need to mention it.
**Login Experience** | ||
|
||
* **Home Realm Discovery**: Empty (not supported) | ||
|
||
* **Connection Button** | ||
* **Display connection as a button**: Disabled (Enabled through **Organizations**) | ||
* **Button Display Name**: Okta | ||
* **Button Logo URL**: `https://cdn.brandfolder.io/R30ALRIS/at/scvv8tj7w545j3r5gmxq4jrb/Okta_Aura_Logomark_Black_RGB.png` (Okta brand logo) | ||
|
||
**Organizations** | ||
|
||
* **Membership On Authentication**: Enable **Auto-Membership** | ||
* **Display Connection as a button**: Enabled in login experience customization |
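Review bot: two of these defaults are security-relevant and deserve a sentence each. **Auto-Membership** under **Membership On Authentication** means every user who authenticates through the new Okta Workforce connection is added to the organization automatically, so the admin should know that membership is not gated by anything else. The **Button Logo URL** points at a third-party CDN (`cdn.brandfolder.io`), so the login page will load that image from outside both Okta and Auth0; say whether the admin can replace it.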
Login Experience and Organizations are all part of Connection settings. The structure shall look like:

- Connection settings
  - scopes
  - user mapping
  - connection profile
  - login experience
    - HRD
  - Org
    - Member..
    - Display as button
|
||
# Express Configuration | ||
|
||
Express Configuration lets enterprise customers quickly add an instance of Auth0-enabled OIDC apps published in the Okta Integration Network (OIN) catalog to their Okta org. This process uses automated data sharing between Okta and Auth0, reducing manual steps and minimizing errors when sharing configuration information. |
add an instance of -> setup an instance of
|
||
[Authenticate with the Auth0 CLI](https://auth0.github.io/auth0-cli/auth0_login.html) to establish a connection between your app environment and your Auth0 tenant. The specified scopes (`update:tenant_settings` and `create:client_grants`) provide the CLI permissions to modify tenant-wide settings and create client grants, which are essential for the subsequent configuration steps. | ||
|
||
**Note**: Before you run the command, replace `$AUTH0\_DOMAIN` with your Auth0 tenant's domain. For example, `your-tenant.us.auth0.com`. |
`$AUTH0\_DOMAIN` -> `$AUTH0_DOMAIN`
|
||
## Step 1: Authenticate with Auth0 CLI | ||
|
||
[Authenticate with the Auth0 CLI](https://auth0.github.io/auth0-cli/auth0_login.html) to establish a connection between your app environment and your Auth0 tenant. The specified scopes (`update:tenant_settings` and `create:client_grants`) provide the CLI permissions to modify tenant-wide settings and create client grants, which are essential for the subsequent configuration steps. |
Add `create:client_credentials` and `update:client_credentials` to this list.
|
||
### Add post-login action | ||
|
||
[Create a custom post-login action](https://auth0.github.io/auth0-cli/auth0_actions_create.html) to add custom claims (`sp_client_id)` to the access token that Auth0 issues after a user successfully logs in. These claims provide Okta with the necessary information for the Express Configuration process. |
We are adding 3 custom claims in the action code. So either we can skip mentioning the claim name in this text or include all 3: `sp_client_id`, `management_api_audience`, `init_login_uri`.
* The `is_express_configure_app` value indicates whether the Express Configuration is enabled in the app. These metadata values are used in the post-login action to validate the app's configuration and add custom claims to the issued tokens. | ||
* The `organization_usage` value ensures that users log in using an organization. Set this value to `true`, as it’s a prerequisite for Express Configuration. This setting ensures that Express Configuration functions within the context of an organization, which provides secure and structured access control. | ||
* The `organization_require_behavior` value determines how the organization's login is handled. | ||
* Ensure that you note down the Okta OIN Integration Client ID after it’s created. You need to share this ID with the Okta Express Configuration team to configure your app in the OIN. |
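Review bot: the Client ID in the last bullet is shared out-of-band with the Okta Express Configuration team, and the review comment below says this step also needs an Okta-provided public key saved as `okta-public-key.pem`; document where that key is obtained and how the reader checks it is the genuine Okta key before attaching it to the client, because whoever holds the matching private key can authenticate as the Okta OIN Integration Client.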
Also mention that to complete this step you need the public key provided by Okta, saved in a file named `okta-public-key.pem`.
|
||
Run the following command to create a post-login action named `express_configure_postlogin_action` that is triggered after a user logs in. | ||
|
||
**Note**: Replace the `SERVICE_INIT_LOGIN_URL` parameter value with the URL that end users use to log in to your app. For example, `https://example.com/login`. |
And replace `AUTH0_DOMAIN` with your tenant domain.
}' | ||
``` | ||
|
||
## Step 6: Update tenant settings |
Can we add that this step is recommended but not required for Express Configuration?
|
||
1. Confirmation that you completed all the steps in this guide and your app is ready to support Express Configuration. | ||
2. Your app name in the OIN. | ||
3. The OIN Integration Client ID. |
Okta OIN Integration Client Application Client ID.
10. Verify that the user is successfully signed in to your app. | ||
|
||
**Note**: | ||
When users use Express Configuration to set up SSO for an instance of your app in Okta, the following default configurations are applied to the newly created Okta Workforce Connection in Auth0. Users can’t modify these configurations: |
When users -> When admins