Okta Portal SSO
Use Okta as the identity provider to log in to the Halo portal using SSO.
Prerequisites
- Okta authorization server configured for Halo (see Okta Authorization Server)
Register your app in Okta
Create app integration
- Log in to the Okta Admin Console and navigate to Applications -> Applications.
- Click Create App Integration and choose OIDC - OpenID Connect.
- Click Single-Page Application.

Configure app integration
- Configure the following settings:
  - App integration name: e.g. Glasswall Halo Portal
  - Grant type: choose the following 3 options:
    - Authorization Code
    - Refresh Token
    - Implicit (hybrid)
  - Sign-in redirect URIs: e.g. https://<your-halo-domain>/authentication/login-callback
  - Sign-out redirect URIs: e.g. https://<your-halo-domain>/authentication/logout-callback
  - Controlled access: choose Allow everyone in your organization to access, or select only specific groups if you want to limit access to a few people.
  - Unselect Enable immediate access with Federation Broker Mode.

Save application and note client ID
- Save the application and note the Client ID:
export PORTAL_CLIENT_ID=""

Grant API scopes
- Navigate to the Okta API Scopes tab in the application and grant the following scopes:
  - okta.myAccount.email.read
  - okta.myAccount.profile.read
  - okta.users.read
  - okta.users.read.self

Note issuer URI and audience
- From the authorization server configured in the prerequisite step, note the Issuer Metadata URI and VALID_AUDIENCE:
export OKTA_ISSUER_URI="https://<your-okta-domain>/oauth2/<authorization-server-id>"
export OKTA_ORIGIN="https://<your-okta-domain>"
export VALID_AUDIENCE="api://halo"
Add access policy for portal
- Navigate to the authorization server's Access Policies tab (Security -> API -> select your authorization server -> Access Policies).
- Add a new access policy:
  - Name: e.g. Portal SSO Access
  - Description: e.g. Access policy for Halo Portal SSO users
  - Assign to: the Portal SPA client created above (search by name Glasswall Halo Portal)
- Add a rule:
  - Name: e.g. Allow Portal Users
  - Grant type: Authorization Code
  - User is a member of: Everyone (or restrict to a specific group, e.g. Halo-Admin, if you want to limit Portal access)
  - Leave other settings as defaults or adjust as needed.

Update Portal service
export HALO_DOMAIN=<your-halo-domain>
helm upgrade --install cdrplatform-portal cdrplatform-portal -n cdrplatform --reuse-values \
--set configuration.AutoAdmin=false \
--set configuration.BackendScope="email openid profile" \
--set configuration.BackendUrl="https://${HALO_DOMAIN:?}" \
--set configuration.EnabledPages="SystemSettings\,PolicySettings\,IcapSettings\,IcapRequests\,IcapReporting" \
--set configuration.OIDC.ProviderOptions.Authority="${OKTA_ISSUER_URI:?}" \
--set configuration.OIDC.ProviderOptions.ClientId="${PORTAL_CLIENT_ID:?}" \
--set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${HALO_DOMAIN:?}/authentication/logout-callback" \
--set configuration.OIDC.ProviderOptions.RedirectUri="https://${HALO_DOMAIN:?}/authentication/login-callback" \
--set appenvironment.HTTP_CSP_CONNECT_SRC="'self' ${OKTA_ORIGIN:?}" \
--set appenvironment.HTTP_CSP_FRAME_SRC="'self' ${OKTA_ORIGIN:?}" \
--set appenvironment.HTTP_CSP_FRAME_ANCESTORS="'self' ${OKTA_ORIGIN:?}" \
--set ingress.enabled=true \
--set ingress.tls.domain="${HALO_DOMAIN:?}" \
--set ingress.tls.enabled=true \
--atomic
Update Portal-Access service
helm upgrade --install cdrplatform-portal-access -n cdrplatform cdrplatform-portal-access --reuse-values \
--set configuration.Authentication__Schemes__Bearer__Authority="${OKTA_ISSUER_URI:?}" \
--set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${VALID_AUDIENCE:?}" \
--set configuration.Authentication__Schemes__Bearer__ValidIssuer="${OKTA_ISSUER_URI:?}" \
--set configuration.AuthenticationScheme="Bearer" \
--set configuration.CORSDOMAIN="'*'" \
--set ingress.enabled=true \
--set ingress.tls.domain="${HALO_DOMAIN:?}" \
--set ingress.tls.enabled=true \
--atomic
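Before running the two helm upgrades above, the following preflight function checks the exported values for the mistakes that most often break the login flow: a HALO_DOMAIN given with a scheme, an org-server issuer instead of the custom authorization server that carries the api://halo audience, an OKTA_ORIGIN that does not match the issuer (which leaves the CSP blocking the SPA's requests), and callback URIs that differ from those registered in the Okta app. It is an added example, not part of the Halo charts or of Okta's tooling; the function name and the space-separated list of registered redirect URIs passed as the last argument are assumptions of this example.

```shell
# Preflight for the Okta SSO values used by the helm upgrades (added example).
# Prints one line per problem found and returns the number of problems.
# Usage: halo_sso_preflight "$HALO_DOMAIN" "$OKTA_ISSUER_URI" "$OKTA_ORIGIN" \
#            "$VALID_AUDIENCE" "$PORTAL_CLIENT_ID" "<registered redirect URIs>"
halo_sso_preflight() {
  halo_domain=$1; issuer=$2; origin=$3; audience=$4; client_id=$5; registered=$6
  problems=0
  fail() { echo "preflight: $1"; problems=$((problems + 1)); }

  # HALO_DOMAIN is interpolated into https://${HALO_DOMAIN}/..., so it must be a bare host.
  case "$halo_domain" in
    ''|*://*|*/*|*' '*) fail "HALO_DOMAIN must be a bare hostname, got '$halo_domain'" ;;
  esac

  # CSP connect-src/frame-src are built from OKTA_ORIGIN: https scheme and host only.
  case "$origin" in
    https://*/*|https://*' '*) fail "OKTA_ORIGIN must be scheme and host only, got '$origin'" ;;
    https://?*) ;;
    *) fail "OKTA_ORIGIN must start with https://, got '$origin'" ;;
  esac

  # The api://halo audience lives on a custom authorization server, whose issuer is
  # ${OKTA_ORIGIN}/oauth2/<id>. The org server issuer (${OKTA_ORIGIN} alone) would not
  # carry it, and an issuer on another origin would be blocked by the CSP above.
  case "$issuer" in
    "$origin"/oauth2/?*) ;;
    *) fail "OKTA_ISSUER_URI must be ${origin}/oauth2/<authorization-server-id>, got '$issuer'" ;;
  esac

  [ -n "$audience" ] || fail "VALID_AUDIENCE is empty"
  [ -n "$client_id" ] || fail "PORTAL_CLIENT_ID is empty"

  # Okta compares redirect URIs exactly; what the portal sends must be registered verbatim.
  for uri in "https://$halo_domain/authentication/login-callback" \
             "https://$halo_domain/authentication/logout-callback"; do
    found=0
    for r in $registered; do [ "$r" = "$uri" ] && found=1; done
    [ "$found" -eq 1 ] || fail "$uri is not registered in the Okta app"
  done
  return "$problems"
}
```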
Provide access to users
There are 2 roles in Halo: User and Admin. Roles are configured via group membership on the Okta authorization server (see Define Roles).
- To grant the User role, add the user to the Halo_User group.
- To grant the Admin role, add the user to the Halo_Admin group.