Online Help | Web App

Configuring SSO authentication with Okta

Introduced in 2022.1

This article explains how to integrate Alloy Navigator with Okta for Single Sign-On, so your users can sign in to Alloy Navigator with their Okta credentials.

PREVIOUS STEP: Before you begin, see Managing single sign-on (SSO) providers for basic information and prerequisites.

Register Alloy Navigator in Okta

First, you need to create an integration for your Alloy Navigator apps in Okta so it can provide authentication and authorization services for Alloy Navigator users. See your Okta documentation on how to integrate OpenID Connect (OIDC) applications. For example, see Create OIDC app integrations using the App Integration Wizard (AIW).

You will need this information for creating OIDC app integration. Other parameters are set by default, you can change them as required.

Parameter Value

Sign-in method

OIDC (for OpenID Connect)
Application type

Alloy Navigator web apps (the Web App and Self Service Portal):

  • Web Application

Alloy Navigator mobile apps (Alloy Navigator and Alloy Inventory Scanner):

  • Native Application

You need to create two separate app integrations, one for Alloy Navigator web apps , and the other for Alloy Navigator mobile apps.

Sign-in redirect URIs

The sign-in redirect URI is the location where your Okta IdP sends the authentication response and ID token for sign-in requests.

Alloy Navigator web apps (the Web App and Self Service Portal):

  • [Web App URL]/signin-oidc
  • [SSP URL]/signin-oidc

    The Web App's and SSP's URLs must use HTTPS, not HTTP.

Alloy Navigator mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service):

  • http://localhost:4000

Grant Type

Alloy Navigator web apps (the Web App and Self Service Portal):

  • Authorization Code (or Authorization Code Flow)

Alloy Navigator mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service):

  • Refresh token

Note that a single app registration serves all your Alloy Navigator web apps, as shown in the screenshot below. Add a redirect URI for every Alloy Navigator web app instance you want to use SSO.

Configuring SSO for Alloy Navigator mobile applications requires creating a separate app registration (New Native App Integration), see the screenshot below.

Note the Client ID and Client secret values. You will use them later in the Alloy Navigator Settings App.

Create an SSO Provider record for Okta in Alloy Navigator

To store Okta metadata in Alloy Navigator, create an SSO Provider record using the Settings App. Here is what you will need. All these data are available in your Okta organization.

  • Okta Domain - your Okta domain (the Okta URL for your org);

  • Client ID - the OpenID Connect client ID provided by Okta;

  • Client Secret - the client secret for the Alloy Navigator app provided by Okta;

  • Full Name Claim - the claim where Okta stores user full names. Alloy Navigator needs that claim for creating Person records for self-registering Self Service Portal customers. The default value is name.

  • User Name Claim - the claim where Okta stores usernames (email addresses); those usernames must match usernames (email addresses) in Alloy Navigator accounts. The default value is preferred_username.

To add an SSO Provider record for Okta:

  1. In Alloy Navigator Settings, go to Accounts and Roles > SSO Providers and select New > Okta from the Module menu. The Okta dialog box opens.

  2. In the Name field, keep the default name or specify a different one. Alloy Navigator users will see that name in their sign-in dialog as Sign in with [Name].

  3. In the Okta Domain field, enter the Okta domain name for your org. It can look like companyname.okta.com. For details, see Find your Okta domain.

  4. In the Authority field, review the service endpoint URL path. Note that it must start with https://, because secured protocol is requited.

  5. Provide the credentials of your Alloy web apps from Okta:

    • Client ID - the unique identifier that Alloy apps will use when requesting an access token from Okta.

    • Client Secret - the secret string that the Alloy apps will use to prove its identity when requesting an access token from Okta.

  6. When users sign in, their user information from Okta becomes available to Alloy Navigator. By default, the claims that carry information about the user include the user's email address, name, and preferred username.

    Typically, you can keep the default values in the Full Name Claim and the User Name Claim fields.

  7. Click OK to save your record.

NEXT STEP: Step 3: Configure the Alloy Navigator apps to use SSO.