These instructions detail how to setup Okta with user synchronization. There are two other options with Okta which support JIT (Just-In-Time) configuration which require the OAuth Authenticator or SAML Authenticator. The JIT requires jus the Selector Application below. The authenticator requires both applications.
These instructions assume:
- The address to access the system is
oauth.demo.busby.local
which can either be a single host or a loadbalancer- Selector is running at
https://oauth.demo.busby.local
(Using default SSL port 443)- Config Editor is running at
https://oauth.demo.busby.local:8443
(Using default SSL Port 8443)- Busby Admin is running at
https://oauth.demo.busby.local:9443
(Using default SSL Port 9443)- The user group is called
Busby Users
If using syncronisation you will need to set up a group in your directory where all users and groups you want to allow access will be placed underneath. The sync will search for that group and find all members and transitive members of groups assigned to that group. In our case we will use one called Busby Users
To create the OAuth Application in Entra go to the App registrations
blade in your Entra ID Admin and select Register an application
Choose a name for the application and choose who is able to login.
We can also supply a Redirect URI here. These will be the application url appended with /oauth-redirect
. The example shows selector. You will be able to add the other urls later once the app has been registered.
We will need the Application (client) ID when we register the application in Busby, that is avaialble in the Overview page of the application.
Next we need to add a secret for the api access and to request the tokens for user access.
Copy the secrt value as this will be needed when we register the application in Busby.
Next add the other redirect URIs for the other applications (Config Editor and Busby Admin)
To enable synchronization the application needs some permissions added
Note that although these are the permissions required for the application to work the only groups that are accessed are Users and Groups which are a member of the specific Busby group (Busby Users
) in this case.
Under the API permissions blade choose Add a permission
Select Application and then search and tick the following permissions
Because these are application permissions Admin Conesent must be granted. From the API Permissions blade select Grand admin consent for Your Tenant Name.
To assign users and groups to the application you will need to go to the
Once the applications have been created in Okta it then needs to be added to the configuration.
From the created applications you will need: