OAuth

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

Using OAuth, you can enable Single Sign On for the following portals:

Office 365

To enable Single Sign On for Office 365 from Apex, the following configuration should be done in the Office 365 portal.

Web Application

Prerequisites

Prerequisites to be performed in Office 365

  1. Log into Office 365 using https://apps.dev.microsoft.com/.
    Figure: Office 365 Login Screen

  2. Enter your Office 365 credentials and log in to the portal. The My Applications page is displayed.
    Figure: My Applications page

    Note

    Under Converged Applications you can configure both Office 365 and Azure. Under Azure AD only Applications you can configure only Azure.

  3. Click Add an app under Converged Applications. The Register your application pop-up page is displayed.
    Figure: Register your Application pop-up page

  4. Specify a name for the application and click Create. The Application ID is displayed.
    Figure: Office 365 Page

    Note

    The Application ID displayed here is the Client ID to be used in the Apex application.

  5. Click Generate New Password. A new password is generated and displayed in the pop-up page. This is the only time the password is displayed. Store it securely.
    Figure: New Password generated pop-up page

    Note

    The Password generated here is the Client Secret Key in the Apex application.

  6. Click Add Platform under the Platforms section. The Add Platform pop-up page is displayed.
    Figure: Add Platform Pop-up page

  7. On the Add Platform pop-up page, select Web.

  8. Specify the Redirect URL. This URL is your Apex Web Application login URL (Example: https://baseurl/Apex_SAMLResponse.aspx).

    Note

    • The Redirect URL you provide here should be entered in the Redirect URL field in the Apex application.

    • The Delegated Permissions (user.read) displayed in the Microsoft Graph Permissions section should be entered in the Scope field of the Apex application.

    Figure: Microsoft Graph Permissions section

  9. Click SAVE after all the above actions are performed.
    Figure: Office 365 page

Configure in Apex application

To configure SSO for Office 365 from Apex, perform the following steps:

  1. Navigate to Admin > Infrastructure > SSO Configuration.
    The SSO Configuration page is displayed.

  2. On the SSO Configuration page, select OAuth under the Authentication Type and click Add New on the Actions Panel.

    Figure: SSO Configuration: OAuth_Office 365

  3. Specify the required details and click Submit. For more details about the fields on the SSO Configuration page, see Field Description.

Field Description

The following table describes the fields on the SSO Configuration page:

Fields

Description

Domain

Select the domain name from the list. The OAuth based authentication will be configured for the selected domain.
Note: This field is not visible for single domain users.

URL

Specify the Mobile Web Service URL. Example: https://baseurl/mobilews

Grant Type

Select the Grant Type as Authorization Code from the drop-down list.

Authorization URL

Specify the following Authorization URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Access Token URL

Specify the following Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token

Client ID

Specify the Client ID. This is the Application ID from the Office 365 portal. Refer to the Prerequisites section for more information about this field.

Client Secret Key

Specify the Client Secret Key. This is the Password generated in the Office 365 portal. Refer to the Prerequisites section for more information about this field.

User Information URL

Specify the following User Information URL:
https://graph.microsoft.com/v1.0/me

Redirect URL

Specify the Redirect URL. This is the same URL you specified in the Redirect URL field of the Office 365 portal. Example: https://baseurl/Apex_SAMLResponse.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the Scope as user.read. This is from the Delegated Permissions section of Office 365 portal.

Response Attribute

Specify the Response Attribute as mail.

User Creation

If this checkbox is enabled, a user who is not present in the Apex database but logs in to the application using the OAuth authentication method is created automatically.

Time Zone

Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user.

Note

This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.

Note

This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, .bmp.
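The Authorization Code exchange that the fields above configure, written out as an added example (not Apex or Microsoft code): it builds the request to the Authorization URL with a per-login state value, checks that the callback arrived on the registered Redirect URL carrying that same state, redeems the code at the Access Token URL, and returns the configured Response Attribute from the User Information URL. The Client ID and Client Secret Key values are placeholders, and the http_post/http_get callables and FakeProvider are assumptions that let the flow run offline; the same code serves the Azure and Facebook field tables below by changing the OAuthConfig values.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class OAuthConfig:
    # The SSO Configuration fields that drive the Authorization Code grant.
    authorization_url: str
    access_token_url: str
    user_information_url: str
    client_id: str
    client_secret: str
    redirect_url: str
    scope: str
    response_attribute: str

# Values from the Office 365 field table; Client ID and secret are placeholders.
OFFICE365 = OAuthConfig(
    authorization_url="https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    access_token_url="https://login.microsoftonline.com/common/oauth2/v2.0/token",
    user_information_url="https://graph.microsoft.com/v1.0/me",
    client_id="PLACEHOLDER-APPLICATION-ID",
    client_secret="PLACEHOLDER-CLIENT-SECRET",
    redirect_url="https://baseurl/Apex_SAMLResponse.aspx",
    scope="user.read",
    response_attribute="mail",
)

def build_authorization_url(cfg: OAuthConfig, state: str) -> str:
    """Step 1: the URL the browser is sent to. `state` is a fresh random value
    kept in the server-side session so the callback can be tied to this attempt."""
    params = {"client_id": cfg.client_id, "response_type": "code",
              "redirect_uri": cfg.redirect_url, "scope": cfg.scope, "state": state}
    return f"{cfg.authorization_url}?{urlencode(params)}"

def complete_login(cfg, callback_url, expected_state, http_post, http_get) -> str:
    """Steps 2-3: validate the callback, redeem the code at the Access Token URL,
    then read the Response Attribute from the User Information URL. http_post(url, form)
    and http_get(url, headers) are an assumed transport interface (both return dicts)."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != cfg.redirect_url:
        raise ValueError("callback did not arrive on the registered Redirect URL")
    query = parse_qs(parsed.query)
    if not hmac.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    token = http_post(cfg.access_token_url, {
        "grant_type": "authorization_code", "code": query.get("code", [""])[0],
        "redirect_uri": cfg.redirect_url,  # must equal the value sent in step 1
        "client_id": cfg.client_id, "client_secret": cfg.client_secret})
    profile = http_get(cfg.user_information_url,
                       {"Authorization": f"Bearer {token['access_token']}"})
    if not profile.get(cfg.response_attribute):
        raise ValueError(f"user info lacks Response Attribute {cfg.response_attribute!r}")
    return profile[cfg.response_attribute]

class FakeProvider:
    """Constructed stand-in for the identity provider. It enforces what a real token
    endpoint enforces: single-use code, matching redirect_uri, correct client secret."""

    def __init__(self, cfg: OAuthConfig, profile: dict):
        self.cfg, self.profile, self.codes, self.tokens = cfg, profile, {}, set()

    def authorize(self, auth_url: str) -> str:
        # Simulate the user consenting: issue a code and redirect to redirect_uri.
        q = parse_qs(urlparse(auth_url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"][0]
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def post(self, url: str, form: dict) -> dict:
        if url != self.cfg.access_token_url or form["client_secret"] != self.cfg.client_secret:
            raise PermissionError("invalid_client")
        if self.codes.pop(form["code"], None) != form["redirect_uri"]:
            raise PermissionError("invalid_grant")  # unknown, reused, or wrong redirect_uri
        token = secrets.token_urlsafe(16)
        self.tokens.add(token)
        return {"access_token": token, "token_type": "Bearer"}

    def get(self, url: str, headers: dict) -> dict:
        bearer = headers.get("Authorization", "").removeprefix("Bearer ")
        if url != self.cfg.user_information_url or bearer not in self.tokens:
            raise PermissionError("invalid_token")
        return dict(self.profile)

def demo_login(cfg=OFFICE365, profile=None, tamper_state=False) -> str:
    """Full login against the fake provider; returns the resolved login identity."""
    provider = FakeProvider(cfg, profile or {"mail": "alice@example.com"})
    state = secrets.token_urlsafe(32)
    callback = provider.authorize(build_authorization_url(cfg, state))
    if tamper_state:  # a callback that does not carry this session's state value
        callback = callback.replace(state, secrets.token_urlsafe(32))
    return complete_login(cfg, callback, state, provider.post, provider.get)

def failure_reason(**kwargs) -> str:
    # Run demo_login and return the rejection message ('' when the login succeeds).
    try:
        demo_login(**kwargs)
        return ""
    except (ValueError, PermissionError) as exc:
        return str(exc)
```

FakeProvider rejects a reused code and a redirect_uri that differs from the one used in step 1, which is why the Redirect URL registered in the portal and the one entered in Apex must be identical.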

For Mobile

Prerequisites to be performed in Office 365

  1. Log into Office 365 using https://apps.dev.microsoft.com/.
    Figure: Office 365 Login Screen

  2. Enter your Office 365 credentials and log in to the portal. The My Applications page is displayed.
    Figure: My Applications page

    Note

    Under Converged Applications you can configure both Office 365 and Azure. Under Azure AD only Applications you can configure only Azure.

  3. Click Add an app under Converged Applications. The Register your application pop-up page is displayed.
    Figure: Register your Application pop-up page

  4. Specify a name for the application and click Create. The Application ID is displayed.
    Figure: Office 365 Page

    Note

    The Application ID displayed here is the Client ID to be used in the application.

  5. Click Generate New Password. A new password is generated and displayed in the pop-up page. This is the only time the password is displayed. Store it securely.
    Figure: New Password generated pop-up page

    Note

    The Password generated here is the Client Secret Key in the application.

  6. Click Add Platform under the Platforms section. The Add Platform pop-up page is displayed.
    Figure: Add Platform Pop-up page

  7. On the Add Platform pop-up page, select Web.

  8. Specify the Redirect URL. This URL is your Apex Web Application login URL (Example: https://baseurl/Apex_Weblogin.aspx).

    Note

    • The Redirect URL you provide here should be entered in the Redirect URL field in the application.

    • The Delegated Permissions (user.read) displayed in the Microsoft Graph Permissions section should be entered in the Scope field of the application.

    Figure: Microsoft Graph Permissions section

  9. Click SAVE after all the above actions are performed.
    Figure: Office 365 page

Configuration in Apex Application

To configure SSO for Office 365 from Apex, perform the following steps:

  1. Select Admin > Infrastructure > SSO Configuration. The SSO Configuration page is displayed.

  2. On the SSO Configuration page, select OAuth under the Authentication Type and click Add New on the Actions Panel.

    Figure: SSO Configuration: OAuth_Office 365

  3. Specify the required details and click Submit. For more details about the fields on the SSO Configuration page, see Field Description.

Field Description

The following table describes the fields on the SSO Configuration page:

Fields

Description

Domain

Select the domain name from the list. The OAuth based authentication will be configured for the selected domain.

Note

This field is not visible for single domain users.

URL

Specify the Mobile Web Service URL. Example: https://baseurl/mobilews

Grant Type

Select the Grant Type as Authorization Code from the drop-down list.

Authorization URL

Specify the following Authorization URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Access Token URL

Specify the following Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token

Client ID

Specify the Client ID. This is the Application ID from the Office 365 portal. Refer to the Prerequisites section for more information about this field.

Client Secret Key

Specify the Client Secret Key. This is the Password generated in the Office 365 portal. Refer to the Prerequisites section for more information about this field.

User Information URL

Specify the following User Information URL:
https://graph.microsoft.com/v1.0/me

Redirect URL

Specify the Redirect URL. This is the same URL you specified in the Redirect URL field of the Office 365 portal. Example: https://baseurl/Apex_SAMLResponse.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the Scope as user.read. This is from the Delegated Permissions section of Office 365 portal.

Response Attribute

Specify the Response Attribute as mail.

User Creation

If this checkbox is enabled, a user who is not present in the Apex database but logs in to the application using the OAuth authentication method is created automatically.

Time Zone

Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user.

Note

This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.

Note

This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, .bmp.

Azure

To enable Single Sign On for Azure from Apex, the following configuration should be done in the Azure portal.

Web Application

To configure SSO for Azure from Apex, perform the following steps:

  1. Select Admin > Infrastructure > SSO Configuration. The SSO Configuration page is displayed.

  2. On the SSO Configuration page, select OAuth under the Authentication Type and click Add New on the Actions Panel.

    Figure: SSO Configuration: OAuth_Azure

  3. Specify the required details and click Submit. For more details about the fields on the SSO Configuration page, see Field Description.

Field Description

The following table describes the fields on the SSO Configuration page:

Fields

Description

Domain

Select the domain name from the list. The Azure OAuth based authentication will be configured for the selected domain.

Note

This field is not visible for single domain users.

URL

Specify the Mobile Web Service URL. Example: https://baseurl/mobilews

Grant Type

Select the Grant Type as Authorization Code from the drop-down list.

Authorization URL

Specify the following Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Access Token URL

Specify the following Access Token URL:
https://graph.microsoft.com

Client ID

Specify the Client ID. This is the Application ID from the Azure portal. Refer to the Prerequisites section for more information about this field.

Client Secret Key

Specify the Client Secret Key. This is the Password generated in the Azure portal. Refer to the Prerequisites section for more information about this field.

User Information URL

Specify the following User Information URL:
https://graph.microsoft.com/v1.0/me

Redirect URL

Specify the Redirect URL. This is the same URL you specified in the Redirect URL field of the Azure portal. Example: https://baseurl/Apex_SAMLResponse.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the Scope as user.read.

Response Attribute

Specify the Response Attribute as userPrincipalName.

Note

When the Response Attribute field is configured as userPrincipalName and Azure returns the user name as an Email ID, you must configure the key <add key="ConfigureOAuthLoginType" value="W" /> in the Web.Config file.

User Creation

If this checkbox is enabled, a user who is not present in the Apex database but logs in to the application using the Azure OAuth authentication method is created automatically.

Time Zone

Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user.

Note

This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.

Note

This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, .bmp.
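How the Response Attribute, User Creation, Time Zone and Template Name fields combine when a login arrives, as an added example (not Apex code; ApexUser and UserDirectory are assumed stand-ins for the Apex user table): an existing user is matched by the attribute value, an unknown user is created with the configured time zone and role template only when User Creation is enabled, and every other case is rejected and recorded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProvisioningConfig:
    """The SSO Configuration fields that decide who may log in and who gets created."""
    response_attribute: str  # "mail" (Office 365) or "userPrincipalName" (Azure)
    user_creation: bool      # the User Creation checkbox
    time_zone: str = ""      # assigned to newly created users
    template_name: str = ""  # role template assigned to newly created users


@dataclass
class ApexUser:
    login: str
    time_zone: str
    template_name: str
    auto_provisioned: bool = False


class UserDirectory:
    """Constructed in-memory stand-in for the Apex user table (assumption, not
    Apex code). Logins are keyed case-insensitively, as e-mail and UPN are."""

    def __init__(self, users):
        self.users = {u.login.lower(): u for u in users}
        self.audit = []  # one record per login decision, for review and alerting

    def resolve_login(self, cfg: ProvisioningConfig, profile: dict) -> ApexUser:
        """Map the provider's user-info response to an Apex user, or reject."""
        value = profile.get(cfg.response_attribute)
        if not isinstance(value, str) or not value.strip():
            self.audit.append(("rejected", "?", f"{cfg.response_attribute} missing"))
            raise PermissionError(
                f"provider did not return Response Attribute {cfg.response_attribute!r}")
        login = value.strip().lower()
        user = self.users.get(login)
        if user is not None:
            self.audit.append(("login", login, "existing user"))
            return user
        if not cfg.user_creation:
            self.audit.append(("rejected", login, "unknown user, User Creation disabled"))
            raise PermissionError(f"{login} is not an Apex user and User Creation is disabled")
        if not cfg.time_zone or not cfg.template_name:
            raise ValueError("User Creation needs Time Zone and Template Name")
        user = ApexUser(login, cfg.time_zone, cfg.template_name, auto_provisioned=True)
        self.users[login] = user
        self.audit.append(("created", login, f"template={cfg.template_name}"))
        return user

    def decision(self, cfg: ProvisioningConfig, profile: dict) -> str:
        """Same logic summarised as one string: 'login', 'created' or 'rejected: ...'."""
        before = len(self.users)
        try:
            self.resolve_login(cfg, profile)
        except (PermissionError, ValueError) as exc:
            return f"rejected: {exc}"
        return "created" if len(self.users) > before else "login"
```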

For Mobile

Prerequisites

Prerequisites to be performed in Azure Portal:

  1. Go to https://portal.azure.com. The login page is displayed.

  2. Login to the application with valid Azure credentials.

  3. On the menu, click Azure Active Directory, then click App Registrations.

    Figure: Azure Active Directory Menu

  4. Click New registration.
    Figure: New Application Registration Menu

  5. Specify the name and select supported account types. Click Register.
    Figure: Registering Application

  6. The application is registered and displayed in the list. Click the newly created application.
    Figure: Application Registration - OAuth Mobile

    Note

    The Application ID displayed here is the Client ID to be specified in the Apex application.

  7. Click Add a certificate or secret.
    The Certificates & secrets screen is displayed.
    Figure: Certificates & secrets

  8. Click New client secret.
    Figure: Add a client secret

  9. Enter the client secret description and expiry time. Click Add.
    Figure: Certificate & secret

  10. Click Add a Redirect URL on the Registered Application page.
    The Platform configuration screen is displayed.
    Figure: Authentication - Platform configuration

  11. Click Add a Platform.
    The Configure platforms section is displayed.
    Figure: Authentication - Configure platforms

  12. Click the Web widget in the Web application section.

  13. Specify the redirect URLs on the Configure Web screen and click Configure.
    The URL must be the Mobile App base Web Service URL with the suffix /SSO/MobileSAMLResponse.aspx.
    Figure: Configure Web

    Figure: Authentication - Redirect URL

    On completing all the configuration, the registered application screen is displayed with the Application ID, Directory ID, Client credentials, and Redirect URL (web).

Figure: OAuth Mobile - Configuration

Note

If the Azure application screens differ from the screenshots shown here, refer to the generic Azure app registration documentation for the updated information:

Link: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Alternatively, perform the prerequisites in Office 365 instead of the Azure portal:

Prerequisites to be performed in Office 365

  1. Log into Office 365 using https://apps.dev.microsoft.com/.
    Figure: Office 365 Login Screen

  2. Enter your Office 365 credentials and log in to the portal. The My Applications page is displayed.
    Figure: My Applications page

    Note:

    Under Converged Applications you can configure both Office 365 and Azure. Under Azure AD only Applications you can configure only Azure.

  3. Click Add an app under Converged Applications. The Register your application pop-up page is displayed.
    Figure: Register your Application pop-up page

  4. Specify a name for the application and click Create. The Application ID is displayed.
    Figure: Office 365 Page

    Note:

    The Application ID displayed here is the Client ID to be used in the application.

  5. Click Generate New Password. A new password is generated and displayed in the pop-up page. This is the only time the password is displayed. Store it securely.
    Figure: New Password generated pop-up page

    Note:

    The Password generated here is the Client Secret Key in the application.

  6. Click Add Platform under the Platforms section. The Add Platform pop-up page is displayed.
    Figure: Add Platform Pop-up page

  7. On the Add Platform pop-up page, select Web.

  8. Specify the Redirect URL. This URL is your Apex Web Application login URL (Example: https://baseurl/Apex_Weblogin.aspx).

    Note

    • The Redirect URL you provide here should be entered in the Redirect URL field in the application.

    • The Delegated Permissions (user.read) displayed in the Microsoft Graph Permissions section should be entered in the Scope field of the application.

    Figure: Microsoft Graph Permissions section

  9. Click SAVE after all the above actions are performed.
    Figure: Office 365 page

Configuration in application

To configure SSO for Azure from Apex, perform the following steps:

  1. Navigate to Admin > Infrastructure > SSO Configuration. The SSO Configuration page is displayed.

  2. On the SSO Configuration page, select OAuth under the Authentication Type and click Add New on the Actions Panel.

    Figure: OAuth Authentication Type

  3. Specify the required details and click Submit. For more details about the fields on the SSO Configuration page, see Field Description.

Field Description

The following table describes the fields on the SSO Configuration page:

Fields

Description

Domain

Select the domain name from the list. The Azure OAuth based authentication will be configured for the selected domain.
Note: This field is not visible for single domain users.

URL

Specify the Mobile Web Service URL. Example: https://baseurl/mobilews

Grant Type

Select the Grant Type as Authorization Code from the drop-down list.

Authorization URL

Specify the following Authorization URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize (If Configured from Office 365)
https://login.microsoftonline.com/[tenant]/oauth2/v2.0/authorize (If Configured from Azure)

Access Token URL

Specify the following Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token (If Configured from Office 365)
https://login.microsoftonline.com/[tenant]/oauth2/v2.0/token (If Configured from Azure)

Client ID

Specify the Client ID. This is the Application ID from the Azure portal. Refer to the Prerequisites section for more information about this field.

Client Secret Key

Specify the Client Secret Key. This is the Password generated in the Azure portal. Refer to the Prerequisites section for more information about this field.

User Information URL

Specify the following User Information URL:
https://graph.microsoft.com/v1.0/me

Redirect URL

Specify the Redirect URL. This is the same URL you specified in the Redirect URL field of the Azure portal. Example: https://baseurl/Apex_Weblogin.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the Scope as user.read.

Response Attribute

Specify the Response Attribute as userPrincipalName.

User Creation

If this checkbox is enabled, a user who is not present in the Apex database but logs in to the application using the Azure OAuth authentication method is created automatically.

Time Zone

Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user.

Note: This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.

Note: This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, .bmp.

Facebook

To enable Single Sign On for Facebook from Apex, the following configuration should be done in the Facebook application:

For Web Application

Prerequisites to be performed in Facebook

  1. Log into Facebook using https://developers.facebook.com/. Click Log In.
    Figure: Login Page

  2. The Facebook login page is displayed. Specify your User Name and Password and click Log In. If you do not have an account already, click Create New Account to sign up.
    Figure: Facebook Login Screen

  3. On the top right corner, hover your mouse over My Apps, and then click Add a New App.
    Figure: Add a New App

  4. The Create a New App ID pop-up page is displayed. Specify a Display Name and Contact Email, and then click Create App ID.
    Figure: Create App ID page

  5. You are redirected to the Dashboard page. The App ID is displayed on the top left corner of the page. Click Show to view the App Secret.

    Note:

    • The App ID displayed here should be entered in the Client ID field of the application.

    • The App Secret displayed here should be entered in the Client Secret Key field of the application.

    Figure: Dashboard page

  6. Click Settings > Basic. Specify the required information in the fields. Select the Category as Utility & Productivity.
    Figure: Settings page

  7. Click Add Platform. The Select Platform pop-up page is displayed. Select Website.
    Figure: Select Platform Page

  8. Specify the Site URL and click Save Changes.
    Figure: Basic Settings page

  9. Click Advanced and Allow API Access to App Settings.
    Figure: Advanced Settings Page

  10. Click Save Changes.

  11. Click App Review and make your app Public by clicking Yes.
    Figure: App Review Page

  12. Click Add Product and select Facebook Login.
    Figure: Add Product

  13. Under the Valid OAuth redirect URLs section, specify a Redirect URL.
    Figure: Redirect URL

    Note:

    The Redirect URL specified here should be entered in the Redirect URL field of the application.

Configuration in application

To configure SSO for Facebook from Apex, perform the following steps:

  1. Select Admin > Infrastructure > SSO Configuration. The SSO Configuration page is displayed.

  2. On the SSO Configuration page, select OAuth under the Authentication Type and click Add New on the Actions Panel.

  3. Specify the required details and click Submit. For more details about the fields on the SSO Configuration page, see Field Description.

Field Description

The following table describes the fields on the SSO Configuration page:

Fields

Description

Domain

Select the domain name from the list. The Facebook OAuth based authentication will be configured for the selected domain.
Note: This field is not visible for single domain users.

URL

Specify the Mobile Web Service URL. Example: https://baseurl/mobilews

Grant Type

Select the Grant Type as Authorization Code from the drop-down list.

Authorization URL

Specify the following Authorization URL:
https://www.facebook.com/dialog/oauth

Access Token URL

Specify the following Access Token URL:
https://graph.facebook.com/v2.9/oauth/access_token

Client ID

Specify the Client ID. This is the App ID from the Facebook portal. Refer to the Prerequisites section for more information about this field.

Client Secret Key

Specify the Client Secret Key. This is the App Secret displayed in the Facebook portal. Refer to the Prerequisites section for more information about this field.

User Information URL

Specify the following User Information URL:
https://graph.facebook.com/v2.9/me?fields=id,name,email

Redirect URL

Specify the Redirect URL. This is the same URL you specified in the Redirect URL field of the Facebook portal. Example: https://baseurl/Apex_SAMLResponse.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the Scope as email,public_profile.

Response Attribute

Specify the Response Attribute as email.

User Creation

If this checkbox is enabled, a user who is not present in the Apex database but logs in to the application using the Facebook OAuth authentication method is created automatically.

Time Zone

Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user.

Note: This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.

Note: This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, .bmp.

For Mobile

Prerequisites to be performed in Facebook

  1. Log into Facebook using https://developers.facebook.com/. Click Log In.
    Figure: Login Page

  2. The Facebook login page is displayed. Specify your User Name and Password and click Log In. If you do not have an account already, click Create New Account to sign up.
    Figure: Facebook Login Screen

  3. On the top right corner, hover your mouse over My Apps, and then click Add a New App.
    Figure: Add a New App

  4. The Create a New App ID pop-up page is displayed. Specify a Display Name and Contact Email, and then click Create App ID.
    Figure: Create App ID page

  5. You are redirected to the Dashboard page. The App ID is displayed on the top left corner of the page. Click Show to view the App Secret.

    Note:

    • The App ID displayed here should be entered in the Client ID field of the application.

    • The App Secret displayed here should be entered in the Client Secret Key field of the application.

    Figure: Dashboard page

  6. Click Settings > Basic. Specify the required information in the fields. Select the Category as Utility & Productivity.
    Figure: Settings page

  7. Click Add Platform. The Select Platform pop-up page is displayed. Select Website.
    Figure: Select Platform Page

  8. Specify the Site URL and click Save Changes.
    Figure: Basic Settings page

  9. Click Advanced and Allow API Access to App Settings.
    Figure: Advanced Settings Page

  10. Click Save Changes.

  11. Click App Review and make your app Public by clicking Yes.
    Figure: App Review Page

  12. Click Add Product and select Facebook Login.
    Figure: Add Product

  13. Under the Valid OAuth redirect URLs section, specify a Redirect URL.
    Figure: Redirect URL

    Note:

    The Redirect URL specified here should be entered in the Redirect URL field of the application.

Configuration in application

To configure SSO for Facebook from Apex, perform the following steps:

  1. Select Admin > Infrastructure > SSO Configuration. The SSO Configuration page is displayed.

  2. On the SSO Configuration page, select OAuth under the Authentication Type and click Add New on the Actions Panel.

  3. Specify the required details and click Submit. For more details about the fields on the SSO Configuration page, see Field Description.

Field Description

The following table describes the fields on the SSO Configuration page:

Fields

Description

Domain

Select the domain name from the list. The Facebook OAuth based authentication will be configured for the selected domain.
Note: This field is not visible for single domain users.

URL

Specify the Mobile Web Service URL. Example: https://baseurl/mobilews

Grant Type

Select the Grant Type as Authorization Code from the drop-down list.

Authorization URL

Specify the following Authorization URL:
https://www.facebook.com/dialog/oauth

Access Token URL

Specify the following Access Token URL:
https://graph.facebook.com/v2.9/oauth/access_token

Client ID

Specify the Client ID. This is the App ID from the Facebook portal. Refer to the Prerequisites section for more information about this field.

Client Secret Key

Specify the Client Secret Key. This is the App Secret displayed in the Facebook portal. Refer to the Prerequisites section for more information about this field.

User Information URL

Specify the following User Information URL:
https://graph.facebook.com/v2.9/me?fields=id,name,email

Redirect URL

Specify the Redirect URL. This is the same URL you specified in the Redirect URL field of the Facebook portal. Example: https://baseurl/Apex_SAMLResponse.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the Scope as email,public_profile.

Response Attribute

Specify the Response Attribute as email.

User Creation

If this checkbox is enabled, a user who is not present in the Apex database but logs in to the application using the Facebook OAuth authentication method is created automatically.

Time Zone

Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user.

Note: This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.

Note: This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, .bmp.

Okta

To enable Single Sign On for Okta from Apex, the following configuration should be done in the Okta portal.

For Web Application

Prerequisites to be performed in Okta Portal

  1. Sign up in the Okta portal using https://www.okta.com/developer/signup/.
    Figure: Sign up

  2. Click Get Started. Your login URL is displayed. Log in to Okta using this URL. You will receive a confirmation mail. Set your password by clicking the link in this mail.
    Figure: Okta URL

  3. Specify your User Name and Password and click Sign In.
    Figure: Okta Login page

  4. On the top menu, select Security > API.
    Figure: Security Menu

  5. On the API page, click Authorization Servers.
    Figure: API Page

  6. On the Add Authorization Server pop-up page, specify Name, Audience, and Description. For more information about these fields, refer to https://developer.okta.com/authentication-guide/implementing-authentication/set-up-authz-server.html.
    Figure: Add Authorization URL pop-up page

  7. Under the Settings section, the Issuer field is displayed. Store this URL securely.
    Figure: Settings section

    Note:

    The Issuer URL displayed here should be entered in the Authorization URL, Access Token URL, and User Information URL fields of the application.

  8. Select Access Policies and click Add Policy. The Add Policy pop-up page is displayed.
    Figure: Add Policies pop-up page

  9. On the Add Policy pop-up page, specify the Name and Description and click Create Policy.
    Figure: Add Policy page

  10. On the Add New Access Policy page, click Add Rule.
    Figure: Add New Access Policy Page

  11. On the Add Rule pop-up page, specify the Rule Name and click Create Rule.
    Figure: Add Rule pop-up page

  12. On the top menu, hover your mouse over Applications and select Applications.
    Figure: Applications

  13. On the Applications page, click Add Application and then click Create New App.
    Figure: Add Application

  14. On the Create New Application pop-up page, select the platform as Web and the Sign On Method as OpenID Connect.
    Figure: Create New App page

  15. On the Create OpenID page, specify the Application Name and the Redirect URL.
    Figure: Create OpenID page

    Note:

    The Redirect URL specified here should be entered in the Redirect URL field of the application.

  16. On the General Settings page, click Edit and select all the available options under Allowed grant types. The Client ID and Client Secret are displayed under the Client Credentials section. Store them securely.
    Figure: General Settings page

    Note:

    The Client ID and Client Secret displayed here should be entered in the Client ID and Client Secret Key fields of the application.

  17. You can add multiple People or Groups to the application under the Assignments section.
    Figure: Add Assignment page

Configuration in application

To configure SSO for Okta from the application, perform the following steps:

  1. Navigate to Admin > Infrastructure > SSO Configuration. The SSO Configuration page is displayed.

  2. On the SSO Configuration page, select OAuth under the Authentication Type and click Add New on the Actions Panel.

  3. Specify the required details and click Submit. For more details about the fields on the SSO Configuration page, see Field Description.

Field Description

The following table describes the fields on the SSO Configuration page:

Fields

Description

Domain

Select the domain name from the list. The OAuth based authentication will be configured for the selected domain.
Note: This field is not visible for single domain users.

URL

Specify the Mobile Web Service URL. Example: https://baseurl/mobilews

Grant Type

Select the Grant Type as Authorization Code from the drop-down list.

Authorization URL

Specify the following Authorization URL, where urlfromoktaportal is the Issuer URL noted in the Okta portal:
urlfromoktaportal/v1/authorize

Access Token URL

Specify the following Access Token URL, where urlfromoktaportal is the Issuer URL noted in the Okta portal:
urlfromoktaportal/v1/token

Client ID

Specify the Client ID. This is the Client ID displayed under Client Credentials in the Okta portal. Refer to the Prerequisites section for more information about this field.

Client Secret Key

Specify the Client Secret Key. This is the Client Secret displayed under Client Credentials in the Okta portal. Refer to the Prerequisites section for more information about this field.

User Information URL

Specify the following User Information URL, where urlfromoktaportal is the Issuer URL noted in the Okta portal:
urlfromoktaportal/userinfo

Redirect URL

Specify the Redirect URL. This is the same URL you have specified in the Redirect URL field of Okta portal. Eg: https://baseurl/Apex_SAMLResponse.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the scope as openid email profile address phone offline_access.

Response Attribute

Specify the Response Attribute as email.

User Creation

If this checkbox is enabled, a user who is not present in the Apex database but signs in through Okta authentication is created automatically.

Time Zone

Select the timezone from the drop-down list. The selected timezone will be assigned to the newly created user.
Note: This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.

Note: This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, .bmp.

For Mobile

Prerequisites to be performed in Okta Portal

  1. Sign up in Okta portal using https://www.okta.com/developer/signup/.
     Figure: Sign up

  2. Click Get Started. Your login URL is displayed. Log in to Okta using this URL. You will receive a confirmation mail; set your password by clicking the link in that mail.
     Figure: Okta URL

  3. Specify your User Name and Password and click Sign In.
     Figure: Okta Login page

  4. On the top menu, select Security > API.
     Figure: Security Menu

  5. On the API page, click Authorization Servers.
     Figure: API Page

  6. On the Add Authorization Server pop-up page, specify Name, Audience, and Description. For more information about these fields, refer to https://developer.okta.com/authentication-guide/implementing-authentication/set-up-authz-server.html.
     Figure: Add Authorization URL Pop-up page

  7. Under the Settings section, the Issuer field is displayed. Store this URL securely.
     Figure: Settings section

Note:

The Issuer URL displayed here is the base of the Authorization URL, Access Token URL, and User Info URL values entered in the application (see Field Description).

  8. Select Access Policies and click Add Policy. The Add Policy pop-up page is displayed.
     Figure: Add Policies pop-up page

  9. On the Add Policy pop-up page, specify the Name and Description and click Create Policy.
     Figure: Add Policy page

  10. On the Add New Access Policy page, click Add Rule.
      Figure: Add New Access Policy Page

  11. On the Add Rule pop-up page, specify the Rule Name and click Create Rule.
      Figure: Add Rule Pop-up page

  12. On the top menu, hover your mouse over Applications and select Applications.
      Figure: Applications

  13. On the Applications page, click Add Application and then click Create New App.
      Figure: Add Application

  14. On the Create New Application pop-up page, select the platform as Web and Sign On Method as OpenID Connect.
      Figure: Create New App page

  15. On the Create OpenID page, specify the Application Name and the Redirect URL.
      Figure: Create OpenID page

Note:

The Redirect URL specified here should be entered in the Redirect URL field of the application.

  16. On the General Settings page, click Edit and select all the available options under Allowed grant types. The Client ID and Client Secret are displayed under the Client Credentials section. Store them securely.
      Figure: General Settings page

Note:

The Client ID and Client Secret displayed here should be entered in the Client Id and Client Secret Key fields of the application.

  17. You can add multiple People or Groups to the application under the Assignments section.
      Figure: Add Assignment page

Configuration in application

To configure SSO for Okta from Apex, perform the following steps:

  1. Select Admin > Basic > Infrastructure > SSO Configuration. The SSO Configuration page is displayed.

  2. On the SSO Configuration page, select OAuth under the Authentication Type and click Add New on the Actions Panel.

  3. Specify the required details and click Submit. For more details about the fields on the SSO Configuration page, see Field Description.

Field Description

The following table describes the fields on the SSO Configuration page:

Fields

Description

Domain

Select the domain name from the list. The OAuth based authentication will be configured for the selected domain.
Note: This field is not visible for single domain users.

URL

Specify the Mobile Web Service URL. Example: https://baseurl/mobilews

Grant Type

Select the Grant Type as Implicit from the drop-down list.

Authorization URL

Specify the following Authorization URL, where urlfromoktaportal is the Issuer URL noted in the Okta portal:
urlfromoktaportal/v1/authorize

Access Token URL

Specify the following Access Token URL, where urlfromoktaportal is the Issuer URL noted in the Okta portal:
urlfromoktaportal/v1/token

Client ID

Specify the Client ID. This is the Client ID displayed under Client Credentials in the Okta portal. Refer to the Prerequisites section for more information about this field.

Client Secret Key

Specify the Client Secret Key. This is the Client Secret displayed under Client Credentials in the Okta portal. Refer to the Prerequisites section for more information about this field.

User Information URL

Specify the following User Information URL, where urlfromoktaportal is the Issuer URL noted in the Okta portal:
urlfromoktaportal/v1/userinfo

Redirect URL

Specify the Redirect URL. This is the same URL you have specified in the Redirect URL field of Okta portal. Eg: https://baseurl/Apex_Weblogin.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the scope as openid email profile address phone offline_access.

Response Attribute

Specify the Response Attribute as email.

User Creation

If this checkbox is enabled, a user who is not present in the Apex database but signs in through Okta authentication is created automatically.

Time Zone

Select the timezone from the drop-down list. The selected timezone will be assigned to the newly created user.
Note: This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.

Note: This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, .bmp.
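The Okta settings described for Web and Mobile above (URLs derived from the Issuer, the Grant Type, the Scope, the Redirect URL and the email Response Attribute), as an added Python illustration. This is not Apex or Okta code; the issuer, client ID and userinfo reply are constructed sample values, and baseurl is the page's own placeholder.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values; the real ones come from the Okta portal and the
# SSO Configuration page. "baseurl" is the page's placeholder for the Apex host.
ISSUER = "https://dev-000000.okta.com/oauth2/default"      # Issuer field (Settings section)
CLIENT_ID = "0oa-constructed-client-id"                      # Client Credentials section
REDIRECT_URL = "https://baseurl/Apex_SAMLResponse.aspx"      # Redirect URL field (Web)
SCOPE = "openid email profile address phone offline_access"  # Scope field on this page

def okta_endpoints(issuer):
    """Derive the three URL fields of the SSO Configuration page from the Issuer URL."""
    base = issuer.rstrip("/")
    return {
        "authorization_url": base + "/v1/authorize",
        "access_token_url": base + "/v1/token",
        "user_info_url": base + "/v1/userinfo",
    }

def build_authorize_url(issuer, client_id, redirect_url, grant_type="Authorization Code"):
    """Build the front-channel request for the Grant Type chosen on the page.
    Authorization Code (Web) asks for a code; Implicit (Mobile) asks for the
    tokens directly and therefore also carries a nonce. A fresh state value is
    returned so the callback can be tied to this request."""
    response_type = {"Authorization Code": "code", "Implicit": "id_token token"}[grant_type]
    state = secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": response_type,
              "redirect_uri": redirect_url, "scope": SCOPE, "state": state}
    if grant_type == "Implicit":
        params["nonce"] = secrets.token_urlsafe(16)
    return okta_endpoints(issuer)["authorization_url"] + "?" + urlencode(params), state

def parse_callback(callback_url, expected_state, redirect_url):
    """Check the redirect back from Okta: it must land on the registered Redirect
    URL and echo the state that was issued; only then is the code returned."""
    parsed = urlparse(callback_url)
    if parsed._replace(query="", fragment="").geturl() != redirect_url:
        raise ValueError("callback did not arrive on the registered Redirect URL")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response discarded")
    if "error" in query:
        raise ValueError("authorization server error: " + query["error"][0])
    return query["code"][0]

def response_attribute(userinfo_json, attribute="email"):
    """Read the Response Attribute (email on this page) from the User Information
    URL reply; this is the value Apex uses to identify the signed-in user."""
    claims = json.loads(userinfo_json)
    value = claims.get(attribute)
    if not value:
        raise KeyError("userinfo reply carries no %r claim" % attribute)
    return value

if __name__ == "__main__":
    url, state = build_authorize_url(ISSUER, CLIENT_ID, REDIRECT_URL)
    # Constructed callback and userinfo reply standing in for Okta's responses.
    code = parse_callback(REDIRECT_URL + "?code=constructed-code&state=" + state, state, REDIRECT_URL)
    print(url, code, response_attribute('{"sub": "00u1", "email": "jdoe@example.com"}'))
```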

Ping Federate

To enable Single Sign-On for Ping Federate from Apex, complete the following configuration in the Ping Federate portal.

Prerequisites to be performed in Ping Federate Portal

  1. Login to Ping Federate server.
     Figure Login Screen

  2. On the Server Configuration tab, click Server Settings.
     Figure Server Configuration

  3. On the Server Settings page, configure the tabs as shown below:

System Administration

Figure System Administration tab 

System Info

Figure System Info tab 

Runtime Notifications

Figure Runtime Notifications tab

Runtime Reporting

Figure Runtime Reporting tab

Account Management

Figure Account Management tab

Roles & Protocols

Make sure that Enable OAUTH 2.0 Authorization Server (AS) Role is selected.

Figure Roles & Protocols tab

Federation Info

Figure Federation Info tab

System Options

Figure System Options tab

Metadata Signing

Figure:  Metadata Signing tab

Metadata Lifetime

Figure Metadata Lifetime tab

Summary

Figure Summary tab 

  4. On the Server Configuration page, click Data Stores.
     Figure Data Stores

  5. On the Manage Data Stores page, click Add New Data Store.
     Figure Manage Data Stores

  6. On the Data Store page, configure the tabs as shown below:

Data Store Type

Select the Data Store Type as LDAP.

Figure Data Store Type tab

LDAP Configuration

Provide your LDAP Credentials.

Figure LDAP Configuration tab

Summary

Figure Summary tab

  7. On the Server Configuration page, click Active Directory Domains/Kerberos Realms.

  8. On the Manage AD Domains/Kerberos Realms page, click Add Domain/Realm.
     Figure Add Domain/Realm

Note

To check the configuration, click Test Domain/Realm Connectivity. You should receive a Test Successful message if your configuration is correct.

  9. On the Manage Domain/Realm page, specify the Domain Name, Username and Password.
     Figure: Manage Domain/Realm page

  10. On the Server Configuration page, click Password Credential Validators.
      Figure Password Credential Validators

  11. On the Password Credential Validators page, click Create New Instance.
      Figure Create New Instance

  12. On the Create Credential Validator Instance page, configure the tabs as shown below:

Type

Figure Type

Instance Configuration

Specify the Search Filter as (|(sAMAccountName=${username})(userPrincipalName=${username})) 

Figure Instance Configuration tab

Extended Contract

Add sAMAccountName and userPrincipalName under Extend the Contract.

Figure Extended Contract tab

Summary

Figure Summary
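An added illustration of what the Search Filter above does once the validator substitutes ${username}: a user may sign in with either sAMAccountName or userPrincipalName (the two attributes added under Extend the Contract), and the typed value must be escaped so it is matched literally. This is not Ping Federate's code; the directory entries are constructed, and the escaping step is an assumption of the example, not a description of the product's internals.

```python
import re

# Search Filter exactly as this page gives it for the Password Credential Validator.
SEARCH_FILTER = "(|(sAMAccountName=${username})(userPrincipalName=${username}))"

# RFC 4515 escapes: these characters are filter syntax, so a typed-in name
# must carry them as hex escapes to remain a literal value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_TERM = re.compile(r"\((\w+)=([^()]*)\)")

# Constructed directory entries standing in for the LDAP data store.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example",
     "mail": "jdoe@corp.example"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@corp.example",
     "mail": "asmith@corp.example"},
]

def escape_filter_value(value):
    """Escape a user-supplied value before it is placed into a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template, username):
    """Substitute ${username} into the template with escaping applied (assumed step)."""
    return template.replace("${username}", escape_filter_value(username))

def _unescape(value):
    """Turn hex escapes back into the literal characters a server would compare."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def find_user(entries, username, template=SEARCH_FILTER):
    """Evaluate the expanded filter (an OR of equality tests, the shape used on
    this page) against the entries and return the single matching entry, or None.
    With escaping in place a typed '*' is compared literally and matches nobody,
    whereas an unescaped '*' would be a wildcard that matches every account."""
    expanded = expand_filter(template, username)
    if not expanded.startswith("(|"):
        raise ValueError("only a single OR filter is supported here")
    terms = [(attr, _unescape(val)) for attr, val in _TERM.findall(expanded)]
    hits = [e for e in entries if any(e.get(attr) == val for attr, val in terms)]
    if len(hits) > 1:
        raise LookupError("ambiguous account name: %r" % username)
    return hits[0] if hits else None

if __name__ == "__main__":
    print(expand_filter(SEARCH_FILTER, "jdoe"))
    print(find_user(DIRECTORY, "asmith@corp.example"))   # matched via userPrincipalName
    print(find_user(DIRECTORY, "*"))                      # None: the asterisk is literal
```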

  13. On the Identity Provider page, click Adapters.
      Figure Adapters

  14. On the Manage IDP Adapter Instances page, click Create New Instance.
      Figure Manage IDP Adapter Instances

  15. On the Create Adapter Instance page, configure the tabs as shown below:

Type

Select Type as HTML Form IdP Adapter.

Figure Adapter Type

IDP Adapter

Select Password Credential Validator Instance as Password Validator and click Update under Action.

Figure IDP Adapter

Extended Contract

Under Extend the Contract, add domainusername and email.

Figure Extended Contract

Adapter Attributes

Figure Adapter Attributes

Adapter Contract Mapping

Figure Adapter Contract Mapping

Summary

Figure Summary 

  16. On the OAuth Server page, click Create New under Clients.
      Figure OAuth Server page

  17. On the Client page, configure the tabs as shown below:
      Figure Client page

Note

  • Client ID: The Client ID you enter above should be entered in the Client ID field of the application.

  • Client Secret: The Client Secret generated above should be entered in the Client Secret Key field of the application.

  • Redirect URL: The Redirect URL you enter above should be entered in the Redirect URL field of the application. Example: https://baseurl/Apex_Samlresponse.aspx for Web Application and https://baseurl/Apex_Weblogin.aspx for Mobile Application.

  18. On the OAuth Server page, click Access Token Management under Token Mapping.
      Figure Access Token Management

  19. On the Access Token Management page, click Create New Instance.
      Figure Create New Instance

  20. On the Create Access Token Management Instance page, configure the tabs as shown below:

Type

Select the Type as Internally Managed Reference Tokens.

Figure Access Token Type

Instance Configuration

Figure Instance Configuration

Session Validation

Figure Session Validation

Access Token Attribute Contract

Under Extend the Contract, add domainusername, email, group, username.

Figure Access Token Attribute Contract

Resource URLs

Figure Resource URLs

Access Control

Figure Access Control

Summary

Figure Summary

  21. On the OAuth Server page, click IDP Adapter Mapping.
      Figure:  IDP Adapter Mapping

  22. On the IDP Adapter Mapping page, select HTML Form Adapter from the drop-down list and click Add Mapping. Click Save.
      Figure:  Add Mapping

  23. The Summary page of IDP Adapter Mapping is displayed.
      Figure IDP Adapter Summary

  24. On the OAuth Server page, click Access Token Mapping.
      Figure Access Token Mapping

  25. On the Access Token Attribute Mapping page, select Context as HTML Form Adapter and Access Token Manager as actoken, then click Add Mapping. Click Save.
      Figure Access Token Attribute Mapping

  26. The Summary page of Access Token Attribute Mapping is displayed.
      Figure Summary

  27. On the OAuth Server page, click Authorization Server Settings.
      Figure Authorization Server Settings

  28. Configure the Authorization Server Settings page as shown below:
      Figure Authorization Server Settings

  29. On the OAuth Server page, click Scope Management.
      Figure Scope Management

  30. On the Common Scopes tab, add email under Scope Value.
      Figure Common Scopes

  31. On the OAuth Server page, click OpenID Connect Policy Management.
      Figure OpenID Connect Policy Management

  32. On the Policy Management page, click Add Policy.
      Figure Add Policy

  33. On the Policy Management page, configure the tabs as shown below:

Manage Policy

Figure Manage Policy

Attribute Contract

Figure Attribute Contract

Attribute Scopes

Figure Attribute Scopes

Attribute Sources & User Lookup

Figure Attribute Sources & User Lookup

Contract Fulfillment

Figure Contract Fulfillment

Issuance Criteria

Figure Issuance Criteria

Summary

Figure Summary

Configuration in application

To configure SSO for Ping Federate from Apex, perform the following steps:

  1. Select Admin > Infrastructure > SSO Configuration. The SSO Configuration page is displayed.

  2. On the SSO Configuration page, select OAuth under the Authentication Type and click Add New on the Actions Panel.

  3. Specify the required details and click Submit. For more details about the fields on the SSO Configuration page, see Field Description.

Field Description

The following table describes the fields on the SSO Configuration page:

Fields

Description

Domain

Select the domain name from the list. The OAuth based authentication will be configured for the selected domain.
Note: This field is not visible for single domain users.

URL

Specify the Web Service URL. Example: https://baseurl/Apexweblogin.aspx

Grant Type

Select the Grant Type as Authorization Code from the drop-down list.

Authorization URL

Specify the Authorization URL:
Example: https://pingfederatebaseurl/as/authorization.oauth2

Access Token URL

Specify the Access Token URL:
Example: https://pingfederatebaseurl/as/token.oauth2

Client ID

Specify the Client ID. This is the Client ID from Ping Federate Server. Refer to Prerequisites section for more information about this field.

Client Secret Key

Specify the Client Secret Key. This is the Client Secret generated from Ping Federate Server. Refer to Prerequisites section for more information about this field.

User Information URL

Specify the User Information URL:
Example: https://pingfederatebaseurl/idp/userinfo.openid

Redirect URL

Specify the Redirect URL. This is the same URL you have specified in the Redirect URL field of Ping Federate Server.
For Web: Example: https://baseurl/Apex_SAMLResponse.aspx
For Mobile: Example: https://baseurl/Apex_Weblogin.aspx

ACS URL

Specify the ACS URL.

Include ACS URL

If selected, the ACS URL is included.

Scope

Specify the Scope as openid email.

Response Attribute

Specify the Response Attribute as email.

User Creation

If this checkbox is enabled, a user who is not present in the Apex database but signs in through this OAuth authentication method is created automatically.

Time Zone

Select the timezone from the drop-down list. The selected timezone will be assigned to the newly created user.
Note: This field is displayed only when the User Creation checkbox is enabled.

Template Name

Select the role template from the list. The selected role template will be assigned to the newly created user.

Note: This field is displayed only when the User Creation checkbox is enabled.

Logo

Upload a logo. The uploaded logo is displayed on the Login Screen. The logo image width should be less than 300px and height should be less than 48px. Supported Image formats are .gif, .jpeg, .jpg, .png, .bmp.

Actions

This section explains all the icons displayed on the Actions panel of the SSO Configuration page.

SHOW LIST

Click SHOW LIST to display the LIST table showing all the SSO Configurations in the application for OAuth based authentications.

Filters

On the Filters pop-up page, select a domain name from the list and then click Submit. A list of OAuth based authentications configured for the selected domain is displayed.

Add New

Click Add New to configure a new OAuth based authentication for a domain.