Help with Okta setup

Product: PowerShell Universal
Version: 2.9.2

Hey PSU folks,

I have forms authentication set up and working fine, but my Security team wants me to upgrade to using Okta. Unfortunately I don’t have any expertise in things like Okta, OIDC, SAML, etc., but we do have an Okta expert on staff that I’m working with. Looking at OpenID Connect - PowerShell Universal it seems pretty simple. Our Okta admin creates the app, we add stuff to our appsettings.json, and restart the PowerShell Universal service. But we can’t seem to get it working :frowning:

Is there more to it? Do I also have to set up OpenID as an authentication method and disable forms authentication?

In the Okta config:

  • If the PSU Url is https://ud-dev.domain.com/*, then what should we enter for the Sign-in redirect URI?
  • The documentation does not state this, but our Okta admin is asking do we need to configure anything for the Initiate login URI?

Is the CallbackPath correct in my appsettings.json file? Anything off here?

  "Kestrel": {
    "Endpoints": {
      "HTTP": {
        "Url": "http://*:80"
      },
      "HTTPS": {
        "Url": "https://*:443",
        "Certificate": {
          "Subject": "*.<domain>.com",
          "Store": "My",
          "Location": "LocalMachine"
        }
      }
    },
    "RedirectToHttps": "true"
  },

  "ApplicationInsights": {
    "InstrumentationKey": "<key>"
  },

  "OIDC": {
    "Enabled": "true",
    "CallbackPath": "/authorization-code/callback",
    "ClientID": "<ID>",
    "ClientSecret": "<Secret>",
    "Resource": "",
    "Authority": "https://<domain>.okta.com",
    "ResponseType": "code",
    "SaveTokens": "true",
    "CorrelationCookieSameSite": "",
    "UseTokenLifetime": true,
    "Scope": "openid profile groups",
    "GetUserInfo": true
  }

Thanks in advance, as I’m not really sure where to go with it from here.
Rob

Your appsettings.json looks good.

The sign-in redirect URI should be this:

https://ud-dev.domain.com/authorization-code/callback

That’s formulated by concatenating the PSU URL with the CallbackPath:

"CallbackPath": "/authorization-code/callback",

I’m not aware of any configuration for the initiate login URI. The steps in the document were exactly what I took to get Okta working for me.
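As an added example (not code from the thread or from PowerShell Universal), a small PowerShell helper that derives the expected Okta Sign-in redirect URI from the public PSU base URL plus OIDC.CallbackPath in appsettings.json, and flags the mismatches that typically break the callback (http instead of https when RedirectToHttps is on, a stray port, a wrong path). The appsettings fragment and hostnames are constructed placeholders; the public base URL is passed in because the Kestrel "https://*:443" wildcard binding does not tell you the hostname users actually reach.

```powershell
# Constructed sample of the relevant appsettings.json keys (placeholders, not a real tenant).
$appsettingsJson = @'
{
  "Kestrel": {
    "Endpoints": { "HTTP": { "Url": "http://*:80" }, "HTTPS": { "Url": "https://*:443" } },
    "RedirectToHttps": "true"
  },
  "OIDC": { "Enabled": "true", "CallbackPath": "/authorization-code/callback",
            "Authority": "https://<domain>.okta.com" }
}
'@

function Get-PsuRedirectUri {
    param(
        [Parameter(Mandatory)][string]$AppSettingsJson,
        [Parameter(Mandatory)][string]$PublicBaseUrl   # e.g. https://ud-dev.domain.com (scheme + host only)
    )
    $cfg = $AppSettingsJson | ConvertFrom-Json
    $callback = $cfg.OIDC.CallbackPath
    if (-not $callback.StartsWith('/')) { $callback = "/$callback" }
    # Expected value = scheme://host[:non-default port] + CallbackPath, nothing else.
    $authority = ([Uri]$PublicBaseUrl).GetLeftPart([UriPartial]::Authority)
    [pscustomobject]@{ RedirectUri = $authority.TrimEnd('/') + $callback; Config = $cfg }
}

function Test-PsuRedirectUri {
    param(
        [Parameter(Mandatory)][string]$AppSettingsJson,
        [Parameter(Mandatory)][string]$PublicBaseUrl,
        [Parameter(Mandatory)][string]$OktaRedirectUri   # the value entered in the Okta app
    )
    $r = Get-PsuRedirectUri -AppSettingsJson $AppSettingsJson -PublicBaseUrl $PublicBaseUrl
    $okta = [Uri]$OktaRedirectUri
    $problems = @()
    $forceHttps = ([string]$r.Config.Kestrel.RedirectToHttps) -eq 'true'
    if ($forceHttps -and $okta.Scheme -ne 'https') {
        $problems += 'Okta URI uses http but PSU redirects http to https; the callback would be bounced'
    }
    if (-not $okta.IsDefaultPort) { $problems += "Explicit port $($okta.Port) but PSU listens on the default port" }
    if ($okta.AbsolutePath -ne $r.Config.OIDC.CallbackPath) {
        $problems += "Path '$($okta.AbsolutePath)' does not match CallbackPath '$($r.Config.OIDC.CallbackPath)'"
    }
    [pscustomobject]@{ Expected = $r.RedirectUri; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Usage: the two candidates discussed in the thread; the first is flagged, the second is valid.
Test-PsuRedirectUri -AppSettingsJson $appsettingsJson -PublicBaseUrl 'https://ud-dev.domain.com' -OktaRedirectUri 'https://ud-dev.domain.com:8080/authorization-code/callback'
Test-PsuRedirectUri -AppSettingsJson $appsettingsJson -PublicBaseUrl 'https://ud-dev.domain.com' -OktaRedirectUri 'https://ud-dev.domain.com/authorization-code/callback'
```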

Thanks Adam! Confirmed the appsettings.json is not the issue.

What about the Sign-in redirect URI entered into Okta? The example shows http://localhost:8080/authorization-code/callback. I’m redirecting connections from http to https in appsettings.json, and netstat does not show the system listening on port 8080. What should my Sign-in redirect URI be in Okta? Should it use https, should there be a port listed? Perhaps https://ud-dev.domain.com:8080/authorization-code/callback ?

Ignore that last response… I’m a goofy goof. You gave me the answer, and I just didn’t read it correctly… LOL. I’m going to have my Okta guy update the Sign-in Redirect URI in Okta and try again.

Thanks,

Our Okta admin made the change of the Sign-in Redirect URI as you stated, to https://ud-dev.domain.com/authorization-code/callback and now it’s working :slight_smile:

Thanks again Adam!
HueDaPyn