OKTA - OpenID Connect Integration

MetaDefender ICAP Server has been tested and verified with the following IDPs for both SAML and OIDC integrations:

  • Okta
  • Azure
  • OneLogin
  • Ping Identity

In this article, we selected OKTA (https://www.okta.com/) as a supported IDP to demonstrate OIDC and SAML integration with MetaDefender ICAP Server.

OpenID Connect Integration

Create a new application on the IDP site for MetaDefender ICAP Server

  1. Sign in to the Okta Developer site.
  2. Add an application, select the “Web” application type, and choose “OpenID Connect” as the sign-on method.
  3. Make sure the newly created application appears in the ACTIVE list (e.g. Okta_OpenId).
  4. Open the newly created application (e.g. Okta_OpenId), navigate to the “General” tab, and create a new client secret if one does not exist yet.
  5. On the MetaDefender ICAP Server management console, create a new user directory for SSO:
  • Navigate to Settings > User Management
  • On the “USER DIRECTORIES” tab, hit the “ADD NEW USER DIRECTORY” button
  • Choose the “OpenID Connect (OIDC)” option for “USER DIRECTORY TYPE”
  • Type a directory name of your choice
  • In the “IDENTITY PROVIDER” section, enter the IDP’s designated metadata API URL and hit the “FETCH” button (for Okta, the URL is documented on the “OpenID Connect & OAuth 2.0 API” page on Okta Developer)
  • After a successful fetch, the scope list is populated and OPENID is selected by default
  6. In the “SERVICE PROVIDER” section:
  • Fill in “Client ID” and “Client Secret” so that they match the values generated in the IDP console
  • In the current MetaDefender ICAP Server management console view, type your MetaDefender ICAP Server address in the “HOST OR IP” field
  • A login redirect URL is then auto-generated by MetaDefender ICAP Server; copy the full link, you will need it in the next step
  • Switch to the Okta IDP console, paste the login redirect URL, and also enter the Initiate login URI
  7. In the “SCOPE” field:
  • Scopes can be selected once the metadata fetch above has succeeded.
  • OpenID is the default scope.
  • Select the scopes whose claims you will use in the other fields (USER IDENTIFIED BY and Role Mapping). The scopes supported by Okta are listed on the “OpenID Connect & OAuth 2.0 API” page on Okta Developer.
  8. In the “USER IDENTIFIED BY” field:
  • The username can be constructed from claims under the email scope
  • A claim variable is specified with the syntax ${<claim-name>}

Notes: The claims supported under the email scope are IDP specific. Please review the IDP documentation for more details.

For example, for Okta, see “Identity, Claims, & Tokens – An OpenID Connect Primer, Part 1 of 3” (https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1).

  • “USER IDENTIFIED BY” field: the username can likewise be constructed from claims under the profile scope.
  • A claim variable is specified with the syntax ${<claim-name>}

Notes: The claims supported under the profile scope are IDP specific. Please review the IDP documentation for more details.

For example, for Okta, see the OpenID Connect primer linked above.

  • In the “USER ROLE” section, choose the default role to map to an existing MetaDefender ICAP Server local role,
  • or create a custom role mapping based on RegEx.
  • Hit the “ADD” button to finish creating the new SSO user directory; by default the newly created user directory is disabled.
  9. Result: sign on to MetaDefender ICAP Server using IDP authentication.
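The three configuration fields above (metadata fetch and scope selection, the ${<claim-name>} username template, and the RegEx role mapping with a default role) are easier to reason about with the logic in front of you. The following Python is an added example written for this article; it is not MetaDefender ICAP Server's or Okta's code. It assumes a constructed OIDC discovery document of the kind an IDP serves at <issuer>/.well-known/openid-configuration (placeholder host and paths), a constructed set of ID-token claims, and hypothetical role-mapping rules. It checks that requested scopes are actually advertised by the IDP, expands a ${claim} template against the token claims while failing closed on a missing claim, and resolves a local role by anchored regex match with a fallback to the default role.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of an OIDC discovery document, i.e. the JSON an IDP serves
# at <issuer>/.well-known/openid-configuration. Host and paths are placeholders.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# Constructed ID-token claims, standing in for what the IDP returns after login.
SAMPLE_CLAIMS = {
    "sub": "00u-constructed-id",
    "email": "jane.doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "groups": ["icap-readonly", "Everyone"],
}

# Hypothetical RegEx role-mapping rules: (pattern over a claim value, local role).
# First matching rule wins, so the more privileged pattern is listed first.
ROLE_RULES = [
    (r"icap-admin", "Administrator"),
    (r"icap-.*", "Read Only"),
]

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
CLAIM_REF = re.compile(r"\$\{([^}]+)\}")   # matches ${<claim-name>}


def parse_metadata(raw):
    """Parse a discovery document and reject one that lacks the endpoints a
    relying party needs or that advertises a non-https endpoint."""
    meta = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in meta]
    if missing:
        raise ValueError("metadata missing keys: " + ", ".join(missing))
    for key in REQUIRED_KEYS:
        if urlparse(meta[key]).scheme != "https":
            raise ValueError(key + " must be an https URL")
    return meta


def unsupported_scopes(meta, requested):
    """Requested scopes the IDP does not advertise; openid is always required."""
    wanted = set(requested) | {"openid"}
    return sorted(wanted - set(meta.get("scopes_supported", [])))


def build_username(template, claims):
    """Expand a ${<claim-name>} template against token claims. A reference to a
    claim that is absent or empty raises KeyError, so a misconfigured directory
    fails closed instead of producing a partial or empty username."""
    def lookup(match):
        name = match.group(1)
        if name not in claims or claims[name] in (None, ""):
            raise KeyError("claim %r not present in token" % name)
        return str(claims[name])
    return CLAIM_REF.sub(lookup, template)


def map_role(claims, rules, default_role, claim="groups"):
    """Return the local role of the first rule whose pattern fully matches a
    value of the chosen claim, otherwise the default role. fullmatch is used
    so that a pattern like 'icap-admin' does not also match 'icap-admin-readonly'."""
    values = claims.get(claim, [])
    if isinstance(values, str):
        values = [values]
    for pattern, role in rules:
        regex = re.compile(pattern)
        if any(regex.fullmatch(v) for v in values):
            return role
    return default_role


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_METADATA)
    print("issuer:", meta["issuer"])
    print("unsupported scopes:", unsupported_scopes(meta, ["profile", "email"]))
    print("username:", build_username("${email}", SAMPLE_CLAIMS))
    print("role:", map_role(SAMPLE_CLAIMS, ROLE_RULES, "Viewer"))
```

Two points carry over to the real configuration: a claim referenced in USER IDENTIFIED BY only exists in the token if its scope was selected in the SCOPE field, and a role-mapping regex that is not anchored to the whole group name can match more groups than intended, so keep patterns exact and order the most privileged rule first.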