OKTA authentication via API
The following section outlines the configuration of SAFEQ Cloud integrated with OKTA through their API interfaces.
Requirements:
- It is necessary to generate an API token in the OKTA administration UI. This API token is used by the SAFEQ Cloud server for authentication operations.
Creating an OKTA Token for integration
- In the OKTA administration console, navigate to API > Tokens.
- Click Create Token and enter a reference name for the token.
- Copy the token for later use in SAFEQ Cloud.
Configure SAFEQ Cloud for OKTA authentication
- In SAFEQ Cloud Web UI, add a new OKTA authentication provider in the authentication settings. Enter the following details:
- Domains – The domain names of the server. The domain part of the user name must match one of them. For example, if the domain name of the OKTA authentication provider is okta.domain.com, then the user added in Access Control should be user@okta.domain.com.
- Priority – A number that determines the order in which authentication providers will be called until one succeeds. Higher-priority providers will be called first.
- OKTA endpoint address – The address of the OKTA server prefixed with the customer's domain name, for example "customer-acme.okta.com" or "dev-xxx.oktapreview.com".
- API token – The API token obtained from the OKTA administrator.
- MFA timeout, seconds – The maximum time in seconds the server will wait for multi-factor authentication to complete.
- Users and groups in OKTA are now available for Access Control configuration.
- When adding a new access control entry for an OKTA authentication provider, the users or groups in that entry must carry the same domain as the domain name defined for that OKTA authentication provider.
Specifying the correct domain name is especially important when using the Strict domain validation feature; without a matching domain it is impossible to determine to which domain a user belongs.
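The domain-matching and priority rules above, as an added example that is not SAFEQ Cloud's or Okta's own code: it models a configured provider with the fields from this section (domains, priority, endpoint, MFA timeout), picks the providers to try for a given user name, and checks an Access Control entry against a provider. The provider model, the sample providers and the non-strict fallback (try every provider when the user carries no domain) are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class OktaProvider:
    """Hypothetical model of one configured OKTA authentication provider."""
    name: str
    domains: list[str]          # domains users of this provider must carry, e.g. "okta.domain.com"
    priority: int               # higher priority is called first
    endpoint: str               # e.g. "customer-acme.okta.com"
    mfa_timeout_seconds: int = 60


# Constructed sample configuration (not real tenants).
SAMPLE_PROVIDERS = [
    OktaProvider("acme", ["okta.domain.com"], priority=10, endpoint="customer-acme.okta.com"),
    OktaProvider("dev", ["okta.domain.com", "dev.example.test"], priority=20,
                 endpoint="dev-xxx.oktapreview.com", mfa_timeout_seconds=120),
]


def user_domain(user: str) -> str | None:
    """Return the domain part of 'user@domain' in lower case, or None when absent."""
    _, sep, domain = user.partition("@")
    return domain.lower() if sep and domain else None


def entry_domain_matches(entry: str, provider: OktaProvider) -> bool:
    """An Access Control user or group entry must carry one of the provider's domains."""
    domain = user_domain(entry)
    return domain is not None and domain in (d.lower() for d in provider.domains)


def providers_for_user(user: str, providers: list[OktaProvider],
                       strict_domain: bool = False) -> list[OktaProvider]:
    """Candidate providers for a login, highest priority first.

    Only providers whose domains include the user's domain are candidates.
    With strict domain validation, a user without a recognised domain gets no
    candidates at all; without it, a user lacking a domain falls back to every
    provider (assumed fallback, since the domain cannot be detected).
    """
    domain = user_domain(user)
    if domain is None:
        candidates = [] if strict_domain else list(providers)
    else:
        candidates = [p for p in providers if entry_domain_matches(user, p)]
    return sorted(candidates, key=lambda p: p.priority, reverse=True)
```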