This guide walks through the setup for Single Sign On (SSO) in Cloud Control Center using Okta Identity.
Step 1 - Create Required User Groups in Okta
First we will create the required user groups in Okta, TenantAdmin and TenantUser. Navigate to Directory -> Groups and select Add group.
We will create two groups, TenantAdmin and TenantUser. These user groups are used to authorize users in Cloud Control Center, so be sure that the Name syntax matches the images below exactly.
Now that our groups are created, we will be able to quickly assign them to our Application defined in Okta that we are going to create in the next step.
Step 2 - Create App Integration in Okta
Go to the Applications dashboard in Okta and click Create App Integration.
Note that the screenshots are created in Developer Edition and may vary from customer portals.
Next, select the OIDC - OpenID Connect option, select Web Application as your application type, and click Next.
Give the application a name such as 'Elisity SSO'. Under Grant Type, click the check box for the Refresh Token option. Leave the redirect URLs as the default options for now; we will modify the sign-in redirect URI in a later step.
Under Assignments, select Limit access to selected groups and choose the two user groups we created previously, TenantAdmin and TenantUser.
Click the Save button after all options have been submitted.
Step 3 - Modify Sign-In Redirect URI in Okta
After saving the application settings, open the application information and copy the Client ID and Client Secret into your notepad for later.
Scroll down to the application's General Settings and click Edit. Scroll down to the LOGIN section that contains the sign-in redirect URIs.
Replace the existing Sign-In Redirect URI with the following URI:
https://<CCC-IP-or-FQDN>/api/v1/iam/login/oauth2/code/CR_<Application Client ID>
Replace <CCC-IP-or-FQDN> with the IP address or FQDN of your CCC instance.
Replace <Application Client ID> with the Client ID that we copied earlier.
Example: https://preview.elisity.io/api/v1/iam/login/oauth2/code/CR_0oa7d30b2cWt49cyb5d7
Click Save after appropriately modifying the URI.
Step 4 - Create an API Role in Okta
Expand the Security drop-down in the left pane, then click API (the last item in the list).
Copy the Issuer URI value of the required (usually 'default') Authorization Server into the notepad where we saved the Client ID and Client Secret for later use.
Edit the settings of the Default Authorization Server by clicking the name default on the left or by clicking the edit icon to the right.
Enter the following options for the new claim:
- Enter 'UserRole' for Name
- For Include in token type, select ID token and Always
- Select Groups for Value type
- For Filter, select Matches regex and enter .* as the regex
- For Include in, select The following scopes, then type 'openid'
Click Create
Step 5 - Setup Okta SSO in Cloud Control Center
Log in to Cloud Control Center as an Administrator, and navigate to Administration -> Settings -> Security -> SSO Configuration. Select Okta, and enter the Client ID, Client Secret, and the Issuer ID that we saved in previous steps.
You should now be able to log in to Cloud Control Center using SSO with Okta for users who belong to the appropriate groups. Simply click 'Login with SSO' and enter your Okta credentials.
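The two details this guide depends on most are the exact Sign-In Redirect URI from Step 3 and the UserRole groups claim from Step 4, and both fail silently when they are off by a character. The following Python script is an added example written for this page, not Elisity or Okta code: it builds the redirect URI from a CCC host and Client ID, and it inspects the claims of an ID token the way an administrator would when troubleshooting why a user is not authorized. The issuer value, the sample tokens and the "sig" signature segment are constructed placeholders; the script decodes the token payload for inspection only and performs no signature check (that verification is CCC's job, against Okta's published keys). The role precedence (TenantAdmin before TenantUser) is an assumption, not something the guide states.

```python
import base64
import json
import re
from typing import Optional

# Group names must match the Okta groups from Step 1 exactly (case-sensitive).
TENANT_ROLES = ("TenantAdmin", "TenantUser")
CLAIM_NAME = "UserRole"  # claim name configured in Step 4

# Constructed placeholder values for the offline example.
SAMPLE_ISSUER = "https://dev-000000.okta.com/oauth2/default"   # constructed
SAMPLE_CLIENT_ID = "0oa7d30b2cWt49cyb5d7"                       # from the guide's example


def build_redirect_uri(ccc_host: str, client_id: str) -> str:
    """Build the Sign-In Redirect URI from Step 3.

    The host must be a bare IP or FQDN (optionally with a port); a scheme or
    path pasted into it would produce a URI Okta silently rejects at login.
    """
    if not re.fullmatch(r"[A-Za-z0-9.-]+(:\d+)?", ccc_host):
        raise ValueError("ccc_host must be an IP/FQDN with optional port, no scheme or path")
    if not re.fullmatch(r"[A-Za-z0-9]+", client_id):
        raise ValueError("client_id does not look like an Okta Client ID")
    return f"https://{ccc_host}/api/v1/iam/login/oauth2/code/CR_{client_id}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def id_token_claims(token: str) -> dict:
    """Return the payload of a compact JWT for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def resolve_tenant_role(claims: dict, issuer: str, client_id: str) -> Optional[str]:
    """Map the ID token's UserRole groups claim to a CCC role, or None if unauthorized.

    The token must come from the configured issuer and be addressed to our
    Client ID; the regex filter .* from Step 4 means the claim may carry
    every group the user belongs to, so we look for an exact match only.
    """
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        return None
    groups = claims.get(CLAIM_NAME)
    if not isinstance(groups, list):
        return None  # claim missing: typically 'openid' scope not selected in Step 4
    for role in TENANT_ROLES:  # assumption: TenantAdmin takes precedence over TenantUser
        if role in groups:
            return role
    return None


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample token for offline testing; never use in production."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "sig",  # placeholder signature segment
    ])


def check_samples() -> dict:
    """Run the role mapping over constructed tokens that model common misconfigurations."""
    base = {"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "user@example.invalid"}
    cases = {
        "user": dict(base, UserRole=["Everyone", "TenantUser"]),
        "admin_in_both_groups": dict(base, UserRole=["TenantUser", "TenantAdmin"]),
        "wrong_case_group": dict(base, UserRole=["tenantadmin"]),
        "claim_missing": dict(base),
        "wrong_issuer": dict(base, iss="https://other.example.invalid", UserRole=["TenantAdmin"]),
    }
    return {
        name: resolve_tenant_role(id_token_claims(make_sample_token(p)), SAMPLE_ISSUER, SAMPLE_CLIENT_ID)
        for name, p in cases.items()
    }


if __name__ == "__main__":
    print(build_redirect_uri("preview.elisity.io", SAMPLE_CLIENT_ID))
    for name, role in check_samples().items():
        print(f"{name:24s} -> {role}")
```

Running the script prints the same redirect URI the guide gives as its example and shows that a group named tenantadmin (wrong case), a token without the UserRole claim, and a token from a different issuer all resolve to no role, which is the usual shape of a "Login with SSO works but the user is not authorized" report.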