Set up Okta as an OpenID Connect identity provider with this in-depth guide by our in-house experts.
At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Service.
Let’s take a look at how our Support Team is ready to help customers with setting up Okta as an OpenID Connect identity provider.
How to set up Okta as an OpenID Connect identity provider
Here is a helpful guide to setting up Okta as an OIDC identity provider in an Amazon Cognito user pool. Our Support Techs recommend following these steps to get the job done:
- Create an Amazon Cognito user pool with an app client and domain name
- Sign up for an Okta developer account
- Create an Okta app
- Configure settings for the Okta app
- Add an OIDC IdP in the user pool
- Change app client settings for the user pool
- Map the email attribute to a user pool attribute
- Log in to test the setup
How to create an Amazon Cognito user pool with an app client and domain name
- First, we have to create a user pool.
- Then, we will create an app client in the user pool and add a domain name for the user pool. Note the full domain (an Amazon Cognito prefix domain such as myprefix.auth.us-east-1.amazoncognito.com, or a custom domain); the redirect URI we give Okta is built from it.
How to sign up for an Okta developer account
- Head to the Okta Developer signup page, enter your details and select SIGN UP. We will then receive a verification email from the Okta Developer Team.
- Next, choose ACTIVATE in that email and finish creating the account.
How to create an Okta app
- First, we have to open the Okta Developer console and expand Applications and select Applications.
- Then, select Create App Integration and choose OpenID Connect as the sign-in method.
- After that, select Web Application as the application type and select Next. A web application is the right choice because Cognito, not the browser, exchanges the authorization code and holds the client secret.
How to configure settings for your Okta app
- First, we will head to the New Web App Integration page, under General Settings, and enter a name for the app.
- Next, make sure the Authorization Code check box is selected under Grant Type. Cognito federates with an OIDC IdP using the authorization code grant, so Implicit is not needed and can stay unchecked.
- Then, enter https://myUserPoolDomain/oauth2/idpresponse for Sign-in redirect URIs, where myUserPoolDomain is the full user pool domain noted earlier. In older versions of the Okta console this field is labeled Login redirect URIs under CONFIGURE OPENID CONNECT. Okta only redirects to URIs on this list, so the value must match the user pool domain exactly.
- Next, we will select our preferred access setting in Controlled access and select Save.
- Then, copy the Client ID and Client secret from Client Credentials. Treat the secret like a password: it is what lets Cognito redeem authorization codes at Okta's token endpoint.
- Select Sign On and note the Issuer URL under OpenID Connect ID Token. We will require this URL while configuring Okta in the user pool; copy it exactly as shown, because Cognito appends /.well-known/openid-configuration to it to discover Okta's endpoints.
How to add an OIDC IdP in the user pool
- First, we have to head to Manage user pools in the Amazon Cognito console and select the user pool.
- Then, select Identity providers under Federation in the left navigation pane.
- Next, we will select OpenID Connect.
- After that we have to enter the following information:
- Provider name: Enter a name for the IdP (for example, Okta). This name is also what an application passes as the identity_provider parameter to the hosted UI.
- Client ID: Paste the Client ID noted while configuring settings for your Okta app
- Client secret: Paste the Client secret noted while configuring settings for your Okta app
- Attributes request method: Leave it as GET. This is the HTTP method Cognito uses to call Okta's userinfo endpoint.
- Authorize scope: Enter the OIDC scope values to request from Okta, separated by spaces (for example, openid email). openid is required; email is needed if we want to map the user's email address.
- Issuer: Paste the Issuer URL noted while configuring settings for your Okta app
- Identifiers (optional): Enter a custom string to use in the endpoint URL instead of the OIDC IdP's name
- Next, select Run discovery. Cognito fetches the discovery document from the Issuer URL and fills in the authorization, token, userinfo and JWKS endpoints; if discovery fails, re-check the Issuer URL before continuing. Then choose Create provider.
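Before pasting the Issuer into the user pool, it is worth checking the discovery document ourselves, because "Run discovery" only tells us that something failed. The following Python is an added example, not code from Bobcares, Okta or AWS. It validates a constructed discovery document of the shape Okta serves (the domain dev-123456.okta.com is a placeholder) against the issuer string we intend to configure, and reports the usual causes of a failed discovery: an issuer that does not match byte-for-byte (typically a trailing slash or the wrong authorization server path), endpoints that are not HTTPS or not on the issuer's host, and a server that does not advertise the authorization code grant or the scopes we plan to request.

```python
"""Sanity-check an OIDC discovery document before configuring the Issuer
in an Amazon Cognito user pool.  Added example, not Bobcares/Okta/AWS code."""
import json
from urllib.parse import urlparse

# Constructed discovery document in the shape Okta serves for an
# authorization server.  "dev-123456.okta.com" is a placeholder domain.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-123456.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-123456.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-123456.okta.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://dev-123456.okta.com/oauth2/default/v1/userinfo",
    "jwks_uri": "https://dev-123456.okta.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "code_challenge_methods_supported": ["S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Endpoints Cognito needs for the authorization code flow with an OIDC IdP.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def check_discovery(document: str, configured_issuer: str, scopes=("openid", "email")) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not JSON: {exc}"]

    # OIDC Discovery requires the "issuer" value to be identical to the issuer
    # URL the document was fetched for: ".../default/" != ".../default".
    issuer = doc.get("issuer")
    if issuer != configured_issuer:
        problems.append(f"issuer mismatch: document says {issuer!r}, configured {configured_issuer!r}")

    issuer_host = urlparse(configured_issuer).netloc
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if not url:
            problems.append(f"missing {name}")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{name} is not https: {url}")
        if parsed.netloc != issuer_host:
            problems.append(f"{name} is on a different host than the issuer: {url}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("server does not support response_type=code")
    # Per the spec, an absent grant_types_supported means authorization_code and implicit.
    if "authorization_code" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("authorization_code grant not advertised")
    missing = [s for s in scopes if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append(f"scopes not advertised by the server: {missing}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")
    return problems


def override(document: str, **fields) -> str:
    """Copy of the document with some fields changed; used to simulate misconfigured servers."""
    doc = json.loads(document)
    doc.update(fields)
    return json.dumps(doc)


if __name__ == "__main__":
    good = "https://dev-123456.okta.com/oauth2/default"
    print("exact issuer:", check_discovery(SAMPLE_DISCOVERY, good))
    print("trailing slash:", check_discovery(SAMPLE_DISCOVERY, good + "/"))
```

In practice the document comes from `curl -s "$ISSUER/.well-known/openid-configuration"`; feeding that output to `check_discovery` with the same `$ISSUER` catches the trailing-slash mistake that otherwise shows up only as a generic discovery failure in the Cognito console.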
How to change app client settings for your user pool
- First, we have to head to Manage user pools in the Amazon Cognito console and select the user pool.
- Then, we will select App client settings under App integration in the left navigation pane.
- Next, enter the following information on the app client page:
- Enabled Identity Providers: Select the check box for the OIDC provider we created earlier
- Callback URL(s): Enter the URL(s) where users are redirected after they log in. Cognito only redirects to URLs on this list and they must use HTTPS (http://localhost is allowed for local development).
- Sign out URL(s): Enter the URL(s) where users are redirected after they log out
- Allowed OAuth Flows: Choose Authorization code grant for web and mobile applications; it delivers a short-lived code to the callback URL and the application exchanges it for tokens. Implicit grant puts the tokens themselves in the browser URL and should only be enabled if a legacy client requires it.
- Allowed OAuth Scopes: Select the email and openid check boxes
- Select Save changes.
How to map the email attribute to a user pool attribute
Our Support Engineers recommend mapping the email attribute to a user pool attribute whenever we authorize the email OIDC scope value; otherwise the address Okta returns is never stored on the Cognito user.
- First, we have to head to Manage user pools in the Amazon Cognito console and select the user pool.
- Then, we will select Attribute mapping under Federation in the left navigation pane.
- Next, choose OIDC tab on the attribute mapping page.
- If there is more than one OIDC provider in the user pool, select the new provider from the drop-down list.
- After that, ensure the OIDC attribute sub is mapped to the user pool attribute Username. sub is Okta's stable, unique identifier for the user, which is why it (and not the email address) should be the username.
- Then, select Add OIDC attribute and enter the following information:
- OIDC attribute: Enter email
- User pool attribute: Select Email
How to log in to test your setup
To test the setup, open the hosted UI sign-in page for the app client, https://myUserPoolDomain/login?response_type=code&client_id=myClientId&redirect_uri=myCallbackUrl, choose Okta and log in with an Okta account. After a successful login, Cognito redirects to the app client's callback URL. With the authorization code grant the address bar shows a code parameter in the query string; with the implicit grant it shows the user pool tokens in the URL fragment. According to our Support Engineers, this indicates we have set up Okta successfully. The code is single-use and short-lived: the application must exchange it at https://myUserPoolDomain/oauth2/token and then verify the ID token's signature and claims before trusting anything in it.
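The sign-in test above is easy to do by hand, but the application still has to build the request correctly and check what comes back. The Python below is an added example, not code from Bobcares or AWS. It drives the documented Cognito hosted UI endpoints (/oauth2/authorize and /oauth2/token) from a relying party's point of view: it builds the authorize URL with a state value and a PKCE challenge, validates the callback (state check, code present, no error), assembles the token request, and then checks the claims Cognito places in an ID token (iss, aud, token_use, exp). The domain, client ID, user pool ID, region and callback URL are placeholders, and the ID token is a constructed sample; signature verification against the user pool's JWKS is a prerequisite in real code and is deliberately not part of this offline example.

```python
"""Relying-party side of the Cognito hosted UI authorization code flow.
Added example, not Bobcares/AWS code.  All identifiers below are placeholders."""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

USER_POOL_DOMAIN = "myuserpooldomain.auth.us-east-1.amazoncognito.com"           # placeholder
CLIENT_ID = "1example23456789abcdef"                                               # placeholder
REDIRECT_URI = "https://app.example.com/callback"                                  # placeholder, listed in Callback URL(s)
USER_POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE" # placeholder pool id
PROVIDER_NAME = "Okta"   # the Provider name entered under Federation > Identity providers


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login():
    """Build the hosted UI authorize URL; also return what the app must keep in its session."""
    state = b64url(secrets.token_bytes(16))       # binds the callback to this browser session
    verifier = b64url(secrets.token_bytes(32))    # PKCE verifier, never leaves the server
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",              # authorization code grant: no tokens in the browser URL
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "identity_provider": PROVIDER_NAME,   # send the user straight to Okta, skipping the chooser
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = f"https://{USER_POOL_DOMAIN}/oauth2/authorize?{urlencode(params)}"
    return url, {"state": state, "code_verifier": verifier}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate the redirect from Cognito; return the body to POST to /oauth2/token."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"IdP returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: possible CSRF or stale session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    # The client secret is sent as HTTP Basic auth on the token request, not in this body.
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": session["code_verifier"],
    }


def validate_id_token_claims(id_token: str, now: float = None) -> dict:
    """Check the claims Cognito puts in an ID token.  The RS256 signature must already
    have been verified against <USER_POOL_ISSUER>/.well-known/jwks.json (not shown)."""
    now = time.time() if now is None else now
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != USER_POOL_ISSUER:
        raise ValueError("issuer is not our user pool")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for a different app client")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")          # access tokens carry token_use=access
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def make_sample_id_token(exp: float, **overrides) -> str:
    """Constructed sample token for the offline demo; the signature part is a dummy."""
    header = {"alg": "RS256", "kid": "example-kid"}
    claims = {"iss": USER_POOL_ISSUER, "aud": CLIENT_ID, "token_use": "id",
              "sub": "11111111-2222-3333-4444-555555555555", "email": "user@example.com",
              "exp": int(exp), "iat": int(exp) - 3600}
    claims.update(overrides)
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), b64url(b"dummy-signature")])


if __name__ == "__main__":
    url, session = start_login()
    print("Send the browser to:", url)
    # Simulated callback from Cognito after a successful Okta login (constructed):
    callback = f"{REDIRECT_URI}?code=abc123&state={session['state']}"
    print("Token request body:", handle_callback(callback, session))
    print("Claims:", validate_id_token_claims(make_sample_id_token(time.time() + 3600)))
```

The state check is what stops an attacker from completing a login in the victim's browser with a code they obtained elsewhere, and PKCE ensures a leaked code cannot be redeemed without the verifier; both are cheap and worth keeping even when the app also holds the client secret.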
Conclusion
In essence, our skilled Support Engineers at Bobcares demonstrated how to set up Okta as an OpenID Connect identity provider.