need help setting OKTA as IDp

[FarhanaJabbar]

Hi,

I was trying to follow your instructions mentioned in https://github.com/KentorIT/authservices/blob/master/doc/IdentityServer3Okta.md to setup okta as IDp. The problem i am having is , how i should setup the the Identity server options as you have not provided any details for this here. var options = Helpers.GetIdentityServerOptions();

Could you please help as i am stuck here

Regards,

Farhana

[AndersAbel]

@dahlsailrunner is this anything you can answer?

[dahlsailrunner]

Hi Farhana -

This really comes down to your configuration and requirements for IdentityServer3. The steps in setting something very simple are here: https://identityserver.github.io/Documentation/docsv2/overview/simplestOAuth.html

The complete documentation for the options is here: https://identityserver.github.io/Documentation/docsv2/configuration/identityServerOptions.html

My code for setting these options (which may differ from your requirements) is here (and I'll add some comments to explain certain lines below):

public static IdentityServerOptions GetIdentityServerOptions()
        {
            var options = new IdentityServerOptions
            {
                IssuerUri = GetIssuerUri(),
                RequireSsl = true,
                SiteName = "My Custom Identity",
                EnableWelcomePage = true,
            };

            var factory = new IdentityServerServiceFactory()
                .UseInMemoryClients(Clients.Get())
                .UseInMemoryScopes(Scopes.Get());

            var efConfig = new EntityFrameworkServiceOptions {ConnectionString = "IdSvr3Config." + Config.Instance.EnvCd.ToLower() };
            factory.RegisterOperationalServices(efConfig);

            var userService = new NwpUserService();
            factory.UserService = new Registration<IUserService>(resolver => userService);
            factory.ViewService = new Registration<IViewService>(typeof (NwpViewService));
            //factory.CorsPolicyService = new Registration<ICorsPolicyService>(new DefaultCorsPolicyService { AllowAll = true });
            options.Factory = factory;

            options.SigningCertificate = GetSigningCertificate();

            return options;
        }

Peeling this back almost line by line:

• IssuerUri needs to be something like "https://youridserveraddress" - and for me that is different for each environment (dev, test, production) so I created a method to return it.
• RequireSsl = true -- I highly recommend setting this up even in development since EVERYTHING you do regarding SSO should be secure
• SiteName -- this is just a title and can be anything you want.
• the InMemory Clients and Scopes factories -- this is explained on the Id Server docs mentioned above -- it just means that you configure clients and scopes in code files within this project and read them at startup time. The examples are pretty good about explaining this.
• efConfig and RegisterOperationalServices -- totally unnecessary for testing. I'm doing this because it sets up persistent database stores for tokens and user consent choices, so those things are not lost if I restart the servers or deploy a new code build. The docs explain how to set this up (EntityFramework stuff).
• user service -- I'm using a custom user service because even with an authenticated external identity, I need to still look up the user in our system and determine their permissions and what they can access -- I'll get the username from the external Okta sign in, but then still need to see which accounts that username can access in MY system, which Okta won't be able to tell me. The custom user service documentation is pretty good: https://identityserver.github.io/Documentation/docsv2/advanced/userService.html
• view service: totally unnecessary to get started. The ONLY reason you would want to set this up is to replace the built-in views (e.g. login, etc) with your own html. The docs explain this and there is a sample you can review if desired.
• signing certificate: This is required and is used within identity server to "sign" the JWT's that get created during the sign in process. You basically need to read in the PFX of a certificate and use it as the value being assigned here (recommendation from Dominick - one of Id Svr authors - is NOT to use the site SSL cert. A simple self-signed cert is fine - and the sample applications provide code on hos this can be done.

The Identity Server samples are very helpful and can be found here: https://github.com/IdentityServer/IdentityServer3.Samples

Regards - Erik