Okta Configuration
Agora integrates with Okta as its Identity Provider (IdP) over the OpenID Connect (OIDC) protocol. Configure Okta as follows:
Log into Okta as an administrator.
Go to Applications > Create App Integration.
Select OIDC - OpenID Connect as the sign-in method and Web Application as the application type.
Complete the new application for Agora and record the generated Client ID and Client Secret; both are required when configuring the IdP in Agora. Treat the Client Secret as a credential: keep it in your secrets store rather than in shared documents (see the Okta documentation on creating custom app integrations for more information).
Go to Security > API, select the Authorization Server you will use for Agora and open the Claims tab.
Agora requires the sub claim of the access_token to match the sub claim of the id_token. By default the two differ: the id_token uses the Okta user ID, while the access_token's default expression uses the application user's username. Override the sub claim for the access_token with the following expression:
(user != null) ? user.id : app.clientId
The conditional returns the Okta user ID when the token is issued on behalf of a user and falls back to the client ID for machine-to-machine (client credentials) grants, where no user is present.
In addition, add an email claim to the access_token (set the claim type to Access Token) using the expression:
user.profile.email
In Agora, navigate to the Organization Admin Panel and select the Idp menu item. Complete the IdP configuration using the Fetch and Fill option, entering the Okta OpenID Connect discovery endpoint in the discovery endpoint URL field. The issuer URL is shown in Okta under Security > API, in the details of the Authorization Server used for Agora; for a custom authorization server it has the form https://<okta-domain>/oauth2/<authorization-server-id>. The Okta OpenID Connect discovery endpoint follows the pattern:
https://<issuer-url>/.well-known/openid-configuration
Once the IdP's details have been fetched into Agora, enter email in the Token claim with the user's login field. This is the claim added to the access_token above and is the value Agora uses to identify the logged-in user.
Enter the Client ID and Client Secret generated when creating the Okta application.
Save the IdP configuration in Agora. Saving generates two redirect URIs.
Copy both redirect URIs. In Okta, navigate to Applications > Applications and open the application created for Agora. Under the General tab, go to the General Settings section and click Edit. Enter the first redirect URI copied from Agora as a Sign-in redirect URI and the second as a Sign-out redirect URI, then save the changes. Okta rejects a redirect_uri that does not exactly match a registered one, so paste the URIs verbatim rather than retyping them.
Finally, log out of Agora completely to complete the Identity Provider configuration.
Important
You must restart the Execution Plane after any Identity Provider configuration change. Please see the Restart a Cluster section of the Solution Manager Administration Guide.
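The following script is an added example for checking the result of the Okta-side configuration above; it is not part of the Agora product or the Okta documentation. It builds the discovery URL from an issuer, then decodes an id_token and access_token pair and reports whether the access_token's sub matches the id_token's sub and whether the email claim is present. The issuer, authorization server ID, user ID and e-mail address are constructed sample values, and the tokens are unsigned test tokens built inline; the script only decodes payloads and does not verify signatures, so it is a configuration check, not a token validator.

```python
"""Sanity-check the Okta claim configuration for Agora (added example).

Decodes the payload of an id_token / access_token pair and confirms:
  * both tokens carry the same ``sub`` (the overridden access_token claim), and
  * the access_token carries the ``email`` claim Agora maps to the user login.

Signatures are NOT verified here. Use this to inspect your own configuration,
never to decide whether to trust a token.
"""
import base64
import json
from urllib.parse import urlsplit


def discovery_url(issuer: str) -> str:
    """Return the OpenID Connect discovery endpoint for an issuer URL."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"issuer must be an https URL: {issuer!r}")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT *without* verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(id_token: str, access_token: str, issuer: str) -> list[str]:
    """Return the problems found; an empty list means the tokens match the
    configuration described on this page."""
    idt, act = jwt_payload(id_token), jwt_payload(access_token)
    problems = []
    for name, claims in (("id_token", idt), ("access_token", act)):
        if claims.get("iss") != issuer:
            problems.append(f"{name}: iss {claims.get('iss')!r} != expected issuer")
    if "sub" not in act:
        problems.append("access_token: missing sub claim")
    elif act["sub"] != idt.get("sub"):
        problems.append(
            f"sub mismatch: id_token={idt.get('sub')!r} access_token={act['sub']!r}"
        )
    if not act.get("email"):
        problems.append("access_token: missing email claim (add it in the Claims tab)")
    return problems


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, UNSIGNED test token (alg none) for the demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed sample data: domain, server ID, user ID and e-mail are assumptions.
ISSUER = "https://example.okta.com/oauth2/aus1234567890abcdef"
USER_ID = "00u1abcdefGHIJKLMNOP"
EMAIL = "jane.doe@example.com"


def demo() -> tuple[str, list[str], list[str]]:
    """Compare a default Okta access_token with one carrying the overrides."""
    id_token = make_unsigned_jwt({"iss": ISSUER, "sub": USER_ID, "email": EMAIL})
    # Default Okta access_token: sub is the app user's username, no email claim.
    default_at = make_unsigned_jwt({"iss": ISSUER, "sub": EMAIL})
    # After the overrides above: sub = user.id, email = user.profile.email.
    fixed_at = make_unsigned_jwt({"iss": ISSUER, "sub": USER_ID, "email": EMAIL})
    return (
        discovery_url(ISSUER),
        check_claims(id_token, default_at, ISSUER),
        check_claims(id_token, fixed_at, ISSUER),
    )


if __name__ == "__main__":
    url, before, after = demo()
    print("discovery endpoint:", url)
    print("before override:", before)
    print("after override:", after)
```

To check a real deployment, fetch the discovery document from the URL returned by discovery_url, confirm its issuer field equals the issuer configured in Agora, and pass tokens from a test login to check_claims; an empty result means the sub override and email claim are in place.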