Info: Performing the steps described in this article requires direct server access. Depending upon how your system is hosted and the level of access you have to that system, coordination may be required with your Partner or WoodWing Support team. For a full overview of the steps that need to be done by WoodWing and how to request them, see WoodWing Cloud - Change management.
Single sign-on (SSO) via Okta is one of the ways of logging in to Studio Server.
This article describes how to implement Okta in Studio Server to act as the identity provider.
Before you start
Before you start, make sure that:
- You have access to Okta and you have sufficient access rights to configure Okta.
- Okta is set up to your needs, for example by setting up additional security rules.
- The Studio Server environment in which Okta is implemented has a fully working Studio Server and fully working client applications.
Notes about setting up users and user groups in Studio Server:
Implementation
The implementation consists of the following steps:
- Setting up Okta
- Configuring Studio Server
- Setting up client applications
- Testing the implementation
1. Setting up Okta
Note: The images and steps in this article are those from the Classic UI. When logged in to Okta with a developer account, the Admin UI is shown which differs in places from the Classic UI. It is advised to switch to the Classic UI to correctly follow the steps.
In Okta, Studio Server needs to be set up as an application and linked to users or user groups.
Step 1. In Okta, navigate to Applications and click Add Application.
Step 2. Click Create New App and set the following options:
- Platform: Native app
- Sign on method: OpenID Connect
Step 3. Click Create.
The Create OpenID Connect Integration screen appears.
Step 4. Set the following options:
- Application name. A descriptive name for the app.
- Login redirect URIs. Enter the <base URL> + /idpcallback.php:
Note: The base URL is the exact URL for Studio Server as shown in the Web browser.
Example: https://my-studio-server.com/Studio Server/idpcallback.php
Step 5. Click Save.
You are returned to the previous screen.
Step 6. In the Client Credentials section, click Edit and do the following:
- Copy the Client ID and client secret to a text file. They are needed later when configuring Studio Server.
- Set the following option:
- Client authentication: 'Use Client Authentication'
Step 7. Click Save.
Step 8. Scroll to the top of the page and click the Sign On tab.
Step 9. In the OpenID Connect ID section, click Edit and do the following:
- Copy the URL from the Issuer field to a text file. It is needed later when configuring Studio Server.
- Set the following option:
- Groups claim filter: Configure the filter to your needs.
Step 10. Click Save.
Step 11. Scroll to the top of the page and click the Assignments tab.
Here, the applications need to be tied to users or user groups.
Step 12. Search for users or groups and assign them to the application.
2. Configuring Studio Server
In Studio Server, a connection to the application in Okta needs to be configured.
Add and configure the following settings in the config_overrule.php file:
define( 'OPENID_ISSUER_URL', '' );
define( 'OPENID_CLIENT_ID', '' );
define( 'OPENID_CLIENT_SECRET', '' );
- OPENID_ISSUER_URL. The main URL of your Okta account. Use the value that was copied in step 9 of setting up Okta.
Example: https://woodwing.okta.com
- OPENID_CLIENT_ID. The client ID as copied in step 6 of setting up Okta.
- OPENID_CLIENT_SECRET. The client secret as copied in step 6 of setting up Okta.
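A consistency check for the values collected above, as an added example (not WoodWing's or Okta's code): it compares the configured issuer with the provider's discovery metadata and derives the redirect URI as described in step 4 of setting up Okta. The function names, sample tenant, server URL and credentials are constructed for illustration; in practice the metadata would be fetched from the URL that discovery_url() returns.

```python
from urllib.parse import urlsplit

def expected_redirect_uri(base_url):
    # The article's rule: <base URL> + /idpcallback.php
    return base_url.rstrip("/") + "/idpcallback.php"

def discovery_url(issuer):
    # OpenID Connect Discovery serves provider metadata below the issuer URL
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_settings(issuer, client_id, client_secret, base_url, registered, metadata):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for name, url in (("OPENID_ISSUER_URL", issuer), ("base URL", base_url)):
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{name} is not an absolute https URL")
        if any(ch.isspace() for ch in url):
            problems.append(f"{name} contains whitespace")
    if not client_id or not client_secret:
        problems.append("client ID or client secret is empty")
    # The issuer in the metadata must equal the configured issuer exactly,
    # so a stray trailing slash counts as a mismatch.
    if metadata.get("issuer") != issuer:
        problems.append("issuer in metadata differs from OPENID_ISSUER_URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(str(metadata.get(key) or "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    # Redirect URIs are compared as exact strings: case, port and slashes count.
    redirect = expected_redirect_uri(base_url)
    if redirect not in registered:
        problems.append("redirect URI is not registered: " + redirect)
    return problems

# Constructed sample values (not a real tenant, server or credential)
ISSUER = "https://example.okta.com"
BASE_URL = "https://studio.example.com/StudioServer"
REGISTERED = ["https://studio.example.com/StudioServer/idpcallback.php"]
METADATA = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
}

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(check_settings(ISSUER, "0oaEXAMPLE", "constructed-secret",
                         BASE_URL, REGISTERED, METADATA))
```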
3. Setting up client applications
Set up the client applications as follows:
- Studio
- License configuration. Studio is available in two types, each with their own license: Studio Print and Studio Multichannel. When logging in using SSO, Studio uses the first license type that is configured in the config.js file. When only one license type is used, make sure that it is listed at the top or listed as the only license. When both license types are used, set up 2 separate instances of Studio, each with their own config.js configuration.
- Studio for InDesign and InCopy
- No additional setup is required.
4. Testing the implementation
Test the implementation by logging in to Studio Server using the various applications:
- The Studio Server Maintenance pages
- Studio
- Studio for InDesign and InCopy
Test both scenarios: one where the user is not yet logged in to Okta and one where the user is already logged in to Okta. Follow the steps on screen.
Mapping SSO users with Studio Server user accounts
Mapping an Okta user with the properties for a user in Studio Server is done through the 'OPENID_FIELD_MAPPING' setting in the config_overrule.php file.
The following Studio Server properties can be mapped:
- Name
- FullName
- EmailAddress
- Language
- TrackChangesColor
- Organization
- Location