Okta is one of the ways in which single sign-on (SSO) can be used for logging in to Assets Server.
This article describes how to implement Okta in Assets Server.
Note: The images and steps in this article are those from the Classic UI. When logged in to Okta with a developer account, the Admin UI is shown, which differs in places from the Classic UI. It is advised to switch to the Classic UI to follow the steps correctly.
Before you start
Before you start, make sure that:
- The Assets Server environment in which Okta is implemented has a fully working Assets Server and fully working client applications.
Notes about setting up users and user groups in Assets Server:
- When using SAML and/or LDAP, disable it.
- You have access to Okta and you have sufficient access rights to configure Okta.
- Okta is set up to your needs, for example by setting up additional security rules.
The implementation consists of the following steps:
- Setting up Okta
- Configuring Assets Server
- Testing the implementation
1. Setting up Okta
In Okta, Assets Server needs to be set up as an application and linked to users or user groups.
Step 1. In Okta, navigate to Applications and click Add Application.
Step 2. Click Create New App and set the following options:
- Platform: Native app
- Sign on method: OpenID Connect
Step 3. Click Create and set the following options:
- Application name. A descriptive name for the app.
- Login redirect URIs. Enter the <base URL> + /openid/callback:
Note: The base URL is the exact URL for Assets Server as shown in the Web browser.
Step 4. Click Save.
You are returned to the previous screen.
Step 5. In the Client Credentials section, click Edit and set the following option:
- Client authentication: 'Use Client Authentication'
Step 6. Click Save.
Step 7. Copy the Client secret and paste it in a text file. It is needed later when configuring Assets Server.
Step 8. Scroll to the top of the page and click the Sign On tab.
Step 9. In the OpenID Connect ID section, click Edit and set the following option:
- Groups claim filter: Configure the filter to your needs.
Step 10. Click Save.
Step 11. Scroll to the top of the page and click the Assignments tab.
Here, the application needs to be tied to users or user groups.
Step 12. Search for users or groups and assign them to the application.
2. Configuring Assets Server
In Assets Server, a connection to the Assets Server application in Okta needs to be configured, and users who are not part of a group should be prevented from logging in.
Step 1. In the Management Console, access the Single sign-on page.
Step 2. Select Okta as the provider and fill in all fields.
Step 3. While still in the Management Console, access the Server configuration > Cluster properties page, search for the following option and set it to true:
Note: Setting this option to true prevents users who are not part of a group from logging in. When this option is set to false, such users are able to log in, which results in a blank page being shown and a license being taken up.
3. Testing the implementation
Test the implementation by logging in to Assets Server using the various applications:
- The Brand portal
- The Management Console
- Assets for InDesign
Test both the scenario where the user is not yet logged in to Okta and the scenario where the user is already logged in to Okta. Follow the steps on screen.
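A pre-flight check that complements these tests, as an added example that is not part of the original article or of the product: it builds the Login redirect URI from the base URL (<base URL> + /openid/callback) and inspects a decoded ID token for a non-empty groups claim. The host name, the sample token and the claim name `groups` are assumptions; use the claim name that your Groups claim filter is configured with.

```python
import base64
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/openid/callback"  # from the article: <base URL> + /openid/callback

def redirect_uri(base_url: str) -> str:
    """Build the Login redirect URI from the Assets Server base URL."""
    parts = urlsplit(base_url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute URL: {base_url!r}")
    if parts.query or parts.fragment:
        raise ValueError("base URL must not carry a query string or fragment")
    # Drop trailing slashes so the result never contains '//openid/callback'.
    return f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}{CALLBACK_PATH}"

def jwt_claims(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    # Restore the base64url padding that JWTs strip.
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_setup(base_url, registered_uris, id_token, groups_claim="groups"):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    expected = redirect_uri(base_url)
    if expected not in registered_uris:  # compared as exact strings
        problems.append(f"redirect URI {expected} is not registered in Okta")
    if urlsplit(expected).scheme != "https":
        problems.append("redirect URI is not HTTPS")
    groups = jwt_claims(id_token).get(groups_claim)  # claim name is an assumption
    if not isinstance(groups, list) or not groups:
        problems.append(f"ID token has no non-empty '{groups_claim}' claim")
    return problems

def sample_token(claims: dict) -> str:
    """Constructed, unsigned token (sample data for this example only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"

if __name__ == "__main__":
    token = sample_token({"sub": "user@example.com", "groups": []})  # group-less user
    registered = ["https://assets.example.com/openid/callback"]  # as entered in Okta
    for problem in check_setup("https://assets.example.com/", registered, token):
        print("PROBLEM:", problem)
```

The token decoding here is for inspecting a test login only; it does not validate the token's signature.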