Configuring Okta as an Identity Provider in Nirmata

Step-by-step guide to configure Okta as an Identity Provider using OpenID Connect

Prerequisites

  • Administrative access to your Okta organization account or Okta App Integration
  • Administrative access to Nirmata account

Configuration Steps

1. Create a New Application in Okta

  1. Log in to your Okta Admin Console.
  2. In the left sidebar, navigate to Applications > Applications.
  3. Click Create Application Integration.
  4. Select OIDC.
  5. Choose Web Application as the platform.
  6. Click Create.

2. Configure Application Settings

  1. In the application settings, fill in the following:
    • App integration name: (e.g., Nirmata app)
    • Application type: Web
    • Grant type configuration:
      • Under Grant type:
        • Check Client Credentials (under “Client acting on behalf of itself”).
        • Under Core grants, check Authorization Code. (Leave Refresh Token unchecked unless your use case requires it.)
        • Expand Advanced:
          • Leave all Okta direct auth API grants (OTP, OOB, MFA OTP, MFA OOB) unchecked.
          • Under Other grants, check Implicit (hybrid).
            • Check both Allow ID Token with implicit grant type and Allow Access Token with implicit grant type.
    • Login redirect URIs:
      • Sign-in redirect URIs: https://<nirmata-domain>/security/api/oidc/callback/
      • Sign-out redirect URIs: https://<nirmata-domain>/security/api/oidc/logout/

Click Save.

Navigate back to the application you just created and complete the following configuration:

  • Proof Key for Code Exchange (PKCE): Uncheck (Require PKCE as additional verification)
  • Copy the Client ID and Client secret to configure in Nirmata

3. Navigate to Nirmata to Configure Okta OIDC

In Nirmata, go to the OIDC settings by navigating to Identity and Access > OIDC and enter the following details (taken from your Okta app):

  • Name:
    Enter a descriptive name for this OIDC configuration (e.g., okta).

  • Client ID:
    Copy the Client ID from your Okta application.

  • Secret:
    Copy the Client Secret from your Okta application.

  • Discovery URI:
    Use the full OpenID Connect discovery endpoint from Okta, e.g.:
    https://<okta-domain>/oauth2/default/.well-known/openid-configuration

  • Scopes:
    Enter: openid email profile

  • Groups Attribute Name:
    Leave blank unless you are mapping groups.

  • JWS Algorithm:
    Select or enter: RS256

After entering these values, click Save in Nirmata.

Note:

  • Ensure that the redirect URIs in Okta match those configured in Nirmata.
  • If you encounter errors, double-check that all values (especially Discovery URI and Client Secret) are correct and up to date.
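The redirect URI check in the note above can be scripted. The following is example code added to this guide (it is not part of Nirmata or Okta) that builds the two URIs Nirmata expects for a given domain and compares them with the sign-in and sign-out URIs registered in the Okta app. The comparison is deliberately an exact string match, because that is how OIDC providers match redirect URIs: a missing trailing slash, an `http://` scheme or a wildcard is a mismatch, not a near enough match. The domain and URIs in the sample run are constructed values.

```python
"""Check that the redirect URIs registered in the Okta app match the ones
Nirmata uses. Example code added to this guide, not Nirmata's or Okta's own.
Redirect URIs are compared by exact string match, as OIDC providers do."""
from urllib.parse import urlsplit

# Paths Nirmata uses for the OIDC callback and logout (from this guide).
CALLBACK_PATH = "/security/api/oidc/callback/"
LOGOUT_PATH = "/security/api/oidc/logout/"


def expected_redirect_uris(nirmata_domain: str) -> dict:
    """Return the sign-in and sign-out redirect URIs for a Nirmata domain."""
    base = f"https://{nirmata_domain}"
    return {"sign-in": base + CALLBACK_PATH, "sign-out": base + LOGOUT_PATH}


def check_redirect_uris(nirmata_domain, okta_sign_in_uris, okta_sign_out_uris):
    """Compare the URIs registered in Okta with the expected ones.

    Returns a list of problem descriptions; an empty list means the two
    sides agree and nothing weaker than https or an exact path is registered.
    """
    expected = expected_redirect_uris(nirmata_domain)
    problems = []
    if expected["sign-in"] not in okta_sign_in_uris:
        problems.append(f"sign-in redirect URI missing: {expected['sign-in']}")
    if expected["sign-out"] not in okta_sign_out_uris:
        problems.append(f"sign-out redirect URI missing: {expected['sign-out']}")
    for uri in list(okta_sign_in_uris) + list(okta_sign_out_uris):
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append(f"non-https redirect URI registered: {uri}")
        if "*" in uri:
            problems.append(f"wildcard in redirect URI: {uri}")
        # Flag the most common near miss explicitly: same URI, trailing slash dropped.
        for name, exp in expected.items():
            if uri != exp and uri.rstrip("/") == exp.rstrip("/"):
                problems.append(f"{name} URI differs only by trailing slash: {uri}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the sign-in URI lacks its trailing slash and the
    # sign-out URI was registered over plain http.
    sample_sign_in = ["https://nirmata.example.com/security/api/oidc/callback"]
    sample_sign_out = ["http://nirmata.example.com/security/api/oidc/logout/"]
    for problem in check_redirect_uris("nirmata.example.com", sample_sign_in, sample_sign_out):
        print("PROBLEM:", problem)
```

Run it with the domain of your Nirmata instance and the URIs copied from the Okta app's General settings; an empty result means the two sides agree.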

Troubleshooting

Error: idx.error.code.no_matching_policy (Seen in Okta Admin Console)

  • Message: “You are not allowed to access this app. To request access, contact an admin.”
  • Solution:
    • In the Okta Admin Console, navigate to Security > API > Authorization Servers.
    • Select your authorization server (e.g., “default”).
    • Go to the Access Policies tab.
    • Click Add New Access Policy or edit an existing one.
    • Add a rule with the following settings:
      • Grant type: Enable Authorization Code and any other required grants.
      • User is: Any user assigned the app (or as per your requirements).
      • Scopes requested: Any scopes (or specify as needed).
      • Access token lifetime: Set as required (e.g., 1 hour).
      • Refresh token lifetime: Set as required (e.g., 90 days).
    • Save the rule.

Error: PKCE Code Verifier Required (Seen in Nirmata UI)

  • Message: “Sign in failed (400 - OIDC error: Bad token response, error=invalid_request, description=PKCE code verifier is required by the application.)”
  • Solution: In the Okta app’s General settings, uncheck Require PKCE as additional verification under Proof Key for Code Exchange (PKCE).

Error: No JWS Algorithm Supported (Seen in Nirmata UI)

  • Message: “Sign in failed (400 - OIDC error: There must at least one JWS algorithm supported on the OpenID Connect provider side).”
  • Solution: In your application’s OIDC configuration, use the full OpenID Connect Discovery URI from Okta, ending in /.well-known/openid-configuration, rather than only the authorization server’s base URL. Example: https://admin-nirmata.okta.com/oauth2/default/.well-known/openid-configuration.
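Both the Discovery URI step in the Nirmata configuration and the "No JWS Algorithm Supported" error above come down to what the discovery document actually advertises. The following example code, added to this guide and not part of Nirmata or Okta, validates a discovery URI and its document before the values are entered in Nirmata: it checks that the URI is the full .well-known endpoint, that the document carries the endpoints an authorization-code client needs, that the `issuer` equals the URI minus the .well-known suffix (the check OpenID Connect Discovery requires, which guards against a document served from the wrong server), that the JWS algorithm chosen in Nirmata (RS256) is one the provider signs ID tokens with, and that the `openid email profile` scopes are supported. The embedded document and hostname are constructed for illustration; `fetch_discovery` is a hypothetical helper for pulling the real document over the network.

```python
"""Validate an OpenID Connect discovery document before configuring Nirmata.
Example code added to this guide, not Nirmata's or Okta's own."""
import json
from urllib.request import urlopen

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
# Fields an authorization-code client needs to find and verify ID tokens.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "id_token_signing_alg_values_supported",
)
REQUIRED_SCOPES = ("openid", "email", "profile")  # scopes entered in Nirmata


def fetch_discovery(discovery_uri: str, timeout: float = 10.0) -> dict:
    """Download and parse a discovery document (hypothetical helper; needs network)."""
    with urlopen(discovery_uri, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(discovery_uri: str, doc: dict, jws_algorithm: str = "RS256") -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    if discovery_uri.endswith(WELL_KNOWN_SUFFIX):
        # Discovery requires issuer == the URL the document was fetched from,
        # minus the .well-known suffix.
        expected_issuer = discovery_uri[: -len(WELL_KNOWN_SUFFIX)]
        if doc.get("issuer") != expected_issuer:
            problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    else:
        problems.append("Discovery URI is not the full .well-known endpoint: " + discovery_uri)
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"discovery document lacks '{field}'")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if jws_algorithm not in algs:
        problems.append(f"provider does not sign ID tokens with {jws_algorithm}; supported: {algs}")
    if "none" in algs:
        problems.append("provider advertises the 'none' algorithm; unsigned tokens must be rejected")
    missing = [s for s in REQUIRED_SCOPES if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append(f"scopes not supported by provider: {missing}")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not advertised by provider")
    return problems


# Constructed sample document for an Okta 'default' authorization server.
SAMPLE_DISCOVERY_URI = "https://example.okta.com/oauth2/default" + WELL_KNOWN_SUFFIX
SAMPLE_DOC = {
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
}

if __name__ == "__main__":
    # Offline run over the constructed sample; for a real check use
    # check_discovery(uri, fetch_discovery(uri)) with your Okta discovery URI.
    for problem in check_discovery(SAMPLE_DISCOVERY_URI, SAMPLE_DOC):
        print("PROBLEM:", problem)
    # Same document reached through the bare authorization-server URL: the
    # Discovery URI check fails, which is the condition behind the JWS error.
    for problem in check_discovery("https://example.okta.com/oauth2/default", SAMPLE_DOC):
        print("PROBLEM:", problem)
```

If the algorithm check fails, the fix is on the Nirmata side (select an algorithm the provider lists) or on the Okta authorization server; if the issuer check fails, the Discovery URI points at a different authorization server than the one that served the document, and the URI should be corrected before anything else.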