1.1 Introduction
Using Okta as an Identity Provider (login mechanism and source of users and groups).
Feature | Supported |
User Login using Okta | |
Synchronization of Users & Groups into empower® | |
Ad-hoc provisioning of Users & Groups without Sync | |
Synchronization of Additional Attributes (for empower® Docs/empower® Mails) | |
1.2 Configuration
Setting up Okta
For integrating Okta with empower® and synchronizing users and groups, two applications need to be configured in Okta. The application empower will be used to log in users. It will be a standard OpenID Connect web application. The application empower Directory Sync will be used to synchronize users and groups into the empower® Database.
Using the PowerShell Script File
While these applications can be set up manually, we recommend using the provided PowerShell file (register_empower_in_okta.ps1). In particular, the Directory Sync application cannot be fully set up using the Web UI, because a JSON Web Key Set needs to be generated. Furthermore, the PowerShell script generates a settings file which can then be imported into the empower® Backend Installer to automatically configure the Backend for use with Okta.

Because the PowerShell script needs to create the two applications, it needs the permissions in Okta to do so. This is only possible using an Okta API key created from an account with sufficient permissions to create and modify applications. The API key is used by the script only for setting up the applications. It is not stored and can be deleted immediately afterwards. The script file can of course be inspected to validate that no operations other than the ones described below are performed.

To create a token, select Security -> API in the Okta admin UI. Then switch to the Tokens tab and click Create Token.
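The following snippet is an added illustration of the JSON Web Key Set step mentioned above; it is not the register_empower_in_okta.ps1 script and does not show how that script registers the key with Okta. It assumes PowerShell 7 (for ExportPkcs8PrivateKey) and uses file names chosen here for illustration. The public key is written as a JWKS document, and the private key stays on the machine that will sign the client authentication tokens.

```powershell
# Added example: generate an RSA key pair and emit the public half as a JWKS.
# Assumes PowerShell 7 / .NET 5+; file names below are illustrative.

function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    # JWK fields use base64url without padding (RFC 7515 Appendix C)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

$rsa = [System.Security.Cryptography.RSA]::Create(2048)

# Public parameters only: modulus and exponent are all the JWKS needs
$pub = $rsa.ExportParameters($false)
$kid = [guid]::NewGuid().ToString()

$jwk = [ordered]@{
    kty = 'RSA'
    use = 'sig'
    alg = 'RS256'
    kid = $kid
    n   = ConvertTo-Base64Url $pub.Modulus
    e   = ConvertTo-Base64Url $pub.Exponent
}
$jwks = [ordered]@{ keys = @($jwk) }
$jwks | ConvertTo-Json -Depth 5 | Set-Content -Path '.\empower_directory_sync_jwks.json'

# Private key: PKCS#8 PEM, kept locally, never uploaded to Okta
$der = $rsa.ExportPkcs8PrivateKey()
$b64 = [Convert]::ToBase64String($der, 'InsertLineBreaks')
$pem = "-----BEGIN PRIVATE KEY-----`n$b64`n-----END PRIVATE KEY-----"
$pemPath = '.\empower_directory_sync_private.pem'
$pem | Set-Content -Path $pemPath

# Restrict the private key file to the current user (drop inherited ACEs)
icacls $pemPath /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null

$rsa.Dispose()
Write-Host "JWKS written with kid=$kid; private key stored in $pemPath"
```

Rotating the key later means generating a new pair with a fresh kid, adding the new public key to the JWKS registered in Okta, switching the signer to the new private key, and only then removing the old entry.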
1.3 Installer Guide
- Unpack the Okta Registrator.
- Start PowerShell in the unpacked folder.
- Execute the script register_empower_in_okta.ps1.
- Specify the Okta Domain, which can be found in the profile in Okta at the top right, and paste it into PowerShell.
- Provide the API Token, which may need to be created in Okta under Security -> API -> Tokens; copy and paste it into PowerShell for confirmation.
- If groups should be synced, confirm with Y in PowerShell and specify the public hostname, which can be found on the Backend Server in the file %ProgramData%\empower\backend\empower\root\ShareSettings.json under the PublicEndpointHost section. If no groups should be synced, confirm with N in PowerShell. In this case, only the users defined in Okta for the application will be synced. Users are defined in Okta as follows: Directory -> People -> select the person that should be added to the application -> assign the application to the person.
- The empower_okta_configuration file is generated in the execution folder.
- Make sure that the Read-only Administrator role is granted to the empower Directory Sync app.
- Next, start the empower® Backend Installer provided by our support by double-clicking BackendSetup.exe on the empower® Backend, and select Okta as the directory.
- For the Import button, select the empower_okta_configuration file from the execution folder so that all fields are filled.
- To finish, simply click through the Backend Installer using Next.
- Make sure you securely store the file empower_okta_configuration and also send the file to the empower® support.
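As an added post-registration check (not part of the Okta Registrator or the Backend Installer), the snippet below reads the public hostname the guide refers to and confirms that the two applications the script is supposed to create, and nothing else matching "empower", exist in the Okta tenant. It assumes PowerShell 5.1 or later on the Backend Server, that PublicEndpointHost is a string value in ShareSettings.json, and an Okta API token that can read applications; the application labels are taken from this page.

```powershell
# Added example: verify the registration result before revoking the API token.
# Assumes PowerShell 5.1+ and an Okta API token with read access to apps.

$settingsPath = Join-Path $env:ProgramData 'empower\backend\empower\root\ShareSettings.json'
$settings     = Get-Content -Raw -Path $settingsPath | ConvertFrom-Json
$publicHost   = $settings.PublicEndpointHost   # assumed to be a plain string
if ([string]::IsNullOrWhiteSpace("$publicHost")) {
    throw "PublicEndpointHost is empty in $settingsPath; group sync needs a public hostname."
}
Write-Host "Public hostname used for group sync: $publicHost"

$oktaDomain  = Read-Host 'Okta domain (e.g. yourtenant.okta.com)'
$secureToken = Read-Host 'Okta API token' -AsSecureString
$token       = [System.Net.NetworkCredential]::new('', $secureToken).Password

# Okta Apps API: q= matches on app name/label prefix; SSWS is the API-token scheme
$headers = @{ Authorization = "SSWS $token"; Accept = 'application/json' }
$apps    = Invoke-RestMethod -Uri "https://$oktaDomain/api/v1/apps?q=empower" -Headers $headers

$expected = @('empower', 'empower Directory Sync')   # labels from the guide
foreach ($label in $expected) {
    $app = $apps | Where-Object { $_.label -eq $label }
    if (-not $app) {
        Write-Warning "Application '$label' was not found; the registration did not complete."
        continue
    }
    Write-Host ("{0}: id={1} status={2} signOnMode={3}" -f
        $app.label, $app.id, $app.status, $app.signOnMode)
    if ($app.signOnMode -ne 'OPENID_CONNECT') {
        Write-Warning "'$label' is not an OpenID Connect application (signOnMode=$($app.signOnMode))."
    }
}

# Anything else returned by the search deserves a look before the token is revoked
$apps | Where-Object { $_.label -notin $expected } | ForEach-Object {
    Write-Warning "Unexpected application matching 'empower': $($_.label) ($($_.id))"
}

# Drop the plaintext token from the session; revoke it in Security -> API -> Tokens
$token = $null
```

The same check is useful after any later change to the two applications: re-running it shows whether an application was deactivated, renamed, or duplicated since the initial setup.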