Single Sign-On Configuration with Okta

Warning: These procedures should be completed by senior network administrators only. Completing it successfully requires knowledge of and access to Azure Active Directory for your environments.

Before configuring the Single Sign-On feature in Broadsign Ayuda, you must properly set up the Okta authorization service.

To configure Okta:

  1. Sign up in https://developer.okta.com/signup/.

    2. Note: The user name (Email) you create in Okta should be the same as the user name created in Splash.

    An email including the user name and a temporary password will be sent.

  2. Click Activate My Account in your email and use the authentication information to log in.
  3. Once logged in, access the Applications tab and click the Add Application button.
  4. In the next page, select Web .Net, Java… and click Next.

    5. This opens the Application Settings page.

  5. Enter the following information:
    • Name
    • Login redirect URIs
    • Logout redirect URIs

      • Use the same URIs from the following example and replace the domain name.

  6. Click Done.

    7. Client Credentials are generated, which will be used in Web App’s Okta configuration:

    Note: There should be just one active application at a time, so you might need multiple Okta accounts for more than one instance.

Once the Okta authorization service has been configured, you must configure and enable the Single Sign-On feature in Broadsign Ayuda.

To configure Broadsign Ayuda Admin:

  1. Log into Splash with administrator rights.
  2. Select Admin, then Authentication, and SSO.

    3. If the SSO tab is not available, you can also use the following URL:

    {DomainName}/config#/

    For example: https://okta.ayudalabs.com/config#/.

  3. Click Okta.
  4. Enter the following information:

    5. Parameter Description
    Base URL

    Copy the domain from your Okta page’s address bar and insert it in Base URL.

    It normally looks like: dev-{number}.okta.com.
    Splash/Juice Application

    Enable SSO for Splash/Juice.

    Use the Client ID and Client Secret in Step 6 of Configure Okta for the following:

    • The Client ID is given by Okta to the registered Splash/Juice app.
    • Randomly-generated value of the key created in Okta for Splash/Juice.
    Alto Application

    Enable SSO for Alto.

    Use the same Client ID and Client Secret in Step 6 of Configure Okta.

  5. Click Save Changes.

    6. If everything is configured properly, the configuration is saved without any error.

    You can then open Splash and log in Okta. You will be automatically be redirected to Splash.

    Note: For some specific situations like just after creating a new instance or restarting Web apps in Mamba/Azure portal, saving the Okta configuration might return an error only for the first attempt and will save it in the next attempts.

    Each time changes in configuration page is saved, make sure that the new AppSetting values are applied to the specific instance. You might need to restart the related Web Apps in Azure to apply the new AppSetting values.

See Also: