
Create an Okta app

Your Okta instance must have a connection to Microsoft Active Directory, and your users must be imported into Okta. For instructions, see ad-agent-main.htm.
  1. Log in to the Okta administration console.
  2. Create a security token.
    1. Click Security > API > Tokens.
    2. Click Create Token.
    3. Copy the token.
  3. Generate JWKS keys.
    1. Click the EC tab.
    2. In the Curve drop-down list, select P-521.
    3. In the Algorithm drop-down list, select ES512: ECDSA using P-521 and SHA-512.
    4. In the Key ID drop-down list, select SHA-256.
    5. Copy the Public and Private Keypair, Keypair Set, and Public Key.
      In the Public and Private Keypair Set, you must remove the "d" attribute: it holds the private key, and only the public members of the key may be registered with Okta.
  4. In a command prompt, use a curl request to register an OIDC app with Okta and update the following fields in the JSON. Creating this type of app is not currently supported in the Okta console.
    • Verify that the Authorization SSWS value is the token that you created in step 2.
    • Replace the jwks keys with the keys from step 3.
    • Verify that the "d" attribute has been removed.
    Your entry should be similar to the following. <oktaDomain> and <token> are placeholders; in the key, "crv" names the curve and "alg" names the signing algorithm.
    curl --request POST 'https://<oktaDomain>.okta.com/api/v1/apps/' \
      --header 'Authorization: SSWS <token>' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "name": "oidc_client",
        "label": "BlackBerry Enterprise ID Client",
        "signOnMode": "OPENID_CONNECT",
        "credentials": {
          "oauthClient": {
            "token_endpoint_auth_method": "private_key_jwt"
          }
        },
        "settings": {
          "oauthClient": {
            "redirect_uris": [ "https://idp.blackberry.com/idp/externalIdpCb" ],
            "response_types": [ "code" ],
            "grant_types": [ "authorization_code" ],
            "application_type": "native",
            "jwks": {
              "keys": [
                {
                  "kty": "EC",
                  "crv": "P-521",
                  "kid": "OJE1cjnUBHGXHtOiHc64gSO1xxNzhoe9sRorb2CCKgU",
                  "x": "AV4Ljfyl2eCoP1oyO_U3047BTprKxuwlUm57p7FsQJFMtW1Xks7j8IQe4H0S8tNpd21Q_2NcKiJg5gjWKs0H3Oh6",
                  "y": "AIWYPJ-c1UWEWQXO4Zkl3TKCPxCiAqv7ju_vJsO0Jye7zC1SzqAFbfIzCRRq_MJJJfmw2ZbfgtvHmG28avR1O287",
                  "alg": "ES512"
                }
              ]
            }
          }
        }
      }'
    For information about the JSON specification, see .
  5. View your app in the Okta console and copy the Client ID.
  6. Assign the app to users. For instructions, see lcm-user-app-assign.htm.
  7. To set up Okta ID claims, go to Security > API > Authorization server and select your authorization server.
  8. On the Claims tab, click Add claims and add a claim with the following values:
    1. Name: object_guid
    2. Include in token type: ID Token, Always
    3. Value type: Expression
    4. Value: findDirectoryUser().externalId
  9. Click Create.