Create an Okta app
Okta
appYour
Okta
instance must have a connection to Microsoft Active
Directory
, and your users must be imported into Okta
. For instructions see, ad-agent-main.htm- Log in to theOktaadministration console.
- Create a security token.
- ClickSecurity>API>Tokens.
- ClickCreate Token.
- Copy the token.
- Generate JWKS keys.
- Go to https://mkjwk.org.
- Click theECtab.
- In theCurvedrop-down list, selectP-521.
- In theAlgorithmdrop-down list, selectES512: ECDSA using P-521 and SHA-512.
- In theKey IDdrop-down list, selectSHA-256.
- Copy the Public and Private Keypair, Keypair Set, and Public Key.In the Public and Private Keypair Set, you must remove the"d":attribute because it is a private key.
- In a command prompt, use a CURL request to register an OIDC app withOktaand update the following fields in the JSON. Creating this type of app is not currently supported in theOktaconsole.
- Verify that the Authorization SSWS value is the token that you created in step 2.
- Replace the jwks keys with the keys from step 3.
- Verify that the "d;" attribute has been removed.
Your entry should be similar to the following.curl --request POST 'https://<oktaDomain>.okta.com/api/v1/apps/' \ --header 'Authorization: SSWS <token>' \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "oidc_client", "label": "BlackBerry Enterprise ID Client", "signOnMode": "OPENID_CONNECT", "credentials": { "oauthClient": { "token_endpoint_auth_method": "private_key_jwt" } }, "settings": { "oauthClient": { "redirect_uris": [ "https://idp.blackberry.com/idp/externalIdpCb" ], "response_types": [ "code" ], "grant_types": [ "authorization_code" ], "application_type": "native", "jwks": { "keys": [ { "kty": "EC", "crv": "P-521", "kid": "OJE1cjnUBHGXHtOiHc64gSO1xxNzhoe9sRorb2CCKgU", "x": "AV4Ljfyl2eCoP1oyO_U3047BTprKxuwlUm57p7FsQJFMtW 1Xks7j8IQe4H0S8tNpd21Q_2NcKiJg5gjWKs0H3Oh6", "y": "AIWYPJ-c1UWEWQXO4Zkl3TKCPxCiAqv7ju_vJsO0Jye7zC 1SzqAFbfIzCRRq_MJJJfmw2ZbfgtvHmG28avR1O287", "alg": "ES512" } ] } } } }' - View your app in theOktaconsole and copy theClient ID.
- Assign the app to users. For instructions, see lcm-user-app-assign.htm.
- To set upOktaID claims, go toSecurity>API>Authorization serverand select your authorization server.
- On theClaimstab, clickAdd claimsand add a claim with the following values:
- Name: object_guid
- Include in token type: ID Token, Always
- Value type: Expression
- Value: findDirectoryUser().externalId
- ClickCreate.