Sign in the MCW with Okta

Overview

The Management Console Web is a web-based application provided by Bizagi for customers to manage settings of testing or production environments.

For enhanced security, it is strongly recommended that customers rely on the integrated authentication capabilities of the Management Console Web so that:

Authentication takes place at the customer’s Identity Manager service.

You can rely on role-based configuration at the customer’s Identity Manager service to allow access only to admin profiles.

 

This guide illustrates how to configure your Identity Manager service with the Bizagi Management Console Web, using Okta as the example.

 

What do you need to do?

The following steps integrate the Management Console Web with Okta.

 

1. Register the Management Console Web as an application in Okta

2. Request to Bizagi that integrated authentication is enabled

 

Before you start

Make sure you have an admin account in Okta to perform configuration.

Make sure you have also been provided by Bizagi with the complete URL of your environment’s Management Console Web.

Throughout this document, the URL of the Management Console Web is referred to as [URL_MCW].

 

Procedure

Follow these steps for each of the environments you have (testing, production).

 

1. Register the Management Console Web as an application in Okta

1.1 Log in to the Okta Admin console with an administrator account.

Select Applications in the group with the same name.

Click Add Application.

 

1.2 Click Create New App and enter the following information:

Platform: Web

Sign on method: OpenID Connect

 

Click Create.

 

1.3 Enter the following information in the Create OpenID Connect Integration dialog:

Application name: Give your application a meaningful name.

Application logo: Set the logo to display on the login page.

Login redirect URIs: Use [URL_MCW]/public/api/auth/oauth/callback

Logout redirect URIs: Use [URL_MCW]/postLogout.html

 

Click Save.

 

1.4 Click the recently created Application to edit it.

 

In the General tab, check the Refresh Token option.

 

Click Save.

 

1.5 Scroll down to the Client Credentials section and copy both the Client ID and the Client secret, using the Copy to clipboard option next to each field. Both values are inputs for our support team to enable authentication with Okta.

 

1.6 Go to the Sign On tab, locate the OpenID Connect ID Token section and copy the Issuer URL.

This value is also required by our support team.

 

1.7 Go to the Assignments tab and click Assign to People in the Assign drop-down.

 

Search for the users to assign to this application and click Assign.

 

If required, fill in the data related to the user and click Save and Go Back.

 

Repeat this step for each user you want to assign. When finished, click Done.

 

1.8 Add the attribute that grants the role of an MCW administrator.

This attribute is required in later steps, when integrated authentication with the Management Console Web is activated.

 

Select Profile Editor in the Directory menu.

 

Select the profile for your application and click Profile.

 

Click Add Attribute.

 

Enter the following values for the new attribute.

Data type: string

Display name: your choice.

Variable name: your choice.

Attribute required: true

 

Click Save.

 

1.9 Set the role name for the users who have access to the Management Console Web.

Select People in the Directory menu.

 

Find the user and click their name.

 

Click the pen icon to edit the Application Assignment of the given user.

 

In the attribute created earlier, set the role name to assign to the users who have access to the Management Console Web.

 

Click Save.

 

At this point, you have configured access to the Management Console so that it is integrated with Okta and allows only the explicitly defined roles.

 

2. Request that integrated authentication is enabled

Request that Bizagi enable integrated authentication for the Management Console.

Make sure that the request provides the following inputs:

Client ID and Client secret copied in step 1.5.

Issuer of the OpenID Connect ID Token obtained in step 1.6.

Variable name of the custom attribute created in step 1.8 to validate MCW administrators (specified as the Claim name).

Value of that attribute, set in step 1.9 to validate MCW administrators (specified as the Claim value).
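The following Python example is added here and is not part of the Bizagi documentation or product; the page does not describe how the Management Console Web implements its checks. It shows the claim-level checks that turn the four inputs handed over in step 2 (Issuer URL, Client ID, Claim name, Claim value) into an admin decision on an OpenID Connect ID token: a user who is assigned to the Okta application (step 1.7) but lacks the role value (step 1.9) signs in at Okta yet is denied. The issuer, client ID, claim name, claim value and sample token payloads are constructed placeholders, and the code assumes the token's signature has already been verified against the issuer's published signing keys by the OIDC client library.

```python
import time

# Constructed placeholders standing in for the inputs handed to Bizagi support
# in step 2 (not real Okta values).
OKTA_ISSUER = "https://example.okta.com/oauth2/default"  # Issuer URL copied in step 1.6
CLIENT_ID = "0oaEXAMPLECLIENTID"                         # Client ID copied in step 1.5
ROLE_CLAIM_NAME = "mcw_role"    # variable name of the custom attribute from step 1.8 (Claim name)
ROLE_CLAIM_VALUE = "MCW_ADMIN"  # role name assigned per user in step 1.9 (Claim value)


def validate_id_token_claims(claims, now=None, expected_nonce=None):
    """Decide whether the holder of an ID token may act as an MCW administrator.

    Returns an (allowed, reason) tuple. Assumes the token's signature was already
    verified against the issuer's published signing keys by the OIDC client
    library; only the claim-level checks are shown here.
    """
    now = time.time() if now is None else now

    # iss must be exactly the Issuer URL registered with Bizagi; a token from any
    # other authorization server is rejected even if its signature is valid.
    if claims.get("iss") != OKTA_ISSUER:
        return False, "issuer mismatch"

    # aud is a string or a list; the MCW's own Client ID must be among the audiences,
    # otherwise a token minted for a different Okta application would be accepted.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        return False, "audience mismatch"

    # exp is a Unix timestamp; a missing or past expiry rejects the token.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"

    # When the login request carried a nonce, the token must echo it back,
    # which binds the token to this particular login attempt.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"

    # Authorization: the custom attribute must be present as a claim and carry the
    # role value provided to Bizagi. Being assigned to the app is not enough.
    if claims.get(ROLE_CLAIM_NAME) != ROLE_CLAIM_VALUE:
        return False, "role claim missing or not an MCW administrator"

    return True, "ok"


def sample_claims(now, **overrides):
    """Constructed ID token payload for an assigned user holding the admin role."""
    claims = {
        "iss": OKTA_ISSUER,
        "aud": CLIENT_ID,
        "sub": "00uEXAMPLEUSER",
        "exp": now + 300,
        "iat": now,
        "nonce": "login-attempt-1",
        ROLE_CLAIM_NAME: ROLE_CLAIM_VALUE,
    }
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    now = int(time.time())
    cases = {
        "admin": sample_claims(now),
        "assigned user without role": {
            k: v for k, v in sample_claims(now).items() if k != ROLE_CLAIM_NAME
        },
        "wrong issuer": sample_claims(now, iss="https://other.okta.com/oauth2/default"),
        "expired": sample_claims(now, exp=now - 1),
    }
    for label, c in cases.items():
        result = validate_id_token_claims(c, now=now, expected_nonce="login-attempt-1")
        print(f"{label:28s} -> {result}")
```

The order of the checks matters: issuer, audience and expiry establish that the token was minted by the configured Okta tenant for this application and is still fresh; only then is the role claim consulted, so the Claim name and Claim value given to Bizagi act as the authorization gate on top of Okta's authentication.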

 

Testing access to the Management Console

Once Bizagi notifies you that integrated authentication has been enabled, test access.

You should see that the login page presents a different look and feel (it redirects to an Okta initial screen).

 

After verifying a successful login, notice as well that the logout screen also presents (redirects to) an Okta screen.

 
