Okta configuration

To use Okta as your Fabricate single sign-on (SSO) provider, you first complete the following configuration in Okta.

Create the app integration

In the Okta Admin Console:

  1. Go to Applications -> Applications.

  2. Click Create App Integration.

  3. Choose OIDC - OpenID Connect.

  4. Choose Web Application.

  5. Click Next.

Configure the app integration as follows:

  • App integration name: Fabricate SSO

  • Grant type: Authorization Code

  • Sign-out redirect URIs:

    • https://fabricate.tonic.ai/

  • Assignments: Assign the users or groups that should be able to sign in to Fabricate.

Fabricate uses the server-side authorization code flow, so the integration must be a Web Application: that application type issues a client secret, which Fabricate presents to the Okta token endpoint. Do not configure the app as a SPA or a native application; those are public clients with no client secret, and the Fabricate SSO configuration requires one.

Copy Okta values to use in Fabricate

Issuer URL

The Fabricate SSO configuration includes the Okta OIDC issuer URL.

The issuer determines which Okta authorization server issues the tokens that Fabricate receives, and a groups claim belongs to exactly one authorization server. Use the issuer of the server on which you configure the groups claim. If Fabricate is configured with the organization authorization server's issuer but the groups claim is configured on a custom authorization server (or the reverse), the tokens that Fabricate receives never carry the claim.

Okta organization authorization server

For the Okta org authorization server, the issuer is your Okta domain with no path, in the form https://<your Okta domain>.

For example, if your Okta domain is company.okta.com, the issuer is https://company.okta.com.

Custom authorization server

For an Okta custom authorization server, the issuer includes the authorization server ID, in the form https://<your Okta domain>/oauth2/<authorization server ID>.

For example, Okta's default custom authorization server has the ID default, so its issuer is https://<your Okta domain>/oauth2/default.

Client ID

The Client ID value for the Fabricate SSO configuration is the Okta app integration's Client ID.

To obtain the value:

  1. Open the app integration.

  2. On the General tab, find Client Credentials.

  3. Copy Client ID.

Client secret

The Client Secret value for the Fabricate SSO configuration is the Okta app integration's Client secret.

To obtain the value:

  1. Open the app integration.

  2. On the General tab, find Client Credentials.

  3. Copy Client secret.

Required token claims

Fabricate expects standard OIDC email verification from Okta:

  • email

  • email_verified

The email and email_verified claims are normally available when Fabricate requests the email scope.

Fabricate requests the following:

Note that Fabricate does not request the Okta groups scope. If your Okta groups claim is configured so that it appears only when the groups scope is requested, Fabricate does not receive it unless Fabricate is updated to request that scope for your account. Configure the claim so that it is always included, as described under Add group names for Fabricate group synchronization.
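As an added example (not Fabricate's or Okta's own code), the following Python checks a decoded ID token payload, such as the JSON that a custom authorization server's Token Preview tab shows, against the contract above: the issuer Fabricate is configured with, the app integration's Client ID as the audience, a non-empty email, email_verified set to boolean true, and a groups claim that is an array of names. The sample payload, domain, client ID, subject and group names are constructed for the example. The script inspects claims only; it does not verify the token signature, which Fabricate does when it consumes the token.

```python
import base64
import json
import re

# Constructed sample payload, in the form Okta's Token Preview shows it. The
# domain, client ID, subject, email and group names are hypothetical.
SAMPLE_ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_CLIENT_ID = "0oaexampleclientid"
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": SAMPLE_CLIENT_ID,
    "sub": "00uexampleuser",
    "email": "jane.doe@example.com",
    "email_verified": True,
    "groups": ["Fabricate Admins", "Fabricate Engineers"],
}

# Okta issuer shapes: the org authorization server is the bare domain; a custom
# authorization server is the domain plus /oauth2/<authorization server ID>.
ORG_ISSUER = re.compile(r"^https://[^/]+$")
CUSTOM_ISSUER = re.compile(r"^https://[^/]+/oauth2/[^/]+$")


def issuer_kind(issuer):
    """Return 'org', 'custom', or None for a URL that has neither shape."""
    if ORG_ISSUER.match(issuer):
        return "org"
    if CUSTOM_ISSUER.match(issuer):
        return "custom"
    return None


def payload_claims(id_token):
    """Decode the payload of a compact JWT. No signature check is done here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_sample_token(claims):
    """Assemble a compact JWT around the given claims for local testing only.
    The signature segment is a placeholder, so the result is not a valid token."""
    def segment(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([segment({"alg": "RS256", "kid": "constructed"}), segment(claims), "placeholder"])


def check_fabricate_claims(claims, expected_issuer, expected_client_id, require_groups=False):
    """Return the list of contract violations; an empty list means the claims are usable."""
    problems = []
    if issuer_kind(expected_issuer) is None:
        problems.append(f"configured issuer {expected_issuer!r} is neither an org nor a custom authorization server URL")
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} differs from the configured issuer {expected_issuer!r}")
    aud = claims.get("aud")
    if expected_client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the app integration's Client ID")
    if not isinstance(claims.get("email"), str) or not claims["email"]:
        problems.append("email claim is missing or empty")
    if claims.get("email_verified") is not True:
        problems.append("email_verified is missing or not boolean true")
    groups = claims.get("groups")
    if groups is None:
        if require_groups:
            problems.append("groups claim is absent: check it is on this issuer, included Always, and not gated on the groups scope")
    elif not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        problems.append("groups claim is not an array of group name strings")
    return problems


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    claims = payload_claims(token)
    print("issuer kind:", issuer_kind(SAMPLE_ISSUER))
    print("problems:", check_fabricate_claims(claims, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, require_groups=True))

    # A misconfigured deployment: Fabricate points at the org server while the
    # token came from the custom server, email_verified is a string, and the
    # groups claim arrived as a single string instead of an array.
    misconfigured = dict(SAMPLE_CLAIMS, email_verified="true", groups="Fabricate Admins")
    for line in check_fabricate_claims(misconfigured, "https://example.okta.com", SAMPLE_CLIENT_ID, require_groups=True):
        print("-", line)
```

Run it with the payload from your own authorization server's Token Preview, and the issuer and Client ID you entered in Fabricate, before you enable group synchronization; an issuer mismatch or a string-valued groups claim is the usual reason the claim appears in Okta but never reaches Fabricate.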

Add group names for Fabricate group synchronization

Fabricate can optionally synchronize a user's Fabricate account group memberships with group names that Okta sends when the user signs in. The user is then automatically added to the matching Fabricate account group.

Fabricate matches the values in the groups claim to Fabricate group names. The group name match is case-insensitive.

When Sync groups from SSO is enabled, a group name in the claim that matches the group filter but does not already exist in Fabricate is created automatically. For that reason, keep the group filter restrictive: every matching name that Okta sends becomes a Fabricate group.

In Okta, you configure a claim that is named groups.

The claim value must be an array of group names (a JSON array of strings, such as ["Fabricate Admins", "Fabricate Engineers"]), not a single string. Okta produces this format when the claim's value type is Groups, as described below.

Fabricate reads groups from both the ID token and the UserInfo response.
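To make the matching rules concrete, the following added Python (not Fabricate's or Okta's code) models the two halves of group synchronization: the Matches regex group filter that Okta applies before it fills the groups claim, and the case-insensitive match and auto-creation that Fabricate applies at sign-in. The user's Okta groups and the account's existing groups are constructed sample data. Two assumptions are made: Okta's regex filter is treated as a whole-name match (the anchored ^Fabricate.* example used on this page behaves the same either way), and the group filter mentioned above is taken to be that Okta filter.

```python
import re


def okta_groups_claim(user_groups, filter_regex):
    """Emulate Okta's 'Matches regex' group filter: only names that match the
    pattern are placed in the groups claim. Whole-name matching is an assumption."""
    pattern = re.compile(filter_regex)
    return [name for name in user_groups if pattern.fullmatch(name)]


def sync_groups(claim_groups, fabricate_groups, sync_enabled):
    """Apply Fabricate's matching rules to one sign-in.

    claim_groups:     values of the groups claim (from the ID token or UserInfo)
    fabricate_groups: names of the groups that already exist in the account
    sync_enabled:     the account's "Sync groups from SSO" setting

    Returns (memberships, created): the Fabricate group names the user is now
    a member of, and the groups created during this sign-in. Names match
    case-insensitively; the existing Fabricate spelling wins when one exists.
    """
    if not isinstance(claim_groups, list) or not all(isinstance(g, str) for g in claim_groups):
        raise ValueError("groups claim must be an array of group name strings")
    by_folded = {name.casefold(): name for name in fabricate_groups}
    memberships, created = [], []
    for name in claim_groups:
        match = by_folded.get(name.casefold())
        if match is None:
            if not sync_enabled:
                continue  # unknown group, and auto-creation is off: ignored
            by_folded[name.casefold()] = name
            created.append(name)
            match = name
        if match not in memberships:
            memberships.append(match)
    return memberships, created


if __name__ == "__main__":
    # Constructed sample data: an Okta user's group list and an account's groups.
    okta_user_groups = ["Everyone", "Fabricate Admins", "Fabricate-Engineers", "Finance"]
    account_groups = ["fabricate admins", "Data Team"]

    claim = okta_groups_claim(okta_user_groups, r"^Fabricate.*")
    print("claim sent by Okta:", claim)
    print("sync on :", sync_groups(claim, account_groups, sync_enabled=True))
    print("sync off:", sync_groups(claim, account_groups, sync_enabled=False))

    # An unrestrictive filter sends Everyone and Finance as well; with sync on,
    # each of them would be created as a Fabricate group.
    print("loose filter:", okta_groups_claim(okta_user_groups, r".*"))
```

The casefolded lookup is what makes "fabricate admins" in Fabricate match "Fabricate Admins" from Okta without creating a duplicate; the restrictive Okta pattern is what keeps Everyone and Finance out of the claim in the first place.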

To identify the groups to include in the claim, you can use either:

  • Okta organization authorization server

  • Custom authorization server

Okta organization authorization server

In the Okta Admin Console:

  1. Go to Applications -> Applications.

  2. Open the Fabricate OIDC app integration.

  3. Go to the Sign On tab.

  4. Find the OpenID Connect ID Token section.

  5. Click Edit.

  6. For Okta-sourced groups:

    1. In Group claim type, select Filter.

    2. In Group claims filter:

      • Claim name: groups

      • Filter: Matches regex

      • Value: a restrictive regular expression for the groups that Fabricate should see. For example, ^Fabricate.* Keep the pattern restrictive: Okta's Everyone group and any other group the user belongs to would otherwise be sent to Fabricate, and with Sync groups from SSO enabled each of them would become a Fabricate group.

  7. For groups sourced outside of Okta, such as groups from AD or LDAP:

    1. In Group claim type, select Expression.

    2. In Group claims filter:

      • Claim Name: groups

      • Value: an Okta Expression Language group expression that returns the group names. For example, Groups.startsWith("active_directory", "Fabricate", 100) returns up to 100 Active Directory-sourced group names that begin with Fabricate.

  8. Click Save.

Custom authorization server

Use this option if you already use a custom Okta authorization server, or when you need more control over claim inclusion.

In the Okta Admin Console:

  1. Go to Security -> API.

  2. Open the authorization server that is used as Fabricate's issuer.

  3. Go to the Claims tab.

  4. Click Add Claim.

  5. Configure:

    • Name: groups

    • Include in token type: ID Token

    • When to include: Always

    • Value type: Groups

    • Filter: Matches regex

    • Value: A restrictive regular expression to identify the groups that Fabricate should see. For example, ^Fabricate.*

  6. Save the claim.

Setting Include in token type to ID Token and When to include to Always matters because Fabricate does not request Okta's groups scope. A claim that is configured to be included only when a particular scope is requested is not returned to Fabricate.

To instead have the claim in UserInfo, make sure the claim:

  • Is available from the access token/UserInfo path. To do this, set the claim's Include in token type to Access Token/User Info.

  • Does not require a scope that Fabricate does not request.
