SSO Okta App Integration

Prerequisites

• Users are required to access to Cloud Defense Account

Step 1: SignUp with OKTA account

Before creating an APP in OKTA, first login to Cloud Defense. Inside the Integrations tab, go to SSO, click on OKTA and copy the redirect URL.

Step 2: Create App Integration with OKTA Account

Go to the applications page in OKTA, and click on Create App Integration.

Select Open-id connect as sign in method, and web application as Application

In General Settings, enter App name, select Grant type as Client credentials and Authorization code as Client acting on half of a user, enter the redirect url copied from Cloud defense application, and paste it in redirect URLs.

Select Controlled access value from Dropdown option.

Cope the client ID and secret of the APP

Paste Id and Secret in our application integration page inside OKTA

Sign in with your email ID with which you registered on OKTA

TROUBLESHOOTING STEPS:

1- Unexpected error while authenticating with identity provider and API is giving 502 bad gateway.

JIRA LINK - https://clouddefense.atlassian.net/browse/CD-187

Fix- Check the client id and client secret. Most probably the issue will be with credentials, if other IDPs are working. In case all IDPs are not working and showing the same issue, then we can probably look at ingress logs. https://stackoverflow.com/questions/42613491/azure-ad-webapp-behind-reverse-proxy-receives-502-bad-gateway

2- Invalid Username or Password

This error comes when we add the first login flow in identity provider settings as Linking Broker Flow. This error comes when we try to login with a new identity provider and email already exists with some other identity provider. In this case the below API fails and in the events we receive

IDENTITY_PROVIDER_FIRST_LOGIN_ERROR https://staging.clouddefenseai.com/auth/realms/cdefense/login-actions/first-broker-login?client_id=cdconsole&tab_id=o

The first step to debug this issue is to check the linking broker flow settings inside the authentication tab. Make sure if Create User If Unique and Automatically Set Existing User both are set to Alternative. Also check if both are added in the same order mentioned above.

3- Issues related to application redirecting to incorrect URLs

Make sure the correct frontend url is added in the realm settings as shown in screenshot 1. This is the frontend Url of our realm.

Also, in the clients section, select cdconsole and make sure Root URL, Valid Redirect URIs and Base URL are added correctly as mentioned in screenshot 2.

4- Sometimes on fresh setup, we get the below error in keycloak. ERROR: value too long for type character varying(255)

In order to fix this error, please update the type of value column in user_attribute table as text. This will solve this error.