Learn how to easily set up Single Sign On OAuth with Okta for streamlined user authentication and secure access control.

May 19, 2026 | Article

Setting Up Single Sign On OAuth with Okta

Use the following steps to create an Okta OAuth App Integration for MVP One:

1. In the Okta admin interface, navigate to Applications and select “Create App Integration”.
2. Select OIDC – OpenID Connect as the sign-in method. Select Native Application as the application type.
3. In the General Settings section, use the following settings:
   - App Integration Name: Set as desired
   - Logo (optional): Upload an image as desired
   - Grant type: Check the boxes for Authorization Code, SAML 2.0 Assertion, Token Exchange
   - Sign-in redirect URIs: Click Add URI, populate the new field with the value: https://[site-name].mvpplant.com/v2/Login/LoginOAuth
     This value can be confirmed in MVP One by navigating to Administration > Settings > Company, and viewing the Website Redirect URI in the OAuth2 section (see screenshot below step 14).
   - Controlled access: Set as needed. This document will cover the case of granting access to everyone in the organization.

   The completed settings page should look like this: [Screenshot]
4. After saving the settings of the previous step, you will now be in the General tab of the new application settings. Click Edit at the top right of the Client Credentials section. Set the Client Authentication radio button to Client secret, click Save to generate the new secret.
5. Click the buttons to copy the Client ID and Client Secret for use later in the setup.
6. Go to the Sign On tab of the application settings. Scroll down to the OpenID Connect ID Token section and click Edit at the top right. Change Issuer to Okta URL. Click Save, then copy the Okta URL for use later in the setup.
7. In the Okta menu, navigate to Security > API. Click Add Authorization Server.
8. Set the name and description as desired. Set the Audience value to the Client ID obtained in step 5.
9. You are now in the settings tab for the newly created authorization server. Copy down the Metadata URI.
   Note: This URI will need to be modified for use in the MVP Plant integration. Replace the text after the last / with openid-configuration
   The modified link will look like this: https://[organization].okta.com/oauth2/[random-string]/.well-known/openid-configuration
10. Go to the Access Policies tab of the authorization server. Click Add Policy.
11. Set the name and description as desired. Set the Assign to section as the following clients. In the field that appears below, begin typing out the name of the newly created application and select it when it appears. Click Create Policy.
12. Click the Add rule button. Use the following settings for the rule:
    - Rule Name: Set as desired
    - Grant type: Deselect Interaction Code, Implicit, Resource Owner Password, Device Authorization
    - Scopes requested: Select the radio button for the following scopes. Begin typing out openid and select it once it appears... Repeat the process with email.

    The completed settings should look like this: [Screenshot]
13. The integration should now be complete on Okta’s end. Log into MVP Plant with an admin account. Select Administration and navigate to Settings > Company.
14. In the Authentication and OAuth2 sections, use the following settings:
    - Single Sign-On Authentication Type: OAuth (select from drop-down)
    - Instance URL: Okta URL from step 6
    - Client ID: Client ID from step 5
    - Scope: Leave blank
    - Client Secret: Client secret from step 5
      Note: Client Secret field will turn blank after saving the settings
    - Claim to Username: email
    - Metadata URL: Modified URI from step 9

    [Screenshot]
15. Click Save at the top right of the window. OAuth SSO settings should now be active.

Testing the Integration

To test the integration, verify the user is assigned the newly created app in Okta. Additionally, the user must have an account in MVP Plant whose username matches the email address associated with Okta.
The authentication type of the account must be set to OAuth Authentication.

The user can attempt SSO authentication directly from the MVP Plant login screen. If their email matches a valid user account in MVP Plant, authentication should be successful. In some cases, the user will be returned to the login screen after authenticating to Okta and will need to select Single Sign-On Login a second time to log in.

When logging out from MVP Plant, users will occasionally be redirected to an error message from Okta. This is a known issue but should not affect the functionality of the integration.
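
A check for the Metadata URL from step 9, added here as an example (it is not part of the original article and is not MVP Plant or Okta tooling): it rewrites the copied Metadata URI as step 9 describes and validates the discovery document served at that URL against the scopes and grant type this setup relies on. The function names are hypothetical, and the sample URI (including its `oauth-authorization-server` ending), tenant name and document are constructed.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"

def to_openid_configuration(metadata_uri: str) -> str:
    """Step 9: replace the text after the last '/' with openid-configuration."""
    uri = metadata_uri.strip()
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Metadata URI must be an absolute https URL")
    if parts.query or parts.fragment or "/.well-known/" not in parts.path:
        raise ValueError("unexpected Metadata URI shape; copy it again from Okta")
    return uri.rsplit("/", 1)[0] + "/openid-configuration"

def check_discovery(metadata_url: str, doc: dict) -> list:
    """Return the problems found; an empty list means the document fits this setup."""
    problems = []
    if not metadata_url.endswith(SUFFIX):
        problems.append("Metadata URL does not end in " + SUFFIX)
    # OpenID Connect Discovery: issuer + SUFFIX must equal the URL that was fetched.
    elif doc.get("issuer") != metadata_url[: -len(SUFFIX)]:
        problems.append("issuer does not match the Metadata URL")
    for scope in ("openid", "email"):  # scopes selected in the access policy rule
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope} not advertised")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not advertised")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems

# Constructed sample values, not taken from a real tenant.
SAMPLE_URI = "https://example.okta.com/oauth2/ausEXAMPLE/.well-known/oauth-authorization-server"
ISS = "https://example.okta.com/oauth2/ausEXAMPLE"
SAMPLE_DOC = {
    "issuer": ISS,
    "authorization_endpoint": ISS + "/v1/authorize",
    "token_endpoint": ISS + "/v1/token",
    "jwks_uri": ISS + "/v1/keys",
    "scopes_supported": ["openid", "profile", "email"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

if __name__ == "__main__":
    url = to_openid_configuration(SAMPLE_URI)
    print(url)
    print(check_discovery(url, SAMPLE_DOC) or "discovery document OK")
```

To use it against a real tenant, fetch the rewritten URL with any HTTPS client and pass the parsed JSON as `doc`.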