Bentley Communities
    Configuring Okta for OIDC federation

    Introduction

    This guide provides instructions for setting up Single Sign-On between Okta and Bentley's Identity Management System (IMS) for your corporate users.

    This guide assumes that your Okta tenant is properly set up on an SSL/TLS endpoint using HTTPS, and that the authentication address is accessible by your corporate users.

    Create the application in Okta

    • Open your Okta portal and log in with administrative privileges.
    • Select "Applications" from the Applications dropdown menu on the left navigation panel.
    • Select "Create App Integration".

    • Select "OpenID Connect (OIDC)" and "Web Application" as the application type.

    • Click "Next".
    • You may name the application as you'd like. We recommend "Bentley IMS".
    • Bentley will provide the real redirect URIs after the application has been configured on Bentley's side. For now, you can leave the default populated option.
    • Sign-out redirect URIs should be removed.

    At the bottom of this page is the “Assignments” option. This setting determines who is allowed to use the application. We recommend “Allow everyone in your organization to access”; however, there is also the option “Limit access to selected groups” if you’d prefer to control access to Bentley.

    Note: If you choose to allow all users, you will be asked whether you’d like to use federation broker mode. Turning this on is optional and up to you.

    • Clicking "Save" from here will bring you to the completed application.
    • In the “Client Credentials” box click “Edit” and check the box for “Require PKCE as additional verification”. 
    • Copy the Client ID into a notepad. You’ll need to provide it to Bentley. 
    • Just below is the Client Secret. You can click the clipboard option to the right of the eyeball to copy the secret. Save this as well, as you’ll need to provide it to Bentley. 

    • Click "Save" to save the PKCE settings.
    • We also need your OpenID metadata document URL. This is your Okta tenant URL followed by /.well-known/openid-configuration. For example, for a DEV Okta tenant the URL would be: https://dev-17638699.okta.com/.well-known/openid-configuration
    • Provide the Client ID, Client Secret, and the OpenID metadata URL to Bentley to set up the application.
    • Once Bentley has set up the application, Bentley will provide the redirect URIs for you to enter.
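
Before sending the metadata URL to Bentley, you can sanity-check the document it returns against what this guide assumes (HTTPS endpoints, authorization code flow, PKCE). The Python sketch below is an added example, not part of Bentley's or Okta's documentation; `check_metadata` is a hypothetical helper, and the sample document is constructed with illustrative endpoint paths, so in practice you would pass in the body fetched from your own tenant's metadata URL.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
METADATA_URL = "https://dev-17638699.okta.com" + WELL_KNOWN  # example URL from the guide

# Constructed sample document for offline use; endpoint paths are illustrative.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://dev-17638699.okta.com",
    "authorization_endpoint": "https://dev-17638699.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-17638699.okta.com/oauth2/v1/token",
    "jwks_uri": "https://dev-17638699.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["S256"],
})


def check_metadata(metadata_url, document):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if urlsplit(metadata_url).scheme != "https":
        problems.append("metadata URL is not HTTPS")
    if not metadata_url.endswith(WELL_KNOWN):
        return problems + ["metadata URL does not end with " + WELL_KNOWN]
    try:
        meta = json.loads(document)
    except ValueError:
        return problems + ["document is not valid JSON"]
    if not isinstance(meta, dict):
        return problems + ["document is not a JSON object"]
    # OIDC Discovery: the issuer plus the well-known path must equal the metadata URL.
    expected_issuer = metadata_url[: -len(WELL_KNOWN)]
    if str(meta.get("issuer", "")).rstrip("/") != expected_issuer.rstrip("/"):
        problems.append("issuer does not match the metadata URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = meta.get(key)
        if not isinstance(value, str) or urlsplit(value).scheme != "https":
            problems.append(key + " is missing or not HTTPS")
    # A Web Application integration uses the authorization code flow.
    if "code" not in (meta.get("response_types_supported") or []):
        problems.append("response type 'code' is not advertised")
    # The guide enables "Require PKCE"; S256 is the method to expect.
    if "S256" not in (meta.get("code_challenge_methods_supported") or []):
        problems.append("PKCE method S256 is not advertised")
    return problems


if __name__ == "__main__":
    for line in check_metadata(METADATA_URL, SAMPLE_METADATA) or ["all checks passed"]:
        print(line)
```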

    Configuring the Redirect URIs

    • Once you’ve received the redirect URIs, go back to the application and open the “General” tab. Edit the “General Settings” and insert the two provided URLs.

    • This completes the setup for your Okta connection. Please let Bentley know if you have any questions regarding setup.

    Optional:

    • As a reminder, if you have opted to restrict the assignment of who may use the application, please remember to assign all of your Bentley users to the application. 

     

    • Created by Bentley Colleague Jeremy Hoesly
    • When: Tue, Jun 27 2023 5:25 PM
    • Revisions: 1
    © 2023 Bentley Systems, Incorporated