
Setting up authentication with Okta

Ryan Newington edited this page Jul 7, 2018 · 5 revisions

The following guide walks through configuring the Lithnet LAPS web app to use Okta for authentication over OpenID Connect. It has three parts that must all be completed: IIS must stop authenticating users itself, Okta must be told about the app, and the app's web.config must be pointed at Okta.

Part 1: Configure IIS

  1. Open IIS Manager, expand the Sites list, and select the Lithnet LAPS web site you created at installation time.
  2. In the Features view for the site, open Authentication
  3. Ensure Anonymous Authentication is Enabled and every other authentication method is Disabled. Sign-in is handled by the OWIN OpenID Connect middleware configured in Part 3, so IIS itself must not challenge the request; leaving Windows Authentication enabled in particular will cause IIS to prompt for credentials before the Okta redirect ever happens.

Part 2: Configure a new application in Okta

  1. Log into the Okta admin console with administrative credentials, then select Applications, then Applications
  2. Click Add Application, then Create New App
  3. Select Web as the platform and OpenID Connect as the sign-on method
  4. Enter Lithnet LAPS, or another suitable application name, and optionally provide a logo
  5. For the login redirect URI, enter the base URL where your Lithnet LAPS web app is hosted (eg https://laps.lithnet.local/). This must match the oidc:RedirectUri value you configure in Part 3 exactly, including the trailing slash
  6. On the General Settings page, click Edit
  7. Select the Implicit (Hybrid) check box under Client acting on behalf of user, and ensure Allow ID token with implicit grant type is selected. Click Save
  8. Set the logout redirect URI to your base URL with /Home/LogOut appended (eg https://laps.lithnet.local/Home/LogOut)
  9. Copy the Client ID value for use later. The app only requests an ID token via the implicit flow, so you do not need the client secret
  10. Assign the appropriate users to the app
  11. Select Directory from the main menu bar, then select Profile Editor. Find the Lithnet LAPS web app in the list and click the Profile button
  12. Click Add Attribute and create a new attribute called upn, of data type string. Select both the Attribute required and User personal check boxes
  13. Click the Map Attributes button. Find the upn attribute and map it to the Okta attribute that contains the user's Active Directory UPN (eg aduser.userPrincipalName). This attribute is how the web app identifies which Active Directory account the Okta user corresponds to, so it must be sourced from the directory rather than a user-editable field

Part 3: Configure the Lithnet LAPS web app

  1. Open the web.config file in the root of the application folder. Ensure no other owin:appStartup key is present; only one OWIN startup class can be active
  2. Substitute the value for oidc:ClientId with the Client ID obtained in step 9 of Part 2
  3. Substitute the value for oidc:RedirectUri with the base URL of your application, exactly as entered for the login redirect URI in step 5 of Part 2
  4. Substitute the value for oidc:Authority with the URL of your Okta tenant. The middleware appends /.well-known/openid-configuration to this value to discover the signing keys and endpoints, so it must be the issuer URL, not a page within the tenant

The resulting appSettings entries look like the following (the Client ID shown is a placeholder):

```xml
<add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureOpenIDConnect" />
<add key="oidc:ClientId" value="0oaffr1ov5sl3NXff7h0" />
<add key="oidc:RedirectUri" value="https://laps.lithnet.local/" />
<add key="oidc:Authority" value="https://lithnet.okta.com" />
```
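The IIS and web.config steps of Parts 1 and 3 can be applied from an elevated PowerShell session on the web server instead of by hand. The script below is an added example, not code from the Lithnet LAPS project or from the original page; the site name, install path, Client ID, redirect URI and authority are placeholders that you replace with your own values. It also adds two checks a practitioner would want before the first sign-in: that the redirect URI is https (the ID token is returned in the URL fragment, so it must never travel over plain http) and, if the server has outbound access to Okta, that the authority actually publishes an OpenID Connect discovery document whose issuer matches the configured value.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the Lithnet LAPS project): automate Part 1 (IIS
# authentication) and Part 3 (web.config appSettings) of the Okta guide.
Import-Module WebAdministration

$SiteName    = 'Lithnet LAPS'                          # assumed IIS site name
$WebConfig   = 'C:\inetpub\LithnetLapsWeb\web.config'   # assumed install path
$ClientId    = '0oaffr1ov5sl3NXff7h0'                   # placeholder; use the Client ID from your Okta app
$RedirectUri = 'https://laps.lithnet.local/'            # must match the Okta login redirect URI exactly
$Authority   = 'https://lithnet.okta.com'               # your Okta tenant (issuer) URL

# --- Part 1: Anonymous on, everything else off -------------------------------
# The authentication sections are locked at server level by default, so write the
# settings as a <location> for this site in applicationHost.config (-PSPath 'IIS:\').
$authBase = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $true
foreach ($method in 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$authBase/$method" -Name enabled -Value $false
}

# --- Part 3: appSettings in web.config ----------------------------------------
[xml]$config = Get-Content -Path $WebConfig -Raw
$appSettings = $config.configuration.appSettings
if (-not $appSettings) { throw "No <appSettings> section found in $WebConfig" }

function Set-AppSetting([System.Xml.XmlElement]$Section, [string]$Key, [string]$Value) {
    # Update an existing <add key="..."/> or create it if missing.
    $node = $Section.SelectSingleNode("add[@key='$Key']")
    if (-not $node) {
        $node = $Section.OwnerDocument.CreateElement('add')
        $node.SetAttribute('key', $Key)
        [void]$Section.AppendChild($node)
    }
    $node.SetAttribute('value', $Value)
}

# The guide requires exactly one owin:appStartup key, so remove any existing ones first.
foreach ($old in @($appSettings.SelectNodes("add[@key='owin:appStartup']"))) {
    [void]$appSettings.RemoveChild($old)
}

Set-AppSetting $appSettings 'owin:appStartup'  'Lithnet.Laps.Web.Startup.ConfigureOpenIDConnect'
Set-AppSetting $appSettings 'oidc:ClientId'    $ClientId
Set-AppSetting $appSettings 'oidc:RedirectUri' $RedirectUri
Set-AppSetting $appSettings 'oidc:Authority'   $Authority

Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force   # keep a backup before rewriting
$config.Save($WebConfig)

# --- Sanity checks ------------------------------------------------------------
# 1. The ID token comes back in the URL fragment of the redirect, so the redirect
#    URI must be https or the token is exposed on the wire.
if (([uri]$RedirectUri).Scheme -ne 'https') { throw 'oidc:RedirectUri must use https' }

# 2. Optional, needs outbound access to Okta: the middleware will fetch this same
#    discovery document at startup. Check it is reachable and that the issuer it
#    advertises matches what we wrote to oidc:Authority.
$discoveryUrl = "$($Authority.TrimEnd('/'))/.well-known/openid-configuration"
try {
    $disco = Invoke-RestMethod -Uri $discoveryUrl
    if ($disco.issuer.TrimEnd('/') -ne $Authority.TrimEnd('/')) {
        Write-Warning "Discovery issuer '$($disco.issuer)' does not match oidc:Authority '$Authority'"
    }
    if ($disco.response_types_supported -notcontains 'id_token') {
        Write-Warning 'Authority does not advertise the id_token response type required by the implicit flow'
    }
} catch {
    Write-Warning "Could not retrieve $discoveryUrl : $_"
}
```

Run it once per server after installing the web app; it is idempotent, so re-running after changing a value simply rewrites the four keys. If the discovery check warns that the issuer differs, the value in oidc:Authority is wrong and every sign-in will fail token validation, so fix that before assigning users.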

Part 4: Enable multi-factor authentication

For additional security, add a rule to the application's sign-on policy (the Sign On tab of the app in the Okta admin console) that requires multifactor authentication. Because IIS is configured for anonymous access in Part 1, Okta is the only place a user is authenticated before being granted access to the LAPS web app, so MFA enforced there is the control that protects the app against a stolen Okta password.
