Okta OAuth Setup and Use

As of July 12, 2021, this "Learn Veracross" site has been deprecated. It will remain live through December 2022, but will no longer be updated. All knowledge content has moved to the new Veracross Community. Please update your bookmarks.

Here is the new version of this article in the Veracross Community.

Overview

You can now use Okta as a third-party authentication method when accessing Veracross through Axiom or Portals. Setting up and using Okta for authentication incurs no additional costs and is included in Core Foundation.

Okta authentication is configured and managed from the Identity & Access Management homepage. It can be:

  • set up for individual users on their Person Account detail screens
  • created for multiple users in batch by security role

Configuring Okta and assigning it to user accounts can only be done by users with a SysAdmin security role.

Initial Okta Configuration

Prior to configuring Okta in Axiom, you first need to perform the following on the Okta App Integration configuration page. This page is not located in Veracross; it is located within Okta.

  1. Add the following URL to the "Sign-in redirect URIs" section:
      • https://accounts.veracross.com/auth/okta_oauth/callback
  2. Make sure you use the "OIDC - OpenID Connect" sign-in method in Okta and set the Application type to "Web Application".
  3. Note the following information on the Okta App Integration configuration page, as you'll need it to configure Okta in Veracross:
    • Client ID
    • Client Secret
    • Organization
    • Domain
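
A check for the Okta-side settings in steps 1 and 2 above, as an added example that is not part of the original Veracross article. It assumes the app integration has been exported as JSON with Okta Apps API field names (signOnMode, settings.oauthClient.application_type, redirect_uris); the sample export is constructed.

```python
import json
from urllib.parse import urlsplit

# Callback URL from step 1 of this page; redirect URIs are compared exactly.
VERACROSS_CALLBACK = "https://accounts.veracross.com/auth/okta_oauth/callback"

def check_okta_app(app):
    """Return a list of findings; an empty list means the export matches steps 1-2."""
    findings = []
    oauth = app.get("settings", {}).get("oauthClient", {})
    if app.get("signOnMode") != "OPENID_CONNECT":      # assumed Okta field name
        findings.append("sign-in method is not OIDC - OpenID Connect")
    if oauth.get("application_type") != "web":         # assumed Okta field name
        findings.append("application type is not Web Application")
    uris = oauth.get("redirect_uris", [])
    if VERACROSS_CALLBACK not in uris:
        findings.append("Veracross callback missing from sign-in redirect URIs")
    for uri in uris:
        if uri == VERACROSS_CALLBACK:
            continue
        parts = urlsplit(uri)
        if parts.scheme != "https":
            findings.append(f"non-HTTPS redirect URI: {uri}")
        elif "*" in uri:
            findings.append(f"wildcard redirect URI: {uri}")
        elif parts.hostname == "accounts.veracross.com":
            # Same host, different string (trailing slash, typo in path):
            # an exact-match comparison will reject it at sign-in.
            findings.append(f"near-miss of the Veracross callback: {uri}")
    return findings

# Constructed sample export: trailing slash on the callback plus a leftover test URI.
SAMPLE_EXPORT = json.loads("""
{
  "label": "Veracross (constructed sample)",
  "signOnMode": "OPENID_CONNECT",
  "settings": {"oauthClient": {
    "application_type": "web",
    "redirect_uris": [
      "https://accounts.veracross.com/auth/okta_oauth/callback/",
      "http://localhost:8080/callback"
    ]}}
}
""")

if __name__ == "__main__":
    for finding in check_okta_app(SAMPLE_EXPORT):
        print("FINDING:", finding)
```
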

Once you have this information, you can begin configuring Okta in Axiom. Begin from the Identity & Access Management homepage.

  1. Click the Okta OAuth Application link in the External Identity Providers section of the center column.
  2. Populate the fields with the values you have from Okta.
    • Client ID = Client ID
    • Client Secret = Client Secret
    • Org = Organization
    • Domain = Domain
  3. Set the Status value as "Enabled".
  4. Click Update.
    • At this point, Okta is now live in your database.

Setting Up Okta for Individual Users

Once Okta is configured, you can begin adding Okta to individual user accounts. This is done from each individual user's Person Account detail screen.

To enable Okta for a user, perform the following:

  1. Navigate to the user's Person Account record from the "Find User Accounts" query on the Identity & Access Management homepage.
  2. On the General tab, click the "Add Record..." button to add a new External Account record.
  3. Set the following values:
    • Type = Okta OAuth
    • Username = whatever this person's username should be
    • Status = Enabled
  4. Click Update.
    • When logging into Veracross, this user is now prompted to use Okta.

Setting up Okta in Batch by Security Role

Instead of setting up Okta one user at a time, you can also set up Okta for all users sharing a specific security role. To do this, begin from the Identity & Access Management homepage.

  1. Click the Security Roles query in the Configuration section in the center column.
  2. Find the security role you want to enable Okta for and click the link in the Description column.
    • Before clicking the link, check the value for the security role in the Primary Username Convention column and make sure that this is how you want the usernames to appear.
  3. On the Security Role detail screen, click the Action menu and run the "Create External Okta OAuth Accounts" procedure.
  4. Click the green "Create External Okta OAuth Accounts" button.
    • At this point, Okta has been enabled for all users with this security role. Their usernames are based on the Primary Username Convention in the Security Roles query.
  5. Repeat this process for any additional security roles you want to enable Okta for.