Solved

OpenID integration with Okta

  • 18 May 2021
  • 3 replies
  • 779 views


We are starting to test the new 2021 OpenID Provider integration with Okta and are receiving an error after the user enters their credentials on their Okta page and is redirected back to Acumatica. I have attached a screenshot for reference.

I found some help on this Okta page for setting up OpenID.  Does anyone know if this is the proper guide to follow?

Create an App at the Identity Provider | Okta Developer

Thanks,

Kurt Bauer


Best answer by KurtBauer 13 July 2021, 21:36


3 replies


Kurt,

Not promoting one over the other, I found the how-to from OneLogin more comprehensive.

What I did was set up OneLogin using the following document; after setting this up I just followed the same concepts (different screens) and was able to get Okta configured.


https://developers.onelogin.com/openid-connect/connect-to-onelogin

https://help-2021r1.acumatica.com/(W(5))/Wiki/ShowWiki.aspx?pageid=900fcac3-dcca-4d54-b01a-62a09170be61



David,

Thanks for the follow-up. After working through a few support cases with Acumatica, we have everything working for the client. The client is tied to Okta since they use it for all of their other internal applications, so we had to figure it out.

One item I'll add, if someone finds this in the future: the client had the previous Okta integration that was linked via the External Identities of the user record. For the new OpenID integration each user would have needed to log in using their OpenID login and then log in using the Acumatica login and password to relink the accounts. Unfortunately no one knows their Acumatica logins, so after some digging I was able to build the following SQL script into a customization package we'll run after the upgrade to populate the new OidcProviderUsers table with the proper information. The data in the OidcProviderUsers table is specific to the claim type set up with OpenID, so it could be slightly different in other implementations.

-- Relink legacy Okta identities (UserIdentity) to the new OIDC provider rows.
-- Assumes one active OidcProvider per tenant: the provider join is on CompanyID only.
INSERT INTO OidcProviderUsers (CompanyID, UserID, ProviderID, UserIdentityClaimType, UserIdentityClaimValue)
SELECT UI.CompanyID, UI.UserID, P.ProviderID,
       'email'    AS UserIdentityClaimType,   -- must match the claim type configured on the provider
       UI.UserKey AS UserIdentityClaimValue   -- the e-mail Okta presents in that claim
FROM UserIdentity UI
JOIN OidcProvider P                           -- P.Active = 1 in the WHERE made the original LEFT JOIN an inner join anyway
  ON P.CompanyID = UI.CompanyID
LEFT JOIN OidcProviderUsers PU                -- anti-join: only users not yet linked to this provider
  ON PU.CompanyID = P.CompanyID
 AND PU.ProviderID = P.ProviderID
 AND PU.UserID = UI.UserID
WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1
  AND P.Active = 1
  AND PU.UserID IS NULL                       -- test the key column, not the nullable claim-value column

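For anyone adapting the relink script above: the following is an added example written for this page, not part of Kurt's post or of Acumatica's own tooling. It wraps the same INSERT in pre-flight checks and a rehearsable transaction. Only the table and column names visible in the script above are used; the T-SQL dialect, the #Pending temp table, the e-mail LIKE pattern and the CompanyID > 1 filter carried over from the post are assumptions. The point is that this script binds an identity-provider claim to an Acumatica account, so a wrong row is an account-takeover path: each claim value must resolve to exactly one user and each tenant to exactly one active provider before anything is committed.

```sql
-- Added example, not from the original post: pre-flight checks around the
-- relink script, written for SQL Server (T-SQL). Only the columns that appear
-- in the post are used; the #Pending temp table, the LIKE pattern and the
-- CompanyID > 1 tenant filter carried over from the post are assumptions.
SET NOCOUNT ON;
SET XACT_ABORT ON;   -- any error inside the transaction rolls back the whole batch

-- Check 1: the relink joins OidcProvider on CompanyID only, so every tenant
-- with active Okta identities needs exactly one active provider. Zero rows
-- expected: a tenant with 0 providers is silently skipped, one with 2+ gets
-- duplicate links.
SELECT UI.CompanyID, COUNT(DISTINCT P.ProviderID) AS ActiveProviders
FROM UserIdentity UI
LEFT JOIN OidcProvider P ON P.CompanyID = UI.CompanyID AND P.Active = 1
WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1
GROUP BY UI.CompanyID
HAVING COUNT(DISTINCT P.ProviderID) <> 1;

-- Check 2: one claim value must resolve to one Acumatica user per tenant.
-- Two users sharing a UserKey would let a single IdP identity sign in as
-- either account, so fix these before linking. Zero rows expected.
SELECT UI.CompanyID, UI.UserKey, COUNT(*) AS Users
FROM UserIdentity UI
WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1
GROUP BY UI.CompanyID, UI.UserKey
HAVING COUNT(*) > 1;

-- Check 3: the claim type is 'email', so a UserKey that is not an address can
-- never match what Okta sends and that user stays unlinked. Zero rows expected.
SELECT UI.CompanyID, UI.UserID, UI.UserKey
FROM UserIdentity UI
WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1
  AND (UI.UserKey IS NULL OR UI.UserKey NOT LIKE '%_@_%.__%');

BEGIN TRAN;

-- Stage the rows the relink would create so they can be reviewed first.
SELECT UI.CompanyID, UI.UserID, P.ProviderID,
       'email'    AS UserIdentityClaimType,
       UI.UserKey AS UserIdentityClaimValue
INTO #Pending
FROM UserIdentity UI
JOIN OidcProvider P
  ON P.CompanyID = UI.CompanyID AND P.Active = 1
LEFT JOIN OidcProviderUsers PU
  ON PU.CompanyID = P.CompanyID AND PU.ProviderID = P.ProviderID AND PU.UserID = UI.UserID
WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1
  AND PU.UserID IS NULL;          -- anti-join: skip users already linked

SELECT * FROM #Pending;            -- dry-run output: exactly what will be inserted

INSERT INTO OidcProviderUsers
    (CompanyID, UserID, ProviderID, UserIdentityClaimType, UserIdentityClaimValue)
SELECT CompanyID, UserID, ProviderID, UserIdentityClaimType, UserIdentityClaimValue
FROM #Pending;

-- Check 4 (after insert): no claim value, new or pre-existing, maps to more
-- than one user for the same provider. Zero rows expected.
SELECT CompanyID, ProviderID, UserIdentityClaimType, UserIdentityClaimValue,
       COUNT(DISTINCT UserID) AS Users
FROM OidcProviderUsers
GROUP BY CompanyID, ProviderID, UserIdentityClaimType, UserIdentityClaimValue
HAVING COUNT(DISTINCT UserID) > 1;

DROP TABLE #Pending;

-- Leave as ROLLBACK for the rehearsal run; switch to COMMIT TRAN only once
-- every check above returned zero rows.
ROLLBACK TRAN;
```

Run it once against a restored copy of the tenant database with ROLLBACK in place, read the four check result sets and the dry-run output, and only then flip the last statement to COMMIT for the real upgrade.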

David, I've got OneLogin w/ OpenID set up now, so thank you! I did have a question though. How are you passing the email? Right now it errors out and says to log in with the form first. Once you do log in with the form it ties the account, but ideally we could pass the email as a parameter to the tenant right off the bat to do the matching.

Josh 
