We are starting to test the new 2021 OpenID Provider integration with Okta and are receiving an error after the user enters their credentials on their Okta page and is redirected back to Acumatica. I have attached a screenshot for reference.
I found some help on this Okta page for setting up OpenID. Does anyone know if this is the proper guide to follow?
Thanks for the follow-up. After working through a few support cases with Acumatica we have everything working for the client. The client is tied to Okta since they use it for all of their other internal applications so we had to figure it out.
One item I’ll add, if someone finds this in the future, is that the client had the previous Okta integration that was linked via the External Identities of the user record. For the new OpenID integration, each user would have needed to log in using their OpenID login and then log in using the Acumatica login and password to relink the accounts. Unfortunately, no one knows their Acumatica logins, so after some digging I was able to build the following SQL script into a customization package we’ll run after the upgrade to populate the new OidcProviderUsers table with the proper information. The data in the OidcProviderUsers table is specific to the claim type set up with OpenID, so it could be slightly different in other implementations.
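-- Link each active legacy Okta identity to the active OpenID provider in the same tenant,
-- using the stored UserKey as the value of the 'email' claim.
INSERT INTO OidcProviderUsers (CompanyID, UserID, ProviderID, UserIdentityClaimType, UserIdentityClaimValue)
SELECT UI.CompanyID, UI.UserID, P.ProviderID, 'email' AS 'UserIdentityClaimType', UI.UserKey AS 'UserIdentityClaimValue'
FROM UserIdentity UI
LEFT JOIN OidcProvider P ON P.CompanyID = UI.CompanyID
LEFT JOIN OidcProviderUsers PU ON PU.CompanyID = P.CompanyID
AND PU.ProviderID = P.ProviderID
AND PU.UserID = UI.UserID
-- PU.UserIdentityClaimValue IS NULL keeps only users that have no link row yet.
WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1 AND P.Active = 1 AND PU.UserIdentityClaimValue IS NULL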
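An added example, not part of the original post and not Acumatica's code: pre-flight checks worth running before a migration like the script above, because it links IdP logins to accounts purely by a stored key. It uses Python's sqlite3 with a constructed schema that holds only the columns the script references; the column types and sample rows are assumptions.

```python
import sqlite3

# Constructed minimal schema: only columns the script on this page uses (types assumed).
SCHEMA = """
CREATE TABLE UserIdentity (CompanyID INT, UserID TEXT, ProviderName TEXT, UserKey TEXT, Active INT);
CREATE TABLE OidcProvider (CompanyID INT, ProviderID TEXT, Active INT);
"""

CHECKS = {
    # One claim value pointing at several users: that IdP login becomes ambiguous.
    "shared_claim": """
        SELECT UI.CompanyID, UI.UserKey, COUNT(DISTINCT UI.UserID) AS n
        FROM UserIdentity UI
        WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1
        GROUP BY UI.CompanyID, UI.UserKey HAVING COUNT(DISTINCT UI.UserID) > 1""",
    # Several active providers in a tenant: joining on CompanyID alone
    # would link every user to each of them.
    "multi_provider": """
        SELECT CompanyID, COUNT(*) AS n FROM OidcProvider
        WHERE Active = 1 AND CompanyID > 1
        GROUP BY CompanyID HAVING COUNT(*) > 1""",
    # Keys that cannot be the value of an 'email' claim.
    "not_email": """
        SELECT CompanyID, UserID, UserKey FROM UserIdentity
        WHERE CompanyID > 1 AND ProviderName = 'Okta' AND Active = 1
          AND (UserKey IS NULL OR UserKey NOT LIKE '%_@_%')""",
}

def preflight(conn):
    """Run every check; return {check_name: [rows]}, empty lists when clean."""
    return {name: conn.execute(sql).fetchall() for name, sql in CHECKS.items()}

def demo_db():
    """In-memory database filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO UserIdentity VALUES (?,?,?,?,?)", [
        (2, "u1", "Okta", "alice@example.com", 1),
        (2, "u2", "Okta", "alice@example.com", 1),  # same key, second user
        (2, "u3", "Okta", "00u1abcd", 1),           # opaque id, not an email
        (2, "u4", "Okta", "bob@example.com", 0),    # inactive, ignored
        (3, "u5", "Okta", "carol@example.com", 1),
    ])
    conn.executemany("INSERT INTO OidcProvider VALUES (?,?,?)", [
        (2, "p-okta", 1), (3, "p-okta", 1), (3, "p-other", 1)])
    return conn

if __name__ == "__main__":
    for name, rows in preflight(demo_db()).items():
        print(name, rows)
```

Any non-empty result is a reason to review those rows by hand before inserting links for them.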
Not promoting one over the other, I found the how-to from ONELOGIN more comprehensive.
What I did is set up a ONELOGIN using the following document; then, after setting this up, I just followed the same concepts (different screens) and was able to get OKTA configured.
David, I’ve got OneLogin w/ OpenID set up now, so thank you! I did have a question though. How are you passing the email? Right now it errors out and says to log in with the form first. Once you do log in with the form it ties the account, but ideally we could pass the email as a parameter to the tenant right off the bat to do the matching.