Solved

OpenID integration with Okta


KurtBauer
Jr Varsity III

We are starting to test the new 2021 OpenID Provider integration with Okta and are receiving an error after the user enters their credentials on their Okta page and is redirected back to Acumatica.  I have attached a screenshot for reference.

I found some help on this Okta page for setting up OpenID.  Does anyone know if this is the proper guide to follow?

Create an App at the Identity Provider | Okta Developer

Thanks,

Kurt Bauer

Best answer by KurtBauer

3 replies

david.harris
Acumatica Moderator
  • Acumatica Support Team Lead
  • 31 replies
  • July 13, 2021

Kurt,

Not promoting one over the other, I found the how-to from ONELOGIN more comprehensive.

What I did is set up ONELOGIN using the following document; after setting this up I just followed the same concepts (different screens) and was able to get OKTA configured.

 

https://developers.onelogin.com/openid-connect/connect-to-onelogin

https://help-2021r1.acumatica.com/(W(5))/Wiki/ShowWiki.aspx?pageid=900fcac3-dcca-4d54-b01a-62a09170be61

 

 


KurtBauer
Jr Varsity III
  • Author
  • Jr Varsity III
  • 46 replies
  • Answer
  • July 13, 2021

David,

Thanks for the follow-up.  After working through a few support cases with Acumatica we have everything working for the client.  The client is tied to Okta since they use it for all of their other internal applications so we had to figure it out.

One item I’ll add if someone finds this in the future is that the client had the previous Okta integration that was linked via the External Identities of the user record.  For the new OpenID integration each user would have needed to log in using their OpenID login and then log in using the Acumatica login and password to relink the accounts.  Unfortunately no one knows their Acumatica logins, so after some digging I was able to build the following SQL script into a customization package we’ll run after the upgrade to populate the new OidcProviderUsers table with the proper information.  The data in the OidcProviderUsers table is specific to the claim type set up with OpenID, so it could be slightly different in other implementations.

-- Copy each active Okta external identity into the new OIDC user-link table,
-- using the stored UserKey as the value of the 'email' claim.
INSERT INTO OidcProviderUsers (CompanyID,UserID,ProviderID,UserIdentityClaimType,UserIdentityClaimValue)
SELECT UI.CompanyID, UI.UserID, P.ProviderID,'email' AS 'UserIdentityClaimType', UI.UserKey AS 'UserIdentityClaimValue'
FROM UserIdentity UI
	-- the OIDC provider configured for the same tenant
	LEFT JOIN OidcProvider P ON P.CompanyID=UI.CompanyID
	-- any link that already exists for this user and provider
	LEFT JOIN OidcProviderUsers PU ON PU.CompanyID=P.CompanyID
		AND PU.ProviderID=P.ProviderID
		AND PU.UserID=UI.UserID
-- skip the system tenant, keep only active Okta identities and active providers,
-- and only insert where no link exists yet (PU.UserIdentityClaimValue IS NULL)
WHERE UI.CompanyID > 1 AND UI.ProviderName='Okta' AND UI.Active=1
	AND P.Active=1 AND PU.UserIdentityClaimValue IS NULL

 
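Because the claim value written by the script above is what the OIDC login will use to pick an Acumatica account, it is worth checking for collisions before linking anything. The following T-SQL is an added example, not part of Kurt's post or of Acumatica's code: it assumes SQL Server and takes the table and column names (UserIdentity, OidcProvider, OidcProviderUsers, UserKey, ProviderName, Active) from the posted script. It lists UserKey values that would map to more than one user in a tenant, lists tenants with more than one active provider (the posted join on CompanyID alone would write one row per provider), and then runs the same insert inside a transaction that only commits when the row count matches the number of unlinked identities counted beforehand.

```sql
-- Added example (not from the original post). Assumes SQL Server and the
-- table/column names shown in the posted script.

-- 1. One Okta UserKey should resolve to exactly one Acumatica user per tenant.
--    A duplicate would let a single 'email' claim value link to two logins,
--    so list any collisions and resolve them by hand before linking.
SELECT UI.CompanyID, UI.UserKey, COUNT(DISTINCT UI.UserID) AS UserCount
FROM UserIdentity UI
WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1
GROUP BY UI.CompanyID, UI.UserKey
HAVING COUNT(DISTINCT UI.UserID) > 1;

-- 2. The posted script joins OidcProvider on CompanyID only, so a tenant with
--    more than one active provider would get one link row per provider.
SELECT P.CompanyID, COUNT(*) AS ActiveProviders
FROM OidcProvider P
WHERE P.Active = 1
GROUP BY P.CompanyID
HAVING COUNT(*) > 1;

-- 3. Run the insert in a transaction and commit only when the number of rows
--    written equals the number of unlinked identities counted beforehand.
DECLARE @Expected INT, @Written INT;

BEGIN TRANSACTION;

SELECT @Expected = COUNT(*)
FROM UserIdentity UI
    JOIN OidcProvider P ON P.CompanyID = UI.CompanyID AND P.Active = 1
    LEFT JOIN OidcProviderUsers PU ON PU.CompanyID = P.CompanyID
        AND PU.ProviderID = P.ProviderID
        AND PU.UserID = UI.UserID
WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1
    AND PU.UserIdentityClaimValue IS NULL;

-- Same selection as the posted script; the LEFT JOIN + WHERE P.Active = 1 of
-- the original is written here as an inner join, which is equivalent.
INSERT INTO OidcProviderUsers (CompanyID, UserID, ProviderID, UserIdentityClaimType, UserIdentityClaimValue)
SELECT UI.CompanyID, UI.UserID, P.ProviderID, 'email', UI.UserKey
FROM UserIdentity UI
    JOIN OidcProvider P ON P.CompanyID = UI.CompanyID AND P.Active = 1
    LEFT JOIN OidcProviderUsers PU ON PU.CompanyID = P.CompanyID
        AND PU.ProviderID = P.ProviderID
        AND PU.UserID = UI.UserID
WHERE UI.CompanyID > 1 AND UI.ProviderName = 'Okta' AND UI.Active = 1
    AND PU.UserIdentityClaimValue IS NULL;

SET @Written = @@ROWCOUNT;

IF @Written = @Expected
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected %d link rows but wrote %d; rolled back', 16, 1, @Expected, @Written);
END;
```

Run the two check queries on their own first; if either returns rows, fix the data (or restrict the insert to a specific ProviderID) before running the transactional part, since the row-count guard only catches a mismatch between the preview count and the insert, not a mapping that is wrong in both.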


  • Freshman I
  • 3 replies
  • September 28, 2022

David, I’ve got OneLogin w/ OpenID setup now so thank you!  I did have a question though. How are you passing the email?  Right now it errors out and says to login with form first. Once you do login with the form it ties the account but ideally we could pass the email as a parameter to the tenant right off the bat to do the matching.

 

Josh 



