I want to integrate an authentication system

In Orquest, it is possible to integrate authentication systems based on Single Sign-On (SSO), enabling connection with various identity management platforms. This functionality allows clients to centralize credential management and ensure secure and efficient access to applications, both on mobile devices and web environments.

Through this integration, users can authenticate directly with their identity provider and access Orquest without the need to manage separate credentials. This approach enhances security and improves the user experience by simplifying the login flow.

Below are the necessary steps to configure the integration, detailing the differences between mobile and web applications, as well as key aspects to ensure optimal functionality.

Integration with Okta

Okta is a cloud-based identity and access management platform. It offers tools to implement secure authentication and authorization using Single Sign-On (SSO), Multi-Factor Authentication (MFA), and centralized user management. Thus, it allows organizations to unify access to their internal and external systems, improving security and simplifying the user experience.

Configuration for the Mobile Application

For access through the mobile application, the client must configure the following parameters:

  • Issuer: defined by the client.

  • Client ID: generated by the client in Okta.

  • Redirect URL: redirect URL provided by Orquest. This connects the SSO page to the mobile application.

In the mobile application, this configuration is selected through an identifier that the user enters: in the Orquest login window, under the Sign in with SSO option, the user enters this identifier, which loads the configuration needed to perform the login. Once the login succeeds in Okta, the user is redirected back to Orquest with the session already started.

It is crucial that the email field matches between the Okta and Orquest user records, as email is the attribute used to match identities and is what makes the integration possible.

In short, during the login process in the app, the user must:

  1. Select the Login with SSO option.

  2. Enter the identifier associated with the client’s SSO configuration. This identifier loads the necessary data to interact with Okta and complete the login.

  3. Authenticate in Okta.

If the login is successful, Okta redirects the user back to the Orquest mobile app with the session started.

Configuration for the Web Application

The process is similar to the mobile scenario, except that no identifier is needed to reach the Okta redirect. Instead, a URL is configured that redirects to the authentication system. A dual login can be set up so that users can access with or without SSO, or SSO can be set as the only login method.

Upon accessing Orquest, the user may be automatically redirected to the Okta authentication URL, and once authentication is completed, Okta redirects the user back to the Orquest web application with the session started.

As in the mobile application, the email field must match between Okta and Orquest to ensure a successful integration.

Okta Integration Summary with Orquest

  1. Type of integration. OpenID Connect (OIDC) is used as the authentication protocol. It provides authentication only, not authorization. User creation is managed through the API, which assigns the user roles defined in the system.

  2. User recognition. Users are identified by their email, which serves as the unique identifier.

  3. Required Redirect URLs. Orquest will provide the redirect URLs for mobile and web depending on the client’s access method. For web redirection, a dedicated domain must be set up beforehand.

  4. Expected authentication flow:

    • Authorization Code Flow (OIDC).

    • The user is redirected to Okta for authentication.

    • Okta returns an authorization code which is exchanged for an ID Token and an Access Token.

    • The ID Token is validated and the session is created in Orquest.

  5. Technical data required from the client. The client must register the Orquest application in their Okta instance and define permissions and scopes, providing Orquest with the following information:

    • client_id.

    • client_secret.

    • issuer_uri.

    • Required scopes: profile, email, openid.

Once Orquest has this data, the system and the redirect URL can be configured.
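The following is an added worked example of the Authorization Code Flow summarised in points 4 and 5, together with the email-based user matching described in point 2. It is illustration code, not Orquest's or Okta's implementation. Every value in it is constructed: the issuer_uri, client_id, client_secret, redirect URL, user directory, authorization code and ID token. The ID token is signed with HS256 under the constructed client_secret only so that the example runs offline; a real Okta ID token is RS256-signed and is verified against the keys published at the jwks_uri listed in the issuer's /.well-known/openid-configuration document, and the endpoint paths below (/v1/authorize, /v1/token) are likewise taken from that discovery document in a real deployment.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://example.okta.com/oauth2/default"     # constructed issuer_uri
CLIENT_ID = "0oa_constructed_client_id"                # constructed client_id
CLIENT_SECRET = b"constructed-client-secret"           # constructed client_secret
REDIRECT_URI = "https://orquest.example/sso/callback"  # constructed redirect URL
SCOPES = ("openid", "profile", "email")                # the scopes the page requires

# Constructed Orquest-side user records, keyed by the matching attribute: email.
USERS = {"ana@example.com": {"id": 42, "role": "manager"}}


class SsoError(Exception):
    """Raised whenever the flow must stop without creating a session."""


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(state, nonce):
    """Step 1: the URL the browser is redirected to so the user authenticates in Okta."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,   # bound to this browser session; checked on the callback (CSRF)
        "nonce": nonce,   # must be echoed back inside the ID token (replay check)
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def validate_id_token(token, expected_nonce, now=None):
    """Step 4: verify the signature and the iss/aud/exp/nonce claims before trusting any claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise SsoError("malformed ID token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept "none"
        raise SsoError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise SsoError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER:
        raise SsoError("issuer mismatch")
    if CLIENT_ID not in aud:
        raise SsoError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise SsoError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise SsoError("nonce mismatch")
    return claims


def create_session(claims):
    """Match the email claim to an Orquest user record; no match means no session."""
    email = claims.get("email")
    user = USERS.get(email) if email else None
    if user is None:
        raise SsoError(f"no Orquest user with email {email!r}")
    return {"user_id": user["id"], "role": user["role"], "email": email}


def handle_callback(callback_url, expected_state, expected_nonce, exchange_code, now=None):
    """Steps 3 and 4: check state, swap the code for tokens, validate, then open the session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise SsoError("state mismatch")
    if "code" not in query:
        raise SsoError(f"authorization failed: {query.get('error', ['unknown'])[0]}")
    tokens = exchange_code(query["code"][0])  # real flow: POST {ISSUER}/v1/token
    claims = validate_id_token(tokens["id_token"], expected_nonce, now)
    return create_session(claims)


def sign_id_token(claims):
    """Constructed stand-in for Okta minting an ID token (HS256 here; RS256 in reality)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def constructed_token_endpoint(nonce, email="ana@example.com", now=None):
    """Returns a stand-in token endpoint that honours exactly one constructed code."""
    now = int(time.time() if now is None else now)

    def exchange(code):
        if code != "constructed-code":
            raise SsoError("invalid_grant")
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "00u_constructed", "email": email,
                  "iat": now, "exp": now + 3600, "nonce": nonce}
        return {"id_token": sign_id_token(claims), "access_token": "constructed-access-token"}
    return exchange


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(state, nonce))
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    print(handle_callback(callback, state, nonce, constructed_token_endpoint(nonce)))
```

The order of checks in `validate_id_token` is deliberate: the signature is verified before any claim is read, the issuer and audience are compared against the configured issuer_uri and client_id rather than against values from the token, and the nonce ties the token to the authorization request that the browser actually started. The email lookup happens only after all of that, which is why a user who authenticates successfully in Okta but has no matching email in Orquest gets no session.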