Okta Portal SSO

Use Okta as Identity Provider to login to Halo portal using SSO.

Prerequisites

Okta authorization server configured for Halo (see Okta Authorization Server)

Register your app in Okta

Create app integration

Login to Okta Admin Console → Navigate to Applications -> Applications.
Click Create App Integration → Choose OIDC - OpenID Connect.
Click Single-Page Application.

Configure app integration

Configure the following settings:
- App integration name: e.g. Glasswall Halo Portal
- Grant type: Choose below 3 options
  - Authorization Code
  - Refresh Token
  - Implicit (hybrid)
- Sign-in redirect URIs: e.g. https://<your-halo-domain>/authentication/login-callback
- Sign-out redirect URIs: e.g. https://<your-halo-domain>/authentication/logout-callback
- Controlled access: Choose Allow everyone in your organization to access. Or select only specific groups if you want to limit the access to few people.
- Unselect Enable immediate access with Federation Broker Mode.

Screenshot: Halo Portal Client

Save application and note client ID

Save the Application and note the Client ID.
```
export PORTAL_CLIENT_ID=""
```

Screenshot: Portal client id

Grant API scopes

Navigate to Okta API Scopes tab in the application and grant below scopes.
- okta.myAccount.email.read
- okta.myAccount.profile.read
- okta.users.read
- okta.users.read.self

Screenshots: Portal Okta API Scopes

Note issuer URI and audience

From the authorization server configured in the prerequisite step, note the Issuer Metadata URI and VALID_AUDIENCE:

export OKTA_ISSUER_URI="https://<your-okta-domain>/oauth2/<authorization-server-id>"
export OKTA_ORIGIN="https://<your-okta-domain>"
export VALID_AUDIENCE="api://halo"

Add access policy for portal

Navigate to the authorization server's Access Policies tab (Security -> API -> select your authorization server -> Access Policies).
Add a new access policy:
- Name: e.g. Portal SSO Access
- Description: e.g. Access policy for Halo Portal SSO users
- Assign to: the Portal SPA client created above (search by name Glasswall Halo Portal)
Add a rule:
- Name: e.g. Allow Portal Users
- Grant type: Authorization Code
- User is a member of: Everyone (or restrict to a specific group, e.g., Halo-Admin, if you want to limit Portal access)
- Leave other settings as defaults or adjust as needed.

Screenshot: Access policy for Portal SSO Screenshot: Add rule

Update Portal service

export HALO_DOMAIN=<your-halo-domain>
helm upgrade --install cdrplatform-portal cdrplatform-portal -n cdrplatform --reuse-values \
  --set configuration.AutoAdmin=false \
  --set configuration.BackendScope="email openid profile" \
  --set configuration.BackendUrl="https://${HALO_DOMAIN:?}" \
  --set configuration.EnabledPages="SystemSettings\,PolicySettings\,IcapSettings\,IcapRequests\,IcapReporting" \
  --set configuration.OIDC.ProviderOptions.Authority="${OKTA_ISSUER_URI:?}" \
  --set configuration.OIDC.ProviderOptions.ClientId="${PORTAL_CLIENT_ID:?}" \
  --set configuration.OIDC.ProviderOptions.PostLogoutRedirectUri="https://${HALO_DOMAIN:?}/authentication/logout-callback" \
  --set configuration.OIDC.ProviderOptions.RedirectUri="https://${HALO_DOMAIN:?}/authentication/login-callback" \
  --set appenvironment.HTTP_CSP_CONNECT_SRC="'self' ${OKTA_ORIGIN:?}" \
  --set appenvironment.HTTP_CSP_FRAME_SRC="'self' ${OKTA_ORIGIN:?}" \
  --set appenvironment.HTTP_CSP_FRAME_ANCESTORS="'self' ${OKTA_ORIGIN:?}" \
  --set ingress.enabled=true \
  --set ingress.tls.domain="${HALO_DOMAIN:?}" \
  --set ingress.tls.enabled=true \
  --atomic

Update Portal-Access service

helm upgrade --install cdrplatform-portal-access -n cdrplatform cdrplatform-portal-access --reuse-values \
  --set configuration.Authentication__Schemes__Bearer__Authority="${OKTA_ISSUER_URI:?}" \
  --set configuration.Authentication__Schemes__Bearer__ValidAudiences__0="${VALID_AUDIENCE:?}" \
  --set configuration.Authentication__Schemes__Bearer__ValidIssuer="${OKTA_ISSUER_URI:?}" \
  --set configuration.AuthenticationScheme="Bearer" \
  --set configuration.CORSDOMAIN="'*'" \
  --set ingress.enabled=true \
  --set ingress.tls.domain="${HALO_DOMAIN:?}" \
  --set ingress.tls.enabled=true \
  --atomic

Provide access to users

There are 2 roles in Halo - User and Admin. Roles are configured via group membership on the Okta authorization server (see Define Roles).

To provide user role, add the user to the Halo_User group.
To provide admin role, add the user to the Halo_Admin group.

Prerequisites​

Register your app in Okta​

Create app integration​

Configure app integration​

Save application and note client ID​

Grant API scopes​

Note issuer URI and audience​

Add access policy for portal​

Update Portal service​

Update Portal-Access service​

Provide access to users​