Single Sign On Setup (SSO)

Moxion offers a Single Sign-On (SSO) solution that authenticates through either of the standard OpenID Connect or SAML 2.0 protocols. For OpenID Connect, we support the Authorization Code Flow with PKCE.

The Okta side of the setup has to be handled by whoever administers Okta within your organization, and the corresponding configuration on Moxion's end will be performed by a Moxion systems administrator. Those parties will need to securely exchange information such as the OpenID client secret.

What follows is a brief rundown of the steps required to configure a standard SSO login in Okta.

How Single Sign-On Works

Moxion is a standalone application which maintains its own list of users with their own associated permissions, teams and folder or production-level assignments. Users on the platform may be created within our app ecosystem, or by an upstream provider such as Okta which would then automatically provision them into Moxion through the SCIM 2 protocol. 

SSO allows a Moxion user to authenticate against an external identity provider such as Okta. We can be configured to allow sign-in only through SSO, or in a hybrid mode in which both SSO and native Moxion logins are permitted.

When performing SSO:

  • Users are sent from the Moxion webapp to the standard Okta login page. 
  • Login processing, password checking and MFA are all done at Okta’s side, using the Okta auth flows already defined by your organization.
  • Okta calls back to Moxion after a successful login, passing an OpenID Connect access token. This token is validated independently in the Moxion frontend and backend components, and re-validated by Okta. When using SAML 2.0, Okta responds with a SAMLResponse object that is validated on the backend component.
  • If everything checks out, a Moxion-specific login token is granted. No further communication with Okta occurs for the rest of the session.

Okta Application Setup for OpenID Connect SSO

This process is performed by an Okta administrator. Begin by logging into the Okta admin console and then create a new application using OpenID Connect and the Single Page App type.

Basic Parameters

The below information can be used to help you fill out the New Single-Page App Integration section. 

If you have a custom Moxion domain that is not https://app.moxion.io, you may need to adjust the URLs listed below.

Name: Moxion
Base URI: https://app.moxion.io
Login redirect URIs: https://app.moxion.io/login/sso/callback and io.moxion.ios:/callback
Logout redirect URIs: None
Group Assignments: As appropriate for the organization. We suggest a group such as “Moxion Users”; your users will need to be assigned to this group to log into Moxion.
Allowed Grant Types: Authorization Code On, Implicit Off
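As an added illustration (not Moxion's or Okta's own code) of the Authorization Code Flow with PKCE that the settings above select, the following Python sketch builds the client's verifier/challenge pair and authorize request against the redirect URI listed above, and shows the verifier check the token endpoint performs before it exchanges the code. The issuer and client ID are placeholders; everything else is standard library.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders: substitute your Okta auth domain (issuer) and the Client ID of the Okta app.
ISSUER = "https://PLACEHOLDER.okta.com/oauth2/default"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
# Redirect URI exactly as registered in the Okta application above.
REDIRECT_URI = "https://app.moxion.io/login/sso/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 (PKCE) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str, nonce: str) -> str:
    """Authorization request the single-page app sends the browser to."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",  # Authorization Code only; Implicit ("token") is Off
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,  # CSRF binding, checked on the callback
        "nonce": nonce,  # echoed in the ID token to bind it to this request
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def verifier_matches(verifier: str, challenge: str) -> bool:
    """Check the token endpoint makes: SHA-256 of the verifier must equal the challenge."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def callback_state_ok(callback_url: str, expected_state: str) -> bool:
    """Client-side check on the redirect back to /login/sso/callback."""
    qs = parse_qs(urlparse(callback_url).query)
    return qs.get("state", [None])[0] == expected_state and "code" in qs
```

An intercepted authorization code is useless without the verifier, which never leaves the client until the token request; that is why the Authorization Code grant with PKCE is preferred over Implicit for a single-page app.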


Adding a Moxion Icon to the Okta Landing Page

The default Okta landing page does not display a Moxion icon, but we recommend setting this up as it is a helpful reminder to users of where they're logging in. Okta requires the Implicit flow to be enabled to support this.

If that is acceptable from a security perspective, head in to edit the Okta application and change the following settings:

Allowed Grant Types: Enable Implicit (leave Authorization Code enabled)
Allow ID Token with implicit grant type: Off
Allow Access Token with implicit grant type: On
Login initiated by: Either Okta or App
Display application icon to users: On
Display application icon in the Okta Mobile app: Off
Login flow: Redirect to app to initiate login (OIDC compliant)
Initiate login URI: https://app.moxion.io/login

Finishing Up

Securely capture the Client ID and auth domain (issuer) and pass these back to Moxion support. We will work with you to configure the Moxion server with your client ID and IDP details. 

Once that is done, your Moxion login page will have a new Sign In option. At this point, users that are present in both Okta and Moxion will be able to log in via the Okta mechanism.

Okta Application Setup for SAML 2.0 SSO

This process is performed by an Okta administrator. Begin by logging into the Okta admin console and create a new application, choosing SAML 2.0 as the sign-on method.

Basic Parameters

Use the information below to fill out the matching fields on the Create SAML Integration page.

If you have a custom Moxion domain that is not https://app.moxion.io, you may need to adjust the URLs listed below. 
Name: Moxion
Single sign on URL: https://apiprod.moxion.io/authenticate/user/saml2
Audience URI (SP Entity ID): https://apiprod.moxion.io/
Default RelayState: *** To be provided by Moxion Support ***
Name ID format: EmailAddress
Application username: Email

Finishing Up

Securely capture the IDP metadata object and pass it back to Moxion support; we will work with you to configure the Moxion server with your IDP details. The IDP metadata object can be found by clicking the View Setup Instructions button.

Once that is done, your Moxion login page will have a new Sign In option. At this point, users that are present in both Okta and Moxion should be able to log in via the Okta mechanism.

SCIM Provisioning

The ideal next step is to configure the auto-provisioning of Moxion users from Okta. This allows users onboarded and offboarded in Okta to flow through to Moxion automatically. 

User provisioning from Okta to Moxion is achieved through Okta's SCIM 2 support. It requires setup and configuration of a SCIM app at Okta and the SCIM Gateway at Moxion.