Single Sign On Setup (SSO)

Flow Capture offers a Single Sign-On (SSO) solution that authenticates through either of the standard OpenID Connect or SAML 2.0 protocols. For OpenID Connect, we support the Authorization Code Flow with PKCE.
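To make concrete what "Authorization Code Flow with PKCE" means on the client side, here is an added example (not Flow Capture's or Okta's code) written in Go against the standard library only. It generates the PKCE verifier/challenge pair, builds the authorize request with a bound state and nonce, and checks the redirect back. The Okta issuer and client ID are placeholders; the redirect URI is the one listed later on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Assumed values: the Okta issuer and client ID are placeholders for what the
// Okta administrator hands over; the redirect URI is the one listed on this page.
const (
	issuer      = "https://EXAMPLE-ORG.okta.com/oauth2/default" // placeholder
	clientID    = "CLIENT_ID_FROM_OKTA"                         // placeholder
	redirectURI = "https://app.moxion.io/login/sso/callback"
)

// NewRandomToken returns 32 random bytes as 43 unpadded base64url characters,
// which is a valid RFC 7636 code_verifier and also serves for state and nonce.
func NewRandomToken() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives the S256 challenge: BASE64URL(SHA256(verifier)),
// with no '=' padding. Only the challenge leaves the client before the callback.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL builds the request the browser is redirected to. state ties the
// callback to this browser session; nonce is later checked inside the ID token.
func AuthorizeURL(state, nonce, challenge string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code") // Authorization Code flow, not Implicit
	q.Set("scope", "openid profile email")
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return issuer + "/v1/authorize?" + q.Encode()
}

// ParseCallback checks the redirect back from Okta. An error response must not
// be mistaken for a code, and a state mismatch means the response does not
// belong to the login this session started (CSRF or a stale tab).
func ParseCallback(rawCallback, expectedState string) (string, error) {
	u, err := url.Parse(rawCallback)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization server returned error %q", e)
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", fmt.Errorf("state mismatch")
	}
	code := q.Get("code")
	if code == "" {
		return "", fmt.Errorf("callback carried no authorization code")
	}
	return code, nil
}

func main() {
	verifier, err := NewRandomToken()
	if err != nil {
		panic(err)
	}
	state, _ := NewRandomToken()
	nonce, _ := NewRandomToken()
	fmt.Println(AuthorizeURL(state, nonce, CodeChallengeS256(verifier)))
	// Simulated callback (constructed); the SPA would now POST code plus the
	// stored verifier to the token endpoint, where Okta recomputes the challenge.
	code, err := ParseCallback(redirectURI+"?code=abc123&state="+state, state)
	fmt.Println(code, err)
}
```

The point of PKCE for a Single Page App is that the verifier never leaves the browser until the code exchange, so an intercepted authorization code cannot be redeemed without it; that is why the app type needs no client secret for the login itself.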

Setup for Okta has to be handled by someone who administers that within your organization, and the corresponding configuration on Flow Capture's end will be performed by a Flow Capture systems administrator. Those parties will need to securely exchange information such as the Open ID client secret. 

What follows is a brief rundown of the steps required to configure a standard SSO login in Okta.

How Single Sign-On Works

Flow Capture is a standalone application which maintains its own list of users with their own associated permissions, teams and folder or production-level assignments. Users on the platform may be created within our app ecosystem, or by an upstream provider such as Okta which would then automatically provision them into Flow Capture through the SCIM 2 protocol. 

SSO allows a Flow Capture user to authenticate against an external identity provider such as Okta. We can be configured to allow sign-in only through SSO, or in a hybrid mode in which both SSO and native Flow Capture logins are permitted.

When performing SSO:

  • Users are sent from the Flow Capture webapp to the standard Okta login page. 
  • Login processing, password checking and MFA are all done at Okta’s side, using the Okta auth flows already defined by your organization.
  • Okta calls back to Flow Capture after a successful login, passing an OpenID Connect access token. This token is validated independently in the Flow Capture frontend and backend components, and re-validated by Okta. When using SAML 2.0, Okta responds with a SAMLResponse object that is validated on the backend component.
  • If everything checks out, a Flow Capture-specific login token is granted. No further communication with Okta occurs for the rest of the session.
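The third bullet says the token coming back from Okta is validated on both the frontend and the backend. The following added example (Go, standard library only; not Flow Capture's own code) shows the checks a backend runs on an OpenID Connect ID token before minting its own session token: a pinned signing algorithm, a signature check against the issuer's published key, and then the issuer, audience, expiry and nonce claims. The issuer and client ID are placeholders, and the token is signed locally with a throwaway key so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Values the backend expects; both are placeholders for the real Okta settings.
const (
	expectedIssuer   = "https://EXAMPLE-ORG.okta.com/oauth2/default" // placeholder
	expectedAudience = "CLIENT_ID_FROM_OKTA"                         // placeholder
)

// Claims holds the subset of ID token claims checked here. Okta sets aud on
// an ID token to the client ID string.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 produces a JWT the way the identity provider would; it exists only
// to construct test input and would never live in the relying party.
func SignRS256(kid string, key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	sum := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// ValidateIDToken is the check the callback handler runs. keys stands in for
// the issuer's JWKS, indexed by kid; expectedNonce is what this login stored.
func ValidateIDToken(token string, keys map[string]*rsa.PublicKey, expectedNonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token must not get to choose "none" or an HMAC variant.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	// Only after the signature holds do the claims mean anything.
	bodyJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != expectedIssuer:
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != expectedAudience:
		return nil, fmt.Errorf("token not issued for this client: aud %q", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != expectedNonce:
		return nil, errors.New("nonce mismatch: token not from this login attempt")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key standing in for Okta's
	keys := map[string]*rsa.PublicKey{"kid-1": &key.PublicKey}
	now := time.Now()
	tok, _ := SignRS256("kid-1", key, Claims{Iss: expectedIssuer, Aud: expectedAudience,
		Sub: "user@example.com", Exp: now.Add(5 * time.Minute).Unix(), Nonce: "n1"})
	c, err := ValidateIDToken(tok, keys, "n1", now)
	fmt.Println(c, err)
	_, err = ValidateIDToken(tok, keys, "n1", now.Add(time.Hour)) // expired
	fmt.Println(err)
}
```

In production the key set is fetched from the issuer's JWKS endpoint and cached, and the nonce is the one the frontend generated when it built the authorize request; once these checks pass, the backend issues its own Flow Capture session token and, as the bullet above says, Okta is not contacted again for that session.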

Okta Application Setup for OpenID Connect SSO

This process is performed by an Okta administrator. Begin by logging into the Okta admin console and then create a new application using OpenID Connect and the Single Page App type.

Basic Parameters

Use the information below to fill out the New Single-Page App Integration section.

If you have a custom Flow Capture domain that is not https://app.moxion.io, you may need to adjust the URLs listed below. 

Name: Flow Capture
Base URI: https://app.moxion.io
Login redirect URIs:

https://app.moxion.io/login/sso/callback

io.moxion.ios:/callback

Logout redirect URIs: None
Group Assignments: As appropriate for the organization. Suggest a group such as “Flow Capture Users”. Your users will need to be assigned to this group to log into Flow Capture.
Authorization Code: On
Implicit: Off

Adding a Flow Capture Icon to the Okta Landing Page

The default Okta landing page does not display a Flow Capture icon, but we recommend setting this up as it is a helpful feature to remind folks where they're logging in. Okta requires the Implicit flow be enabled to support this. 

If that is acceptable from a security perspective, head in to edit the Okta application and change the following settings:

Allowed Grant Types: Enable Implicit (leave Authorization Code enabled)
Allow ID Token with implicit grant type: Off
Allow Access Token with implicit grant type: On
Login initiated by: Either Okta or App
Display application icon to users: On
Display application icon in the Okta Mobile app: Off
Login flow: Redirect to app to initiate login (OIDC compliant)
Initiate login URI: https://app.moxion.io/login

Finishing Up

Securely capture the Client ID and auth domain (issuer) and pass these back to Flow Capture support. We will work with you to configure the Flow Capture server with your client ID and IDP details. 

Once that is done, your Flow Capture login page will have a new Sign In option. At this point, users that are present both in Okta and Flow Capture will be able to log in via the Okta mechanism.

Okta Application Setup for SAML 2.0 SSO

This process is performed by an Okta administrator. Begin by logging into the Okta admin console, then create a new application and choose the SAML 2.0 sign-on method.

Basic Parameters

Use the information below to fill out the matching fields on the Create SAML Integration page.

If you have a custom Flow Capture domain that is not https://app.moxion.io, you may need to adjust the URLs listed below. 

Name: Flow Capture
Single sign on URL: https://apiprod.moxion.io/authenticate/user/saml2
Audience URI (SP Entity ID): https://apiprod.moxion.io/
Default RelayState: *** To be provided by Flow Capture Support ***
Name ID format: EmailAddress
Application username: Email

Finishing Up

Securely capture the IDP metadata object and pass it back to Flow Capture support; we will work with you to configure the Flow Capture server with your IDP details. The IDP metadata object can be found by clicking the View Setup Instructions button.

Once that is done, your Flow Capture login page will have a new Sign In option. At this point, users that are present both in Okta and Flow Capture should be able to log in via the Okta mechanism.

SCIM Provisioning

The ideal next step is to configure the auto-provisioning of Flow Capture users from Okta. This allows users onboarded and offboarded in Okta to flow through to Flow Capture automatically. 

User provisioning from Okta to Flow Capture is achieved through Okta's SCIM 2 support. It requires setup and configuration of a SCIM app at Okta and the SCIM Gateway at Flow Capture.