Single Sign On Setup (SSO)
Moxion offers a Single Sign-On (SSO) solution that authenticates through either of the standard OpenID Connect or SAML 2.0 protocols. For OpenID Connect, we support the Authorization Code Flow with PKCE.
Setup on the Okta side has to be handled by whoever administers Okta within your organization, and the corresponding configuration on Moxion's end is performed by a Moxion systems administrator. Those parties will need to securely exchange information such as the OpenID client secret.
What follows is a brief rundown of the steps required to configure a standard SSO login in Okta.
How Single Sign-On Works
Moxion is a standalone application that maintains its own list of users with their associated permissions, teams and folder- or production-level assignments. Users on the platform may be created within our app ecosystem, or by an upstream provider such as Okta, which then automatically provisions them into Moxion through the SCIM 2 protocol.
SSO allows a Moxion user to authenticate against an external identity provider such as Okta. Moxion can be configured to allow sign-in only through SSO, or in a hybrid mode in which both SSO and native Moxion logins are permitted.
When performing SSO:
- Users are sent from the Moxion webapp to the standard Okta login page.
- Login processing, password checking and MFA are all done at Okta’s side, using the Okta auth flows already defined by your organization.
- Okta calls back to Moxion after a successful login, passing an OpenID Connect access token. This token is validated independently in the Moxion frontend and backend components, and re-validated by Okta. When using SAML 2.0, Okta instead responds with a SAMLResponse object that is validated by the backend component.
- If everything checks out, a Moxion-specific login token is granted. No further communication with Okta occurs for the rest of the session.
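As an added illustration of the Authorization Code Flow with PKCE and the callback step described above (example code, not Moxion's or Okta's own): the client generates the PKCE pair, builds the authorization request, checks the redirect back from the IdP, and the authorization server recomputes the challenge when the code is redeemed. The issuer and client ID are constructed placeholders; the redirect URI is the one registered in the Okta application.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: ISSUER and CLIENT_ID stand for the Okta auth domain and Client
# ID the page says to pass to Moxion support; the redirect URI is the registered one.
ISSUER = "https://example.okta.com"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REGISTERED_REDIRECTS = {"https://app.moxion.io/login/sso/callback"}

def _b64url(data: bytes) -> str:
    """RFC 7636 base64url encoding with padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(code_challenge: str, state: str, redirect_uri: str) -> str:
    """Build the request that sends the user from Moxion to the Okta login page."""
    if redirect_uri not in REGISTERED_REDIRECTS:
        raise ValueError("redirect_uri is not registered in the Okta application")
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "scope": "openid profile email",
        "redirect_uri": redirect_uri, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{ISSUER}/oauth2/v1/authorize?{urlencode(params)}"  # org authorization server

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Check the redirect back from Okta and return the authorization code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" not in REGISTERED_REDIRECTS:
        raise ValueError("callback arrived on an unregistered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"IdP returned error: {query['error'][0]}")
    # A state mismatch means the callback was not started by this login attempt.
    if not hmac.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    return query["code"][0]

def verifier_matches_challenge(code_verifier: str, code_challenge: str) -> bool:
    """The check the authorization server makes when the code is redeemed for tokens."""
    recomputed = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, code_challenge)
```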
Okta Application Setup for OpenID Connect SSO
This process is performed by an Okta administrator. Log into the Okta admin console and create a new application using OpenID Connect with the Single-Page App type.
The information below can be used to fill out the New Single-Page App Integration section.
| Login redirect URIs | https://app.moxion.io/login/sso/callback |
| Logout redirect URIs | None |
| Group Assignments | As appropriate for the organization. We suggest a group such as "Moxion Users"; your users will need to be assigned to this group to log into Moxion. |
Adding a Moxion Icon to the Okta Landing Page
The default Okta landing page does not display a Moxion icon, but we recommend setting this up because it helps remind users where they are logging in. Okta requires the Implicit flow to be enabled to support this.
If that is acceptable from a security perspective, edit the Okta application and change the following settings:
| Allowed Grant Types | Enable Implicit (leave Authorization Code enabled) |
| Allow ID Token with implicit grant type | Off |
| Allow Access Token with implicit grant type | On |
| Login initiated by | Either Okta or App |
| Display application icon to users | On |
| Display application icon in the Okta Mobile app | Off |
| Login flow | Redirect to app to initiate login (OIDC compliant) |
| Initiate login URI | https://app.moxion.io/login |
Securely capture the Client ID and auth domain (issuer) and pass these back to Moxion support. We will work with you to configure the Moxion server with your client ID and IDP details.
Once that is done, your Moxion login page will have a new Sign In option. At this point, users that are present in both Okta and Moxion will be able to log in via the Okta mechanism.
Okta Application Setup for SAML 2.0 SSO
This process is performed by an Okta administrator. Log into the Okta admin console and create a new application, choosing the SAML 2.0 sign-on method.
Use the information below to fill out the matching fields on the Create SAML Integration page.
| Single sign on URL | https://apiprod.moxion.io/authenticate/user/saml2 |
| Audience URI (SP Entity ID) | https://apiprod.moxion.io/ |
| Default RelayState | *** To be provided by Moxion Support *** |
| Name ID format | EmailAddress |
Securely capture the IDP metadata object and pass it back to Moxion support; we will work with you to configure the Moxion server with your IDP details. The IDP metadata object can be found by clicking the View Setup Instructions button.
Once that is done, your Moxion login page will have a new Sign In option. At this point, users that are present in both Okta and Moxion should be able to log in via the Okta mechanism.
The ideal next step is to configure the auto-provisioning of Moxion users from Okta. This allows users onboarded and offboarded in Okta to flow through to Moxion automatically.
User provisioning from Okta to Moxion is achieved through Okta's SCIM 2 support. It requires setting up and configuring a SCIM app at Okta and the SCIM Gateway at Moxion.