Curiosity supports User Management via Okta Single Sign-In (SSO). Rather than maintaining names, email addresses, and passwords for Users that may log into the application, you can connect with accounts that already exist in your Okta application (meaning that Users are not burdened with yet another password to remember).

To do so, you require four pieces of information:

  • an Okta "Domain"
  • an "Authorization Server Name"
  • a "Client ID"
  • a "Client Secret"

It is presumed that you already have an Okta account that you will be configuring to enable Curiosity SSO and that you have administrative privileges to make the changes to the Okta account. It is also presumed that you have an administrator account for your Curiosity application.

(If you are in the technical evaluation phase with Curiosity or Okta, Okta has a free trial option available at https://www.okta.com/free-trial/FRT that may be of interest if you do not already use Okta)

Creating an Okta application

Go to your Okta Developer Console, it will have a URL that looks something like on the following:

https://dev-123456-admin.okta.com

https://companyname-admin.okta.com

Ensure that you are logged in with an account that has access to make changes. If you are uncertain then try to follow the steps below and talk to your administrator if any of them result in any "unable to access" or "access denied" error.

Click on "Applications" in the top menu, then "Add Application"

Then select the "Web" option and click Next.

Enter a name such as "Curiosity SSO".

Click the "X" on the right-hand side of the pre-filled "Bare URIs" entry, as this option does not apply to this type of integration.

Do the same for "Logout redirect URIs" as this is also not required.

You need to tell the SSO process how to get back to Curiosity after a successful login, which is the purpose of the "Login redirect URIs" entry. The format of the URI is:

{domain}/api/oktasso/completed-login-attempt

If your Curiosity application is hosted by us then it will look something like this:

https://acmecompany.curiosity.ai/api/oktasso/completed-login-attempt

If you have installed a local instance of the application with the default settings then it will look like this:

http://localhost:8080/api/oktasso/completed-login-attempt

Change the pre-filled "Login redirect URIs" entry to the appropriate value.

Click "Done".

You now have an application configured and the summary page that you are on will show the "Client ID" and "client secret" values at the bottom.

(The Client ID will be a string around twenty characters long, consisting of lower case letters and numbers. The Client Secret will be a longer value, consisting of upper and lower case letters, numbers, and symbols.)

These are two of the four pieces of information required. To get the remaining two, click on "API" in the top menu and then "Authorization Servers".

Okta creates an "Authorization Server" called "default" automatically - this is the "Authorization Server Name" value that is required. This view also shows the Okta domain that is to be used, it is the "Issuer URI" value without the "/oauth2/default" path.

(You can create test users for this application by clicking on "Users" in the top menu and then "People" and then clicking "Add Person" to create a new account— for testing, it makes sense to select "Set by admin" for the password and to untick the "User must change password on first login box". You will then be able to use this newly-created to test logging into Curiosity.)

Entering the details into Curiosity

Click the menu button at the top left, then click "Settings", then "Accounts" and then "Single Sign-On".

(If you don't see a "Single Sign-On" option and the only item under "Accounts" is "Profile" then you are not logged into Curiosity with an administrator account)

Click "Okta" and then enter the Domain, Authorization Server Name, Client ID, and Client Secret.

Click "Save".

Okta SSO is now configured for this application.

To test it, log out (by clicking the user name at the top right and then clicking "Logout" in the panel that appears). The log in screen will now present a "Log in with Okta" option.

Click "Log in with Okta" and you will be redirected to an Okta page where you can enter credentials for an account related to the Okta application.

Click "Sign In" and you will be redirected back to the Curiosity application as a logged-in User relating to the email address that you specified.

If a User account does not exist in Curiosity for the email that you chose then one will automatically be created (so that it is possible for the Curiosity application administrators to set access rights and permissions). The email and name from the Okta account will be used to populate the account in the Curiosity application. If a User account already existed for the specified email then any permissions that have been set in will not be altered but the name will be updated if the name in the Okta account does not match the name in the Curiosity User account.

Removing the "Log in with Okta" option

If you wish to remove Okta SSO as an option for your Curiosity application then go back to Menu / Settings / Accounts / Single Sign-On / Okta, clear the "Domain" text, and click Save. This will remove all four pieces of SSO configuration from the Curiosity application and the "Log in with Okta" option will no longer be presented.

Troubleshooting

You must enter the Domain, Authorization Server Name, Client ID, and Client Secret values correctly. If any of them are wrong then you may experience one of the following:

  • If the Domain, Authorization Server Name, or Client ID are wrong then you will be shown an error from Okta as soon as you are redirected from Curiosity to Okta.
  • If the first three values are correct but the Client Secret is wrong then you will be able to select an account but you will receive an error when you are redirected back to Curiosity.

It is also of vital importance that the "Redirect URI" that you set in the Okta application earlier was correct. If it is not then you will receive an error when you are directed to the Okta login page:

Did this answer your question?