Okta Setup Guide
Catalyst Blockchain Manager can use the Okta platform as its identity provider.
This guide shows how to set up your environment to enable the integration with Okta.
1 - New Okta Setup
* Navigate to Security→API
* Select Default
* Add a policy
* Add a new rule and allow the following grants:
  * Client credentials
  * Authorization code
  * Refresh token
2 - Login Policy
* Go to Security→Authentication policies and click Add a policy
* Set the rule to require only a password
* Switch every client you add to this login policy on this page
Skip this step if you want MFA for every user created.
3 - Catalyst Client Setup
To use Catalyst we need to configure two new clients.
Clients can be found in Applications→Applications.
3.1 - UI Client
This is the client the UI user will sign in with. When creating it, choose the following options:
* For Sign-in method choose: OIDC - OpenID Connect; for Application type choose: Single-Page Application
* In Grant type select:
  * Authorization code
  * Refresh token
* For Assignments→Controlled access choose: Allow everyone in your organization to access
Once the client has been created, open the client page, go to LOGIN→Sign-in redirect URIs and add the following URLs:
* <UI url>
* <UI url>/domains
* <UI url>/participants
3.2 - API Client
This client is used by the other components. When creating it, choose the following options:
* For Sign-in method choose: OIDC - OpenID Connect; for Application type choose: Web Application
* Go to the next form and in Grant type select:
  * Client Credentials
  * Authorization Code
  * Refresh Token
* For Assignments→Controlled access choose: Skip group assignment for now
3.3 - Role Based Access
To configure the roles field for role-based access (these roles will be added to the tokens as claims), go to Profile Editor→User (default):
* Select Add attribute
* Choose string array as the data type
* Set Display name to roles
* Set Variable name to roles
Next, go to API→default:
* Go to Claims and select Add Claim
* Set Value to user.roles
* Add the claim a second time, this time selecting ID token under Include in token type
3.4 - User
The user has access to the Catalyst Blockchain Manager console.
* Go to Directory→People
* Select Add person
* Fill in all required fields
* In Activation select Activate now
* Select I will set password and fill in the password
* Deselect User must change password on first login
* Select the newly created user
* In Profile, edit the Attributes
* Add the following to roles:
3.5 - Add required fields to Helm charts
Fill in the following fields in the Helm chart values:
url: ""
idApiOperator: ""
idUI: ""
secret: ""
* auth.url: the Issuer URI, obtained in the Okta Admin interface: go to Security→API and use the Issuer URI field shown for the default authorization server
* auth.client.idApiOperator: go to Applications→Applications, select the API client we created and copy its Client ID
* auth.client.idUI: go to Applications→Applications, select the UI client we created and copy its Client ID
* auth.client.secret: go to Applications→Applications, select the API client we created and copy its Client Secret
4 - Creating clients and users for the new validators
4.1 - CNS and Wallet clients
These are the clients for CNS and Wallet; two separate clients can be created. When creating them, choose the following options:
* For Sign-in method choose: OIDC - OpenID Connect; for Application type choose: Single-Page Application
* Go to the next form and in Grant type select:
  * Authorization Code
  * Refresh Token
* For Assignments→Controlled access choose: Allow everyone in your organization to access
After creating the validator, go to the wallet page and obtain the wallet URL; it needs to be added as a redirect URI: in the client page go to LOGIN→Sign-in redirect URIs and add that URL.
5 - Obtaining the fields to create the Validator
* CNS Client Id, Wallet Client Id, Ledger API Client Id: in Applications→Applications a list of clients with their IDs is displayed
* Ledger API Client Secret: can be found on the client page
* Ledger API User: same as the Ledger API Client Id by default on Okta
* Wallet User: the username of the created user
* Audience: in Security→API, check the Audience of the default authorization server
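The guide configures a custom `roles` claim (section 3.3) and tells you where to read the Issuer URI and Audience of the default authorization server (sections 3.5 and 5). The following is an added example, not code from the guide or from the Catalyst project, of the checks a component consuming those tokens should perform before trusting the roles: signature first, then issuer, audience and expiry, and only then the `roles` claim. It assumes the claim was named `roles` when it was added in Okta, and it uses constructed placeholder values for the issuer, audience and secret. Okta signs tokens with RS256 and publishes its keys at the issuer's JWKS endpoint; to run offline with the standard library only, this example signs with HS256 and a constructed shared secret instead, which changes only the signature step, not the claim checks.

```python
"""Added example (not part of the Catalyst/Okta guide): verify the claims a
Catalyst component should check on a token issued by the Okta default
authorization server, then extract the custom 'roles' claim from section 3.3.
Assumption: Okta really uses RS256 + JWKS; HS256 with a shared secret is used
here only so the example runs offline without third-party packages."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders standing in for the values the guide tells you to
# copy out of Okta. Not real identifiers.
ISSUER = "https://example.okta.com/oauth2/default"  # auth.url (Issuer URI, Security→API)
AUDIENCE = "api://default"                           # Audience of the default auth server
SHARED_SECRET = b"constructed-example-secret"        # stands in for the issuer's JWKS keys


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a constructed HS256 JWT standing in for an Okta-issued token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, issuer: str = ISSUER, audience: str = AUDIENCE,
                 secret: bytes = SHARED_SECRET, now: float = None) -> dict:
    """Return the verified claims or raise ValueError.

    The signature is checked before any claim is read, and the algorithm is
    pinned so a token announcing 'none' or another alg is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def roles_from_token(token: str, **kw) -> list:
    """Roles arrive in the custom 'roles' claim (value user.roles, a string
    array per section 3.3); a missing claim means the user has no roles."""
    roles = verify_token(token, **kw).get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles claim must be a string array")
    return roles


def classify(token: str, **kw) -> str:
    """'ok' for a token that passes every check, otherwise the failure reason."""
    try:
        verify_token(token, **kw)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = time.time()
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 600,
                       "sub": "wallet-user", "roles": ["admin"]})
    print("good token:", classify(good), roles_from_token(good))
    wrong_aud = mint_token({"iss": ISSUER, "aud": "api://other", "exp": now + 600})
    print("wrong audience:", classify(wrong_aud))
```

The same check sequence applies to the Ledger API, CNS and Wallet clients from section 5: each component compares `iss` against the Issuer URI it was given in the Helm values and `aud` against the Audience read from Security→API, so a token minted for a different authorization server or tenant is rejected even though its signature is valid.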