Okta Setup Guide
Catalyst Blockchain Manager can integrate with the Okta platform for identity provisioning.
This guide shows how to set up your environment to enable the Okta integration.
1 - New Okta Setup
- Navigate to Security → API
- Select Default
- Add a policy
- Add a new rule and allow the following grants:
  - Client credentials
  - Authorization code
  - Refresh token
2 - Login Policy
- Go to Security → Authentication policies and click Add a policy
- Set the rule to require only password
- On this page, switch any client you add to this login policy
- Skip this step if you want MFA for every user created.
3 - Catalyst Client Setup
To use Catalyst we need to configure two new clients.
- Clients can be found in Applications → Applications
3.1 - UI Client
This is the client the UI user will access. When creating it, choose the following options:
- For Sign-in method choose OIDC - OpenID Connect, and for Application type choose Single-Page Application
- In Grant type select:
  - Authorization code
  - Refresh token
- For Assignments → Controlled access choose Allow everyone in your organization to access
Once the client has been created:
- In the client page go to LOGIN → Sign-in redirect URIs and add the following URLs:
  - <UI url>
  - <UI url>/domains
  - <UI url>/participants
3.2 - API Client
This client is used by the other components. When creating it, choose the following options:
- For Sign-in method choose OIDC - OpenID Connect, and for Application type choose Web Application
- Go to the next form and in Grant type select:
  - Client credentials
  - Authorization code
  - Refresh token
- For Assignments → Controlled access choose Skip group assignment for now
3.3 - Role Based Access
To configure the roles field for role-based access (these roles are added to the token as claims), go to Profile Editor → User (default):
- Select Add attribute
- Choose string array
- Set Display name to roles
- Set Variable name to roles
Next, go to API → default:
- Go to Claims and select Add Claim
- Add Value: user.roles
- Do the same again, but for Include in token type select ID token
3.4 - User
The User has access to the Catalyst Blockchain Manager console.
Go to Directory → People:
- Select Add person
- Fill in all required fields
- In Activation select Activate now
- Select I will set password and fill in the password
- Deselect User must change password on first login
- Select the newly created user
- In Profile, edit the Attributes
- Add the following to roles:
  - canton_viewer
  - canton_writer
4 - Creating clients and users for the new validators
4.1 - CNS and Wallet clients
These are the clients for CNS and Wallet; two separate clients can be created. When creating them, choose the following options:
- For Sign-in method choose OIDC - OpenID Connect, and for Application type choose Single-Page Application
- Go to the next form and in Grant type select:
  - Authorization code
  - Refresh token
- For Assignments → Controlled access choose Allow everyone in your organization to access
After creating the validator, go to the wallet page and obtain the wallet URL; this needs to be added to the redirect URIs:
- In the client page go to LOGIN → Sign-in redirect URIs and add that URL
5 - Obtaining the fields to create the Validator
- CNS Client Id, Wallet Client Id, Ledger API Client Id: in Applications → Applications a list of clients with their IDs is displayed
- Ledger API Client Secret: can be found on the client page
- Ledger API User: same as the Ledger API Client Id by default on Okta
- Wallet User: the username of the created user
- Audience: on Security → API check the Audience for the default Auth server