- Register the Visualization Data Service Application Server as an ‘Application’.
- Select the Applications tab and click Add Application.
- In the Create New Application screen, select OAuth Service and click Create.
- In the General Settings section, enter an Application Name such as ‘VDS Client’ and click Save.
- Note the Client ID for the next step.
- In the application Web Client, find the Client Application object created earlier (or find the default object that is already in the database) and update it.
- Update the Client application ID to match the Client ID value from Okta.
- In Okta, find the client application site’s Authorization Server (Security > API > Authorization Servers), select the Access Policies tab, and click Add New Access Policy.
- In the Add Policy dialog, set the policy as shown in the following example:

  | Name | Description | Assign to |
  | --- | --- | --- |
  | VDS Client Access Policy | Access policy for VDS Client | VDS Client |

- Click Create Policy.
- Click Add Rule.
  Rules allow for the configuration of the token lifetime and expiration.
- In the Add Rule dialog, set the rules as shown in the following example:

  | Option | Detail |
  | --- | --- |
  | Rule Name | VDS Client Token Rule |
  | IF Grant type is Client acting on behalf of itself | Client Credentials |
  | IF Grant type is Client acting on behalf of a user | |
  | AND User is | Any user assigned the application |
  | AND Scopes requested | Any scopes |
  | THEN Access token lifetime is | 1 Hour |
  | AND Refresh token lifetime is | Unlimited |
  | BUT will expire if not used every | 7 Days |

- Click Create Rule.

Make sure that all client applications, VDS APIs, and access policies are active. Inactive access policies can result in errors when you try to view the model.
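
One way to confirm that the access policy and token rule are active and applied is to inspect an access token issued to the VDS client. The following is an added example, not part of the product or Okta documentation; it assumes Okta's standard access-token claims (`cid`, `iss`, `uid`, `iat`, `exp`), and the Client ID and issuer values are constructed placeholders.

```python
import base64
import json

def _b64url(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_vds_token(token, client_id, issuer, max_lifetime=3600):
    """Return findings for an access token; an empty list means it matches.

    Diagnostic only: the signature is NOT verified here, so never use this
    to authenticate a caller.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    try:
        claims = json.loads(_b64url(parts[1]))
    except ValueError:
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    findings = []
    if claims.get("cid") != client_id:
        findings.append("cid does not match the Client ID noted in Okta")
    if claims.get("iss") != issuer:
        findings.append("iss is not the expected Authorization Server")
    if "uid" in claims:
        findings.append("uid present: token was issued on behalf of a user")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        findings.append("iat or exp missing")
    elif exp - iat > max_lifetime:
        findings.append(f"lifetime {exp - iat}s exceeds {max_lifetime}s rule")
    return findings

def make_sample(claims):
    # Builds an unsigned, constructed token for the demonstration below.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

# Constructed placeholder values, not real Okta identifiers.
CLIENT_ID = "0oaEXAMPLEvdsclient"
ISSUER = "https://example.okta.com/oauth2/ausEXAMPLE"
GOOD = {"iss": ISSUER, "cid": CLIENT_ID, "sub": CLIENT_ID,
        "iat": 1700000000, "exp": 1700003600}

if __name__ == "__main__":
    print(check_vds_token(make_sample(GOOD), CLIENT_ID, ISSUER))
    print(check_vds_token(make_sample({**GOOD, "exp": 1700007200}), CLIENT_ID, ISSUER))
```

A finding about lifetime or `uid` points at the token rule; a `cid` mismatch points at the Client Application object in the Web Client.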
Okta Components
When you complete the Okta setup for both your VDS Web and Application servers, your Okta system consists of the components listed below. For detailed installation and setup information, see your Okta documentation.
- Local Okta Users:
  - Users created as necessary for access to the application web client.
  - One specific user created for user impersonation with a matching user defined in the client application that has your required role assignments.
- Local Okta Group for the client application user authentication with all required Okta users included in the group.
- Authorization Server for the client application site with access policies added.
- Authorization Server for the VDS Web Server with:
  - Access policies that are added for the client application.
  - A matching VDS Connection object defined in the client application.
- Application for the client application using Proof Key for Code Exchange (PKCE) authentication with the local Okta group assigned.
- Application for the VDS Application Server using the Client Credentials authentication flow with:
  - The local Okta group assigned.
  - A matching Client Application object defined in the client application.