- Select the API tab, and click Authorization Servers.
- Click Add Authorization Server. Enter the following details:
  Setting     | Description
  Name        | The name of the authorization server.
  Audience    | A GUID generated using the GUID website http://new-guid.com. The GUID must be in upper case. Keep a record of the generated GUID, as it is used as the Smart API Service ID scope for the authorization server.
  Description | The description of the authorization server.
- Click Save.
  Take note of the Issuer and the Audience generated, as these will be used in the web.config file.
- Select the Scopes tab, and click Add Scope.
- In the Add Scope dialog box, set the following values:
  - Set the GUID generated in the Audience box as the Name.
  - Add a Description.
  - Select the Include in public metadata check box. Do not select the Set as default scope check box.
  - Click Create.
- Click Add Scope again, and provide the following values:
  - Type "ingr.api" as the name.
  - Select the Include in public metadata check box, and leave the Set as default scope check box clear.
  - Click Create.
- Select the Claims tab, and click Add Claim.
- In the Add Claim dialog box, create the following two claims:
  Name            | Value
  Ingr.session_id | String.replace(String.replace(String.replace(Time.now(), ":", ""), "-", ""), ".", "")
  name            | String.join("",user.firstName,user.lastName)
  The ingr.session_id claim strips some of the special characters from the standard Timestamp format, because the value is used when creating temporary folders in the file server. The claim value in the Okta configuration must therefore be: String.replace(String.replace(String.replace(Time.now(), ":", ""), "-", ""), ".", "")
  Retain the default values given in the Include in Token Type, Value Type, and Include In boxes.
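As an added illustration (not part of the original documentation), the following Python mirrors the ingr.session_id expression on a constructed Okta-style Time.now() value, shows the server-side shape check a file server should apply before using that claim as a folder name, and checks the upper-case GUID rule for the Audience. The regular expressions and sample values are assumptions, not taken from the page.

```python
import re

# Constructed sample: Okta's Time.now() yields an ISO 8601 UTC timestamp
# of this shape (value invented for the example).
SAMPLE_TIME_NOW = "2015-07-31T17:18:37.979Z"


def ingr_session_id(time_now: str) -> str:
    """Reproduce the Okta expression
    String.replace(String.replace(String.replace(Time.now(), ":", ""), "-", ""), ".", "")
    so the claim value can be reproduced and tested outside Okta."""
    return time_now.replace(":", "").replace("-", "").replace(".", "")


# Assumed pattern: 8 date digits, 'T', 6 to 9 time digits, 'Z'. Nothing else
# (no slashes, dots or separators) may reach the file system as a folder name.
_SESSION_ID_RE = re.compile(r"[0-9]{8}T[0-9]{6,9}Z")


def is_safe_folder_name(session_id: str) -> bool:
    """Server-side check before the claim is used to create a temp folder:
    the file server validates the value instead of trusting the token's shape."""
    return _SESSION_ID_RE.fullmatch(session_id) is not None


# Assumed pattern: 8-4-4-4-12 hex digits, upper case only, as the page requires.
_AUDIENCE_RE = re.compile(r"[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}")


def is_valid_audience(audience: str) -> bool:
    """Check the Audience GUID entered in the authorization server is upper case."""
    return _AUDIENCE_RE.fullmatch(audience) is not None


if __name__ == "__main__":
    sid = ingr_session_id(SAMPLE_TIME_NOW)
    print(sid, is_safe_folder_name(sid))
    print(is_safe_folder_name("../" + sid))
    # Constructed GUIDs, not real configuration values.
    print(is_valid_audience("3F2504E0-4F89-11D3-9A0C-0305E82C3301"))
    print(is_valid_audience("3f2504e0-4f89-11d3-9a0c-0305e82c3301"))
```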
You can add an access policy depending on the client being used. The details for adding an access policy for a PKCE client and for a Client Credentials client are given below.
Add access policy for PKCE client
- Select the Access Policies tab, and click Add Policy.
- In the Add Policy dialog box, type the Name and Description.
- In the Assign to box, select The following clients option, select your PKCE client, and click Create Policy.
- Click Add Rule.
  Rules allow for the configuration of the token lifetime and expiration.
- In the Add Rule dialog box, set the rule as shown in the following example:
  Option                            | Detail
  Rule Name                         | CommonUIPKCERule
  IF Grant type is                  | Authorization Code
  AND User is                       | Any user assigned the application
  AND Scopes requested              | Any scopes
  THEN Access token lifetime is     | 1 Hour
  AND Refresh token lifetime is     | Unlimited
  BUT will expire if not used every | 7 Days
  You can set the rule according to your requirements. The above table is only an example.
- Click Create Rule.
Add access policy for Client Credentials client
- Select the Access Policies tab, and click Add Policy.
- In the Add Policy dialog box, type the Name and Description.
- In the Assign to box, select The following clients option and select your Client Credentials client.
- Click Add Rule.
  Rules allow for the configuration of the token lifetime and expiration.
- In the Add Rule dialog box, set the rule as shown in the following example:
  Option                        | Detail
  Rule Name                     | CommonUICCIDRule
  IF Grant type is              | Client Credentials
  AND User is                   | Assigned the app and a member of one of the following > Select a group.
  AND Scopes requested          | The following scopes > Select the scope
  THEN Access token lifetime is | 1 Hour
  AND Refresh token lifetime is | Unlimited
  You can set the rule according to your requirements. The above table is only an example.