This guide details the steps required to configure Keyless as a passwordless authentication solution for your Okta cloud instance.
Keyless and Okta deliver true passwordless authentication for the workforce and for consumers.
This document provides a step-by-step introduction for configuring Okta to work with Keyless. In this guide Keyless will be set up as both an OpenID Connect service provider and an OpenID Connect identity provider for Okta.
The OpenID Connect SP configuration is configured to allow users to authenticate with Okta into the Account Linking page.
The OpenID Connect IdP configuration allows enrolled users to authenticate with Keyless to get access directly into their Okta portal or Okta-enabled apps.
Prerequisites
Login and Logout redirect URIs provided to you by Keyless.
Log into your Okta administration portal.
Go to "Applications" on the top menu and click "Applications".
Click "Add Application"
Click "Create New App"
Select "Web" as the platform and "OpenID Connect" as the sign-on method, then click the "Create" button.
Name the app "Keyless Account Linking". You can also optionally provide an App logo here, which will display as an icon in the user's portal.
Add the login and logout redirect URIs that were provided to you by Keyless.
The new application has now been created. On the page that appears, click the "Edit" button and change the allowed grant types: under Implicit (Hybrid), select "Allow ID Token with implicit grant type" and "Allow Access Token with implicit grant type".
On the Assignments tab of that same page, click the Assign button -> Assign to Group. Here you can choose which group of users will access the application. In this case we will choose "Everyone", which lets every user of the org use the Keyless account linking application.
Back on the General tab, at the bottom of the page, take note of the Client ID and the Client Secret that Okta generated for you and pass them on to Keyless through a secure third-party channel.
The OpenID Connect IdP configuration allows enrolled users to authenticate with Keyless to get access directly into their Okta portal or Okta-enabled apps.
From your Admin dashboard, go to "Security" on the top menu and click "Identity Providers":
Click "Add Identity Provider" and select "Add OpenID Connect IdP".
On the following screen, configure the fields listed in the three tables at the end of this guide (General settings, Endpoints, and JIT settings).
The endpoint values are extracted from the well-known file (OpenID Connect discovery document) you received from Keyless.
If you don't want to assign users to a specific group through JIT (Just in Time) provisioning, select the option "Redirect to sign-in page" under "If no match found". This blocks the use of Keyless authentication as a profile master and lets the Okta account system manage each user's membership of the org.
At the end of the configuration, click "Update Identity Provider". On the Identity Providers page you will see that your IdP has been created. If you expand its information view, you will see all the details you need to use the external IdP on a deployed Keyless Auth service. Take note of the IdP ID and the Redirect URI.
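The endpoint fields on the "Add OpenID Connect IdP" screen are copied from the well-known file. The following script, added to this guide as an example (it is not Keyless or Okta code), parses such a discovery document, maps its keys to the Okta field names used in this guide, and refuses documents whose issuer or endpoints are not HTTPS or do not sit on the issuer's host, which is where copy/paste mistakes usually show up. The embedded discovery document is a constructed sample with a placeholder hostname; the real values come from the file Keyless sent you.

```python
"""Map an OpenID Connect discovery document to the endpoint fields of Okta's
'Add OpenID Connect IdP' screen and sanity-check it before typing values in.

Example code added to this guide; not Keyless or Okta code. The discovery
document below is a constructed sample with a placeholder hostname.
"""
import json
from urllib.parse import urlparse

# Okta IdP form field -> key in the provider's /.well-known/openid-configuration
OKTA_ENDPOINT_FIELDS = {
    "Issuer": "issuer",
    "Authentication Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "JWKS Endpoint": "jwks_uri",
    "User Info Endpoint": "userinfo_endpoint",
}

# Scopes the guide configures on the IdP; the provider should advertise them.
REQUIRED_SCOPES = {"openid", "profile", "email"}

# Constructed sample of a well-known file (placeholder host, not a real IdP).
SAMPLE_WELL_KNOWN = json.dumps({
    "issuer": "https://idp.example.invalid",
    "authorization_endpoint": "https://idp.example.invalid/oauth2/authorize",
    "token_endpoint": "https://idp.example.invalid/oauth2/token",
    "jwks_uri": "https://idp.example.invalid/oauth2/jwks",
    "userinfo_endpoint": "https://idp.example.invalid/oauth2/userinfo",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code", "id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def okta_idp_fields(well_known_json: str) -> dict:
    """Return {Okta field name: value} for the Endpoints table.

    Raises ValueError listing every problem that should stop you from saving
    the IdP, instead of silently producing a half-filled table.
    """
    doc = json.loads(well_known_json)
    problems = []

    issuer = doc.get("issuer")
    if not issuer or urlparse(issuer).scheme != "https":
        problems.append("issuer missing or not https")
    issuer_host = urlparse(issuer).netloc if issuer else None

    fields = {}
    for okta_name, key in OKTA_ENDPOINT_FIELDS.items():
        value = doc.get(key)
        if not value:
            problems.append(f"{key} missing from discovery document")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {value}")
        # Endpoints normally live on the issuer's host; a mismatch usually
        # means a mixed-up document or an edited value.
        elif issuer_host and parsed.netloc != issuer_host:
            problems.append(f"{key} host {parsed.netloc} differs from issuer host")
        fields[okta_name] = value

    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("provider does not advertise scopes: " + ", ".join(sorted(missing)))
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")

    if problems:
        raise ValueError("; ".join(problems))
    return fields


if __name__ == "__main__":
    for field_name, value in okta_idp_fields(SAMPLE_WELL_KNOWN).items():
        print(f"{field_name:24} {value}")
```

Run it against the real file by replacing `SAMPLE_WELL_KNOWN` with the file's contents; the printed lines are exactly the five rows of the Endpoints table, in the order Okta's form shows them.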
At this stage, please provide Keyless with the following through a secure channel:
Client ID and Secret of Account Linking App.
Client ID and Secret of Identity Provider.
IdP ID and Redirect URI of the Identity Provider.
Under "Identity Providers", go to "Routing Rules" to configure which users and groups will have access to the Keyless Identity Provider and will use Keyless as their authentication method.
Make sure that the Keyless Account Linking application is configured to use the default Okta identity provider (as the first rule) so that users will be able to link their account properly.
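Okta evaluates routing rules from the top down, the first matching rule wins, and the built-in Default Rule (route to Okta) always sits last. The small model below, added to this guide as an example and not Okta's implementation, shows why the Account Linking rule must come before the Keyless group rule: with the order reversed, an enrolled-group user is sent to Keyless even when opening the linking app. The application name "Keyless Account Linking" is taken from this guide; the group name "Keyless Enrolled", the rule names, and the IdP labels "Okta" and "Keyless" are assumptions.

```python
"""Simplified model of Okta IdP routing rules: evaluated top-down, first match
wins, built-in Default Rule (route to Okta) last.

Example code added to this guide, not Okta's implementation. The app name
"Keyless Account Linking" comes from the guide; the group "Keyless Enrolled",
the rule names and the IdP labels "Okta"/"Keyless" are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    idp: str                                   # IdP used when the rule matches
    apps: set = field(default_factory=set)     # empty = any application
    groups: set = field(default_factory=set)   # empty = any user group

    def matches(self, app: str, user_groups: set) -> bool:
        app_ok = not self.apps or app in self.apps
        group_ok = not self.groups or bool(self.groups & user_groups)
        return app_ok and group_ok


# Okta's catch-all rule: cannot be removed and is always evaluated last.
DEFAULT_RULE = Rule("Default Rule", "Okta")


def route(rules, app: str, user_groups: set):
    """Return (rule name, IdP) of the first rule matching this sign-in."""
    for rule in [*rules, DEFAULT_RULE]:
        if rule.matches(app, user_groups):
            return rule.name, rule.idp
    raise AssertionError("unreachable: the Default Rule matches everything")


def linking_is_reachable(rules, group_sets) -> bool:
    """True if the Account Linking app routes to Okta for every kind of user
    in group_sets. A user sent to Keyless before linking cannot complete
    enrollment, so this must hold for all groups."""
    return all(route(rules, "Keyless Account Linking", g)[1] == "Okta"
               for g in group_sets)


# Order this guide asks for: the linking app first, then the Keyless group.
RECOMMENDED = [
    Rule("Account linking via Okta", "Okta", apps={"Keyless Account Linking"}),
    Rule("Keyless users", "Keyless", groups={"Keyless Enrolled"}),
]
# Same two rules in the wrong order: the group rule is hit first.
WRONG_ORDER = list(reversed(RECOMMENDED))

if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED), ("wrong order", WRONG_ORDER)):
        print(label, route(rules, "Keyless Account Linking", {"Keyless Enrolled"}))
```

Add one set per user population you have (for example `{"Everyone"}` and `{"Keyless Enrolled"}`) to `linking_is_reachable` and it tells you whether the current rule order can lock a user out of linking.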
The following tables list the values for the "Add OpenID Connect IdP" screen.

General settings

| Field | Value |
| --- | --- |
| Name | "Keyless" |
| Client ID | [an ID of your choice, which will need to be provided to Keyless] |
| Client Secret | [a secret of your choice, which will need to be provided to Keyless] |
| Scopes | email, openid, profile |

Endpoints (each value is the entry with the given key in the well-known file you received from Keyless)

| Field | Value |
| --- | --- |
| Issuer | issuer |
| Authentication Endpoint | authorization_endpoint |
| Token Endpoint | token_endpoint |
| JWKS Endpoint | jwks_uri |
| User Info Endpoint | userinfo_endpoint |

JIT settings

| Field | Value |
| --- | --- |
| IdP Username | idpuser.externalId |
| Match Against | Okta Username |
| Account Link Policy | Automatic |
| Auto-Link Restrictions | None |
| If no match is found | Create New User (JIT) |
| Profile Source | Checked |
| Group Assignments | None |