This article will outline how to create and configure an application within an Okta environment, allowing us to collect System Logs for our reporting services.
Creating the Application
On the Okta Admin dashboard, a new application will need to be created using the OpenID Connect (OIDC) and Web Application settings for the Sign-in method and Application type, respectively.
Configuring the Application
General Settings
We will need to configure the Grant type and Sign-in redirect URIs here.
The Grant type will require the Refresh Token option, allowing us to continually collect System Logs without asking you to provide your credentials every time you want to view your Okta System Log reports.
The Sign-in redirect URI is where Okta sends you back after you have signed in successfully and authorized us to collect your System Logs; it must point to the Block 64 website. The URI is: "https://combine.block64.com/oauth2/OktaSystemLog/callback"
Assignments
Here, you choose who can log into this application from the Block 64 website. The "Allow everyone in your organization to access" option lets anyone in your Okta organization sign in, while the "Limit access to selected groups" option lets you assign access individually.
In our example, we will be allowing access to everyone in our Okta environment while also enabling the Federation Broker Mode option, which automatically assigns application access based on your Okta environment settings.
From here, you can save the application and continue to the next section.
Scopes and Assignments
We will require two scopes to be assigned to this application. This will allow us to call APIs on your behalf to collect information used for our reporting.
The two scopes we require can be found under the "Okta API Scopes" tab: they are the "okta.logs.read" and "okta.users.read" scopes, allowing us to fetch the Okta System Logs, as well as the users in your Okta environment.
These are read-only scopes, meaning we will only have access to viewing your data, not modifying it.
Finally, if you previously chose to assign access to this application individually rather than allowing access to all users in your Okta environment, we will need to assign user access to this application. This option can be found under the "Assignments" tab.
Important note: Regardless of the assignment method used, we need to ensure that the user in your Okta environment is either an administrator or has API access.
This setting can be found under Directory > People. From here you can click on the specific user and view their Admin roles. For our example, we will be assigning the "API Access Management Administrator" role to the user.
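The following is an added example, not Block 64's or Okta's own code, showing how the settings from the General Settings and Scopes sections fit together once the application is used: the user is sent to Okta with the two read-only scopes and the redirect URI above, the returned code is exchanged for an access token plus a refresh token, and the refresh token is used later to keep pulling System Log pages without the user present. It assumes Okta's org authorization server endpoints (/oauth2/v1/authorize and /oauth2/v1/token), the offline_access scope as the trigger for a refresh token, client_secret_basic authentication and the /api/v1/logs endpoint paginated through Link rel="next" headers; it goes beyond the page in showing that exchange and paging. The FakeOkta transport, its events and the CLIENT_ID_PLACEHOLDER and CLIENT_SECRET_PLACEHOLDER values are constructed so the flow runs offline.

```python
# Added example, not Block 64's or Okta's own code. Endpoint paths are assumptions
# (Okta org authorization server and /api/v1/logs); the HTTP transport is
# injectable, and FakeOkta below is a constructed stand-in so this runs offline.
import base64
import json
import re
import secrets
import urllib.parse
import urllib.request

REDIRECT_URI = "https://combine.block64.com/oauth2/OktaSystemLog/callback"
# offline_access is what makes Okta return a refresh token with the access token.
SCOPES = "openid offline_access okta.logs.read okta.users.read"


def build_authorize_url(domain, client_id, state=None):
    """Step 1: the URL the user is sent to; Okta redirects back with ?code=&state=."""
    state = state or secrets.token_urlsafe(16)
    q = {"client_id": client_id, "response_type": "code", "scope": SCOPES,
         "redirect_uri": REDIRECT_URI, "state": state}
    return f"https://{domain}/oauth2/v1/authorize?" + urllib.parse.urlencode(q), state


def live_http(method, url, headers, body=None):
    """Real transport: returns (status, [(header, value), ...], body text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as r:
        return r.status, r.getheaders(), r.read().decode()


def next_link(headers):
    """Okta paginates with Link headers; pick the one tagged rel="next"."""
    for name, value in headers:
        if name.lower() == "link":
            m = re.search(r'<([^>]+)>;\s*rel="next"', value)
            if m:
                return m.group(1)
    return None


class OktaLogClient:
    def __init__(self, domain, client_id, client_secret, http=live_http):
        self.domain, self.http = domain, http
        creds = f"{client_id}:{client_secret}".encode()
        self.auth = "Basic " + base64.b64encode(creds).decode()  # client_secret_basic
        self.access_token = self.refresh_token = None

    def _token(self, form):
        headers = {"Authorization": self.auth, "Accept": "application/json",
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, _, text = self.http("POST", f"https://{self.domain}/oauth2/v1/token",
                                    headers, urllib.parse.urlencode(form).encode())
        if status != 200:
            raise RuntimeError(f"token endpoint: {status} {text}")
        t = json.loads(text)
        self.access_token = t["access_token"]
        self.refresh_token = t.get("refresh_token", self.refresh_token)  # keep old one if absent

    def exchange_code(self, code):
        """Step 2: swap the code from the redirect for an access token and a refresh token."""
        self._token({"grant_type": "authorization_code", "code": code,
                     "redirect_uri": REDIRECT_URI})

    def refresh(self):
        """Step 3: later collections use the stored refresh token, with no user present."""
        if not self.refresh_token:
            raise RuntimeError("no refresh token stored; was offline_access granted?")
        self._token({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

    def fetch_logs(self, since, limit=100):
        """Page through /api/v1/logs; on a 401 refresh once and retry the same page."""
        url = f"https://{self.domain}/api/v1/logs?" + urllib.parse.urlencode(
            {"since": since, "limit": limit})
        events, refreshed = [], False
        while url:
            status, hdrs, text = self.http("GET", url, {
                "Authorization": f"Bearer {self.access_token}", "Accept": "application/json"})
            if status == 401 and not refreshed:
                refreshed = True
                self.refresh()
                continue
            if status != 200:
                raise RuntimeError(f"logs endpoint: {status} {text}")
            page = json.loads(text)
            events.extend(page)
            # Okta always sends a next link (for polling); an empty page ends the walk.
            url = next_link(hdrs) if page else None
        return events


class FakeOkta:
    """Constructed stand-in for the two endpoints. The first access token is
    treated as expired on page 2, which forces the refresh path to run."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url))
        if url.endswith("/oauth2/v1/token"):
            form = urllib.parse.parse_qs(body.decode())
            if form["grant_type"] == ["authorization_code"]:
                return 200, [], json.dumps({"access_token": "at-1", "refresh_token": "rt-1"})
            return 200, [], json.dumps({"access_token": "at-2"})  # no new refresh token
        token = headers["Authorization"].split()[1]
        base = "https://dev-0123456789.okta.com/api/v1/logs"
        if "after=p2" in url and token == "at-1":
            return 401, [], "{}"
        if "after=p2" in url:
            return 200, [("link", f'<{base}?after=p3>; rel="next"')], json.dumps(
                [{"eventType": "user.session.start"}])
        if "after=p3" in url:
            return 200, [("link", f'<{base}?after=p4>; rel="next"')], "[]"
        return 200, [("link", f'<{base}?after=p2>; rel="next"')], json.dumps(
            [{"eventType": "user.authentication.sso"}, {"eventType": "app.oauth2.token.grant"}])


def demo():
    """Run the whole flow against the constructed FakeOkta transport."""
    fake = FakeOkta()
    c = OktaLogClient("dev-0123456789.okta.com", "CLIENT_ID_PLACEHOLDER",
                      "CLIENT_SECRET_PLACEHOLDER", http=fake)
    c.exchange_code("code-from-redirect")
    events = c.fetch_logs(since="2024-01-01T00:00:00Z")
    return events, c.access_token, c.refresh_token, fake.calls
```

With the real transport, `build_authorize_url` produces the link the user follows, `exchange_code` receives the `code` query parameter from the callback, and every later run starts from `refresh()` rather than a fresh sign-in, which is exactly why the Refresh Token grant type is required above. Because only okta.logs.read and okta.users.read are requested, a token obtained this way is rejected by any Okta endpoint that writes data, so a leaked token cannot be used to change the tenant.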
Logging in
Now that we've made and configured the application, we can sign on by providing these credentials on the Block 64 website.
We'll need three credentials: your Okta domain name, and the Client ID and Client Secret of the application we just created.
Okta Domain
Here, the Okta domain would be "dev-0123456789.okta.com"
Application Client ID
Application Client Secret
Once this has been input and the save button is clicked, we'll require a user from your Okta environment with the appropriate API access to log in to their account. If they are already logged into Okta, this step will be skipped.
If the login is successful, the user will get a notification saying the credentials were successfully stored.