Okta authentication lets your users sign in to your apps with their Okta accounts. It works much like any OpenID Connect provider, but it also exposes Okta-specific features such as group controls. For example, you may want to limit some apps to the Sales Team and others to the Support Team; using Okta as the authentication source lets you do that.
Setting up authentication takes three steps: create an Okta application, configure AppSheet, and sign in using an Okta group.
Create an Okta application
First, create a single sign-on application for AppSheet inside the Okta console.
- In the Application tab, click Add Application.
- Set the application type to Web.
- Set the callback URLs to https://appsheet.com/Account/ELC and http://localhost:53519/Account/ELC. Copy these exactly; capitalization matters, because the redirect URI sent at sign-in must match the registered value exactly. The second, localhost callback is not strictly required: it is only needed if you ask AppSheet to debug your application at some point in the future, so you can leave it out until then.
- Optionally, add the user groups that you would like AppSheet to have access to.
- Click Done.
When you are done, the application's settings show its Client ID and Client Secret; yours will differ from anyone else's. Note both for the AppSheet configuration below, and treat the Client Secret as a credential.
For more details on what each field means, see Setting up an auth-code application in the Okta documentation.
Okta-specific API calls, such as listing groups, require an API token. In the Okta console, go to the API tab and click Add Token, follow the prompts, and save the token somewhere safe: Okta shows it only once. The token carries the permissions of the user who created it, so create it from an account with no more rights than AppSheet needs and treat it like a password. The token then appears in the API tab's token list.
Without providing an API Token
Providing an API token simplifies setup because AppSheet can list your groups, but it is optional. If you would rather not provide one, there are two workarounds:
- Configure Okta to include a groups claim in the ID token. See Okta's article Create a Groups Claim for Okta Mastered Groups. When configuring AppSheet, leave the API Token field empty when creating the authentication domain and type the Authentication Group name manually in the app editor; the name is case-sensitive and must match the Okta group name exactly.
Note: If the groups claim filter is not configured as described in Add a groups claim for the org authorization server (the filter must actually return the groups, for example Matches regex with the pattern .*), you might receive the following error:
Unable to fetch group membership. The most likely reason is that your Okta config has not enabled group claims filter as Regex *.
- Create a separate Okta application for each group and assign only that group to it. In AppSheet, create a separate authentication domain for each Okta application, leaving the API Token field empty. In the app editor, select the Authentication Domain that corresponds to the desired group and leave the Authentication Group field empty so that it defaults to Everyone. The restriction is then enforced by Okta's application assignment, since only users assigned to that application can sign in to it.
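The groups-claim workaround depends on the relying party reading a groups claim from the ID token and comparing the configured group name exactly. The following Python is an added example, not AppSheet's or Okta's code: it mints a constructed ID token, verifies it, and applies the case-sensitive group check, returning a distinct result when the groups claim is missing (the situation behind the error above). The issuer, client ID, signing secret, user and group names are assumptions. Real Okta ID tokens are RS256-signed and are verified against the org's JWKS endpoint; the example replaces that with HS256 and a shared secret only so that it runs offline.

```python
"""Decide app access from an OIDC ID token's groups claim (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values so the example runs offline. A real Okta ID token is
# RS256-signed and must be verified against the org's JWKS endpoint; HS256
# with a shared secret is used here only to keep the example stand-alone.
ISSUER = "https://dev-12345.okta.com"      # the Domain entered in AppSheet
CLIENT_ID = "0oa-example-client-id"        # hypothetical Okta Client ID
SECRET = b"constructed-shared-secret"      # hypothetical signing key


class GroupMembershipError(Exception):
    """No groups claim in the token (the 'Unable to fetch group membership' case)."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 ID token for the constructed scenario (fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never take it from the token
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def group_allows_access(claims: dict, authentication_group: str) -> bool:
    """Exact, case-sensitive match of the configured Authentication Group."""
    if "groups" not in claims:
        raise GroupMembershipError(
            "Unable to fetch group membership: no groups claim in the ID token; "
            "check the groups claim filter (Matches regex .*) on the Okta app")
    return authentication_group in claims["groups"]


def access_decision(token: str, authentication_group: str,
                    now: Optional[float] = None) -> str:
    """Return 'allow', 'deny', 'no-groups-claim' or 'invalid-token'."""
    try:
        claims = verify_id_token(token, now=now)
    except ValueError:
        return "invalid-token"
    try:
        return "allow" if group_allows_access(claims, authentication_group) else "deny"
    except GroupMembershipError:
        return "no-groups-claim"


if __name__ == "__main__":
    now = 1_700_000_000
    token = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user@example.com",
                           "exp": now + 3600, "groups": ["Everyone", "Sales Team"]})
    print(access_decision(token, "Sales Team", now))   # allow
    print(access_decision(token, "sales team", now))   # deny: names are case-sensitive
```

A token whose signature, issuer, audience or expiry fails is rejected before the group name is ever looked at, and a correctly signed token with no groups claim yields a separate result rather than a silent deny, so the two misconfigurations (wrong group name versus missing claim filter) stay distinguishable.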
Configure AppSheet
Add Okta as an Auth Provider.
- Ensure your account has the Business plan so that you can use the Company Domain Authorization feature.
- Go to the Integrations > Auth Domain pane and click Add Auth Domain.
- Select Okta from the list
- Fill out the form, which requires four fields:
  - Client ID and Client Secret: from the Okta application settings.
  - Domain: your Okta org URL from the Okta console, for example https://dev-12345.okta.com.
  - API Token: the token generated in the Okta API tab (leave this empty if you are using one of the workarounds above).
Click Authorize Access. Okta is added to the list of authentication domains, and you can now add it to your apps.
Open the app you want to protect with domain authentication and select Security > Domain Authentication. Select your newly created Okta domain as the Authentication domain source and Default as the Authentication domain. The groups you set up in Okta appear in the Authentication group drop-down (or, if you did not provide an API token, in a text input where you must type the group name exactly as it appears in Okta). Select the group you want to grant access to and click Save.
Note that group membership is cached: adding a member to or removing a member from an Okta group can take up to 15 minutes to take effect in AppSheet, so removing someone from a group does not revoke their access immediately.
Sign in using an Okta group
Share the app with your end users, as described in Share: The Essentials. When an end user opens the app, they are prompted to sign in with Okta, and access is granted only if they are a member of the selected group.
That's it! Members of the specified group can now sign in to the app.