Control user access using Okta

 

This feature is available to AppSheet Enterprise Plus accounts only. See What features are supported with each subscription?

This is a preview release of Okta authentication. See product launch stages. Preview offerings are intended for use in test environments only. This feature is not recommended for use in production apps.

Okta authentication allows for user authentication for your apps. It is similar to using an OpenID provider but allows for Okta-specific features such as group controls to be used. For example, you may want to limit access to certain apps to the Sales Team and others to the Support Team. Using Okta as an authentication source allows this.

Currently, configuration of Okta authentication in AppSheet using an Okta account that has access to more than 10k groups may cause authentication errors. AppSheet is able to access only the first 10k groups that are returned from Okta. If the group is not in the returned list, attempts to use that group will cause user authentication to fail. As a workaround, use an Okta account that has access to a limited set of groups (less than 10k).

To set up authentication there are three steps:

  1. Create an Okta application
  2. Configure AppSheet to allow Okta
  3. Sign in using Okta

Create an Okta application

First, create a single sign-on application for AppSheet inside the Okta console.

  1. In the Application tab, click Add Application.
  2. Set the application type to Web.
  3. Set the callback URLs to be https://appsheet.com/Account/ELC and http://localhost:53519/Account/ELC
    Be sure to copy these exactly; capitalization is important. The second callback URL, with the localhost, is not strictly required; it would only be necessary if you requested us to debug your application at some point in the future.
  4. Optionally, add the user groups that you would like AppSheet to have access to.
  5. Click Done.

In the end it should look similar to what is below with a different Client ID and secret

Create Okta application

For more details on what each field means visit Setting up an auth-code application in the Okta documentation.

To allow for Okta-specific API calls, such as listing groups, you'll need an API token. In the Okta console, go to API tab and click Add Token. Follow the prompts and make sure to save your token somewhere because it will only be shown once. In the end you should have it listed similar to the screenshot below:

API token in Okta console

Without providing an API Token

Providing an API Token simplifies the process by allowing group listings but it is optional. If you'd rather not provide it there are two possible workarounds:

  1. Configure Okta to allow for Group Claims. See Okta's article on how to Create a Groups Claim for Okta Mastered Groups. When configuring AppSheet, leave the API Token field empty when creating an authentication domain and manually type in the case-sensitive Authentication Group in the app editor.
    Note: If the Group claims filter section is not configured as described in Add a groups claim for the org authorization server, then you might receive the following error: Unable to fetch group membership. The most likely reason is that your Okta config has not enabled group claims filter as Regex *.
  2. Create a separate Okta application with only access to specific group(s). In AppSheet, create a separate authentication domain for each Okta application. Leave the API Token field empty. In the app editor, specify the Authentication Domain corresponding to the desired group and leave the Authentication Group field empty in the app editor so it defaults to Everyone.

Configure AppSheet

Add Okta as an Auth Provider.

  1. Ensure your account has the Business plan so that you can use the Company Domain Authorization feature.
  2. Go to the Integrations > Auth Domain pane and click Add Auth Domain.
  3. Select Okta from the list
  4. Fill out the form which requires four fields:
    • Client ID, Client Secret: from the Okta application settings
    • Domain: from the Okta console. It should look like https://dev-12345.okta.com
    • API Token: the token generated from the Okta API tab

Click Authorize Access and Okta should be added to the list of authentication domains and you now have the option to add it to your apps.

Open the app that you wish to add domain authentication to and select Security > Domain Authentication. Select your newly created Okta domain as the Authentication domain source. Select Default as the Authentication domain and the Authentication group groups you setup in Okta should show up in the drop-down (or a text input if you didn't provide an API token). Select what group you want to give access to and select Save.

It is important to note that, due to caching, adding or removing a new member from an Okta group takes up to 15 minutes to take effect.

Sign in using an Okta group

Share the app with your end users, as described in Share: The Essentials. When the end user accesses the app, they will be prompted to sign in to the Okta group.

That's it! You should be able to login as a member of the specified group.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Search
Clear search
Close search
Google apps
Main menu
2172896170963246924
true
Search Help Center
true
true
true
false
false