Managing Admin Access to the Aidbox UI Using Okta Groups
Objectives
Configure integration with the Okta Identity Provider to enable secure login to the Aidbox UI
Manage administrative access to the Aidbox UI through Okta by assigning users to specific groups
Before you begin
Create an account in Okta development portal
Make sure your Aidbox version is newer than 2107
Setup the local Aidbox instance using getting started guide
Managing Admin Access to the Aidbox UI Using Okta Groups
Create a Client (Application) in Okta
Go to Applications -> Applications in Okta portal and click "Create App Integration" button.
Sign-in method: OIDC - OpenID Connect
Application type: Web Application

Enter Application details:
App integration name: Aidbox
Grant type:
Authorization Code
Refresh Token
Implicit (hybrid)

Sign-in redirect URIs:
http://localhost:8080/auth/callback/okta-identity-provider
Controlled access: Skip group assignment for now

Assign the application to your personal account in Okta:

Checkout Client ID and Client secret:

Create an IdentityProvider in Aidbox
Login to Aidbox UI.
Use REST Console to execute the request below.
<okta-domain>
should be your Okta domain, e.g.dev-43727041.okta.com
replace
<client-id>
and<client-secret>
with the actual values
PUT /fhir/IdentityProvider/okta-identity-provider
content-type: application/json
accept: application/json
{
"scopes": [
"profile",
"openid"
],
"system": "okta",
"authorize_endpoint": "https://<okta-domain>/oauth2/default/v1/authorize",
"token_endpoint": "https://<okta-domain>/oauth2/default/v1/token",
"userinfo-source": "id-token",
"client": {
"id": "<client-id>",
"secret": "<client-secret>",
"redirect_uri": "http://localhost:8080/auth/callback/okta-identity-provider"
},
"type": "okta",
"resourceType": "IdentityProvider",
"title": "MyOkta",
"active": true
}
Login into Aidbox using Okta user
Go to the Aidbox login page. You should see Sign in with MyOkta button.

Press this button and log in with Okta user into Aidbox.
You should not be able to see much in the Aidbox because there's no access policy for your user yet.
Relogin with admin and check the user created in Aidbox for your Okta user. Go to IAM -> User and click on the user ID.

User Resource is Aidbox is updated every time the user logs in using external Identity Provider. Source of the user information is configured using userinfo-source
element in IdentityProvider configuration resource.
Create the Aidbox-Admins group in Okta
In Okta go to Directory -> Groups and create group Aidbox-Admins

Add your user to the group

Customize ID token in Okta to include groups
In Okta go to Security -> API drill down to the default
authorization server go to Claims tab. Click Add Claim button.
name: groups
Include in token type: ID Token
Value type: Groups
Filter: Starts with: Aidbox-Admins
Include in: any scope

Make sure the group info from Okta is making into Aidbox
Relogin into Aidbox using Sign in with MyOkta button. The user is updated with Okta groups data. Relogin with admin and check.

Create the AccessPolicy
Use REST Console to execute the request
PUT /fhir/AccessPolicy/okta-admins-policy
content-type: application/json
accept: application/json
{
"engine": "matcho",
"matcho": {
"user": {
"data": {
"groups": {
"$contains": "Aidbox-Admins"
}
}
},
"request-method": {
"$enum": [
"get",
"post",
"put",
"delete"
]
}
},
"resourceType": "AccessPolicy"
}
Now you can relogin with your Okta user and the user will be granted admin access.
What's next
See more about Aidbox Security security-and-access-control
Last updated
Was this helpful?