Okta OpenID Connect

Okta can be set up as an OpenID Connect authentication provider to log users into a different Relativity instance.

Pre-requisites

  • To configure Okta as an OpenID Connect provider for Relativity, you, or your Okta admin, will need to set up the Relativity app in Okta. To complete this part of the configuration, follow the steps in the Okta documentation. During the process, select Web as the platform and OpenID Connect as the sign-on method. After completing the steps provided by Okta and customizing the steps for Relativity, you will navigate back to Relativity.

  • The Okta ‘Initiate login URI’ setting may need an HRD parameter. For more information, see Creating or editing a federated instance.

Configuring Okta OpenID Connect

In Relativity, navigate to the Authentication Provider tab. On the Authentication Provider, fill in the fields as follows:

Authentication provider information

  • Name—enter a user-friendly name for the authentication provider.

  • Provider Type—select OpenID Connect.

  • Enabled—the provider is enabled by default. However, you can disable it.

  • Site URL—set the URL that users enter in the browser to access an instance of Relativity.

    • Example—https://company.relativity.one/Relativity

Authentication provider settings

  • OAuth2 Flow—select Code.

  • Client ID—enter the Client ID value from your Okta application parameters.

  • Client Secret—enter the Client Secret value from your Okta application parameters.

  • Display on login screen—determines if the OpenID Connect button displays on the login page.

  • Login Screen Button Text—determines the text that appears on the button displayed on the login page.

  • Authority URL—[the Okta domain parameter] (for example, http://customer.okta.com). The Authority URL can be retrieved from the Sign On tab in Okta: go to the OpenID Connect ID Token section and look in the Issuer area.

  • Scopes—the default value for this field is openid. The openid checkbox must be selected because it's a required setting. However, you can also select the email or profile option.

    The identity provider responds with the claims associated with the scopes that you request. In other words, the scopes translate into claims that you can use.

  • Subject Claim Type—the default value for this field is sub. Enter one of the following values based on the scopes that you set:
    • If you selected only OpenID in the Scopes field, this field must be set to sub.
    • If you selected OpenID and email in the Scopes field, set this field to email.
    • If you selected OpenID and profile in the Scopes field, set this field to a property available from the identity provider. These properties differ for each provider.

    The identity provider sends an identity token to you, which contains the claims for your selected scopes. When you request only the openid scope, then sub is used as the claim type. It often represents a unique identifier for the user within your system.
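The following check is an added example, not Relativity or Okta code. It compares the Scopes, Subject Claim Type and Authority URL settings described above against the claims in a sample ID token. It assumes the standard scope-to-claim mapping from OpenID Connect Core 1.0 (a provider may release other properties for profile); the function names, the token and its values are constructed for illustration.

```python
import base64
import json

# Standard claims released per scope (OpenID Connect Core 1.0, section 5.4).
# Assumption: the provider follows this mapping; custom properties are not listed.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "email": {"email", "email_verified"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
}

def decode_payload(id_token):
    """Return the claims of a JWT without verifying it (inspection only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_provider_config(scopes, subject_claim_type, authority_url, id_token):
    """List mismatches between the provider settings and a sample ID token."""
    problems = []
    if "openid" not in scopes:
        problems.append("openid scope is required")
    released = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    if subject_claim_type not in released:
        problems.append(f"'{subject_claim_type}' is not released by scopes {sorted(scopes)}")
    claims = decode_payload(id_token)
    if subject_claim_type not in claims:
        problems.append(f"ID token has no '{subject_claim_type}' claim")
    if claims.get("iss") != authority_url:
        problems.append("Authority URL does not match the token's iss claim")
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real Okta token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample: claims returned when only the openid scope is requested.
SAMPLE = make_sample_token({"iss": "https://customer.okta.com", "sub": "00u1abcd", "aud": "client-id"})

if __name__ == "__main__":
    print(check_provider_config({"openid"}, "sub", "https://customer.okta.com", SAMPLE))
    print(check_provider_config({"openid"}, "email", "https://customer.okta.com", SAMPLE))
```

The payload is decoded here only to inspect a test token's claims; it does not validate the token's signature.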

Configure Okta

Once you configure the authentication provider, you'll need to assign it as a login method to your users. To complete the configuration in Relativity, navigate to the User and Group Management > Users tab. For complete steps on configuring an OpenID Connect login method, see OpenID Connect.