Okta Configuration

To configure OneStream REST API to support Okta authentication for M2M application registration (grant_type = client_credentials), follow these steps:

  1. Configure the REST API Application Registration in Okta.

  2. (Optional) Add Authorization Servers and Scopes in Okta.

  3. Set Up the Web Server Configuration in OneStream.

  4. Configure the User in OneStream.

To enable single sign-on with Okta for the OneStream Desktop application, which includes the Windows Client application and the Excel Add-In, using OIDC protocol, see the Installation and Configuration Guide.

Configure the REST API Application Registration in Okta

To configure the REST API application registration, you need to copy the client ID from Okta and paste it into the Web Server Configuration in OneStream.

  1. Log in to your Okta account.

  2. In the Applications list on the left, select Applications.

  3. Click Create App Integration.

  4. In the Create a new app integration dialog box, for Sign-in method, select API Services.

  5. Click the Next button.

  6. On the New API Services App Integration page, in the App integration name field, enter the name of the Okta API application.

  7. Click the Save button.

  8. Copy the client ID. You will need to paste this into the Web Server Configuration in OneStream.

Add Authorization Servers and Scopes in Okta

To configure authorization servers, copy the authorization server ID from the issuer URI and the custom scopes from Okta and paste them into the Web Server Configuration in OneStream.

  1. Log in to your Okta account.

  2. In the Security list on the left, select API.

  3. Click the Add Authorization Server button.

  4. Enter a name and, in the Audience field, enter the client ID from the Okta application. See Configure the REST API Application Registration in Okta step 8.

  5. Click the Save button. The API page displays the list of authorization servers and the corresponding issuer URIs. You will need to paste the authorization server ID from the issuer URI into the Web Server Configuration in OneStream.

  6. To add a custom scope to support the Machine-to-Machine scenario, on the API page, select the authorization server.

  7. Select the Scopes tab.

  8. Click the Add Scope button.

  9. Enter the information and click the Create button. You will need to paste these custom scopes into the Web Server Configuration in OneStream.
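The following Python example is added here for illustration and is not OneStream or Okta code; it shows how the client ID, the authorization server ID from the issuer URI, and the custom scopes relate in a client_credentials token request, and how to compare a returned token's claims against those values. It assumes an issuer URI of the form https://<domain>/oauth2/<id>, a token endpoint at <issuer>/v1/token, a client secret sent with HTTP Basic authentication, and access-token claims named iss, aud and scp; every sample value, including the scope name, is constructed.

```python
import base64
from urllib.parse import urlencode, urlparse

# Constructed sample values; none come from a real Okta org or from OneStream.
ISSUER = "https://example.okta.com/oauth2/ausCONSTRUCTED01"
CLIENT_ID = "0oaCONSTRUCTED01"
SCOPES = ["onestream.api"]  # hypothetical custom scope name

def auth_server_id_from_issuer(issuer_uri):
    """Return <id> from an issuer URI shaped like https://<domain>/oauth2/<id>."""
    parts = [p for p in urlparse(issuer_uri).path.split("/") if p]
    if len(parts) != 2 or parts[0] != "oauth2":
        raise ValueError("no authorization server ID in issuer URI: " + issuer_uri)
    return parts[1]

def build_token_request(issuer_uri, client_id, client_secret, scopes):
    """Build (url, headers, body) for a grant_type=client_credentials request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if scopes:  # custom scopes are sent space-separated in one parameter
        form["scope"] = " ".join(scopes)
    return issuer_uri.rstrip("/") + "/v1/token", headers, urlencode(form)

def claim_mismatches(claims, issuer_uri, client_id, scopes):
    """List claims that disagree with the configuration.

    Expects claims from a token whose signature was already verified.
    """
    problems = []
    if claims.get("iss") != issuer_uri:
        problems.append("iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")  # Audience was set to the client ID in step 4
    if not set(scopes) <= set(claims.get("scp", [])):
        problems.append("scp")
    return problems

if __name__ == "__main__":
    url, headers, body = build_token_request(ISSUER, CLIENT_ID, "constructed-secret", SCOPES)
    print(auth_server_id_from_issuer(ISSUER), url, body)
```

A non-empty result from claim_mismatches usually means the Audience, authorization server ID, or scope entered in one system does not match the other.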

Set Up the Web Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

    Figure: The Web Server Configuration dialog box, with Single Sign On Identity Provider highlighted in the Web Server Configuration Settings section.

  4. Click the ellipsis to the right of Okta Identity Provider.

    Figure: The Single Sign On Identity Provider dialog box, with Okta Identity Provider highlighted in the Identity Provider Specific Settings section.

  5. In the Okta Identity Provider dialog box, in the General and REST API Settings sections, complete the following fields:

    • Okta Authorization Server ID: Enter the authorization server ID from the issuer URI in Okta. See Add Authorization Servers and Scopes in Okta step 5. Alternatively, use the default value by either typing default or leaving the field blank.

      TIP: To view the list of authorization servers and the corresponding issuer URIs in Okta, in the Security list on the left, select API.

    • Okta Web Api Client ID: Enter the client ID from the Okta application. See Configure the REST API Application Registration in Okta step 8.

    • Okta Web Api Custom Scopes: Enter custom scopes, or leave as default (blank). See Add Authorization Servers and Scopes in Okta step 9.

    • Okta Web Api Authorization Server ID: Enter the server ID if using a custom authentication server, or leave as default (blank).

    Figure: The Okta Identity Provider dialog box, with Okta Authorization Server ID highlighted in the General section and Okta Web Api Client ID, Okta Web Api Custom Scopes, and Okta Web Api Authorization Server ID highlighted in the REST API Settings section.

  6. Click the OK button.

  7. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Configure the User in OneStream

  1. In the OneStream Desktop application, go to System > Security > Users > <user>.

  2. In the Authentication properties, complete the following fields for REST API authentication through Okta.

  3. Click the Save icon.