This article describes how to configure OpenID Connect authentication with Okta in Spotfire Server.
1. Register for an Okta account at https://login.okta.com/ and, after signing up, make a note of your Okta URL (for example: https://dev-186893.okta.com/).
2. Log in to Okta using your credentials:
3. Navigate to the Applications page in the left-side navigation bar:
4. Click "Create App Integration", then select "OIDC - OpenID Connect" as the sign-in method and "Web Application" as the application type. Click "Next":
5. This takes you to a page where you can specify the "Sign-in redirect URIs" and other application settings:
6. To obtain the value for "Sign-in redirect URIs", go back to Spotfire Server, open the Spotfire Server Configuration Tool, navigate to the "Configuration" tab, and click "OpenID Connect". Make sure Public Address is turned on first: save the Public Address change to the database, then restart Spotfire Server:
7. After Public Address is turned on, navigate back to "OpenID Connect" and click "Copy URL" to copy the "OpenID Connect Redirect URI" address:
8. Go back to the Okta portal and paste the copied redirect URI into the "Sign-in redirect URIs" field:
Make sure that the Grant Type is set to "Authorization Code". All other settings are optional and can be left at their default values. Click the "Next" button.
**Important Note**:
For Spotfire Server versions 10.8 and higher: Spotfire supports third-party initiated login (https://community.tibco.com/wiki/whats-new-tibco-spotfirer-108#toc-31), which in the Okta case means that you can start an authentication flow by clicking the Spotfire app in the Okta portal.
To configure this, specify the following:
- "Login initiated by": "Either Okta or App"
- "Login flow": "Redirect to app to initiate login (OIDC Compliant)"
- "Initiate login URI": https://example.com/spotfire/auth/oidc/v1/initiate
Due to an Okta limitation (which has been reported and will hopefully be resolved soon), you also need to ensure that "Implicit (Hybrid)" is selected under "Allowed grant types" (Spotfire will still only use the Authorization Code flow).
9. Copy the "Client ID" and "Client Secret" for use in the next steps:
10. Click the "Assignments" tab and assign the application to the appropriate users or groups:
11. Go back to the Spotfire Server Configuration Tool and add an "Okta" provider by selecting "Add new provider" in the "OpenID Connect" window. Copy your Okta values into the "Discovery document URL", "Client ID" and "Client secret" fields (from Step 9 above). The "Discovery document URL" should be of the form https://<your-okta-domain.okta.com>/.well-known/openid-configuration. Note that this external URL must be reachable from the Spotfire Server machine.
Be sure to select "Enabled: Yes" for this new provider:
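Before saving the provider and restarting the server, it is worth confirming from the Spotfire Server machine that the discovery document URL is reachable and that the document it returns supports the Authorization Code flow. The script below is an added example, not part of this article, Spotfire or Okta; the embedded discovery document is a constructed, trimmed sample, and the script name and the `dev-186893.okta.com` domain are placeholders taken from the example URL above.

```python
"""Pre-flight check of an Okta discovery document before entering its URL as
Spotfire Server's "Discovery document URL" (added example, not Spotfire/Okta code)."""
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Constructed, trimmed sample of what Okta serves at
# https://<your-okta-domain>/.well-known/openid-configuration
SAMPLE_DISCOVERY_JSON = """{
  "issuer": "https://dev-186893.okta.com",
  "authorization_endpoint": "https://dev-186893.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://dev-186893.okta.com/oauth2/v1/token",
  "jwks_uri": "https://dev-186893.okta.com/oauth2/v1/keys",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
  "response_types_supported": ["code", "id_token", "code id_token"]
}"""
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def sample_discovery() -> dict:
    return json.loads(SAMPLE_DISCOVERY_JSON)

def fetch_discovery(okta_domain: str, timeout: float = 10.0) -> dict:
    """Fetch the live document; a failure here means the server cannot reach Okta."""
    url = f"https://{okta_domain}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def check_discovery(doc: dict, okta_domain: str) -> list:
    """Return the problems found; an empty list means the document advertises
    the Authorization Code flow Spotfire uses and only HTTPS endpoints."""
    problems = []
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https" or issuer.netloc != okta_domain:
        problems.append(f"issuer {doc.get('issuer')!r} is not https://{okta_domain}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key, "")
        if urlparse(url).scheme != "https":
            problems.append(f"{key} missing or not https: {url!r}")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not advertised")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type=code not advertised")
    return problems

if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "dev-186893.okta.com"
    doc = fetch_discovery(domain) if len(sys.argv) > 1 else sample_discovery()
    issues = check_discovery(doc, domain)
    print("discovery document OK" if not issues else "\n".join(issues))
```

Run it as `python check_okta_discovery.py <your-okta-domain.okta.com>` on the Spotfire Server machine; with no argument it checks the embedded sample instead of fetching anything.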
12. Click "Save configuration" at the bottom of the window, and restart the Spotfire Server service.
Documentation reference: Configuring OpenID Connect:
External: Creating Okta account: https://www.okta.com/
External: Implement the Authorization Code Flow: https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/