Connect to Okta IDP using public/private JWT key pairs.

This article describes how to connect to Okta IDP using a public/private JWT key pair.

About public/private key pairs

Note

Creating an application in Okta with access to Okta application management APIs requires private_key_jwt as the authentication method. To use this method, a public/private key pair is needed.

Generate a public/private key pair according to the instructions in Create a public/private key pair.
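What the key pair is for, as an added Go example (not code from ACP or Okta): under private_key_jwt the client signs a short-lived JWT with its private key, and the token endpoint verifies it with the registered public key before issuing a token. The client ID, jti and token endpoint URL are assumed, constructed values; the audience is assumed to be the Okta token endpoint, and `NewTestKey` is a throwaway key made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// ClientAssertion builds the RS256 JWT that private_key_jwt sends as client_assertion (RFC 7523).
func ClientAssertion(key *rsa.PrivateKey, clientID, tokenURL, jti string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenURL, "jti": jti,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()}) // iss/sub = client ID, aud = token endpoint
	b64 := base64.RawURLEncoding.EncodeToString // JWT segments are base64url without padding
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAssertion is the token endpoint's side: signature first (with the public key registered
// for the client), and only then audience and expiry.
func VerifyAssertion(token string, pub *rsa.PublicKey, tokenURL string, now time.Time) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed assertion")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(p[2]) // an undecodable signature fails below
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	var c struct{ Aud string; Exp int64 }
	if raw, _ := base64.RawURLEncoding.DecodeString(p[1]); json.Unmarshal(raw, &c) != nil ||
		c.Aud != tokenURL || now.Unix() >= c.Exp {
		return fmt.Errorf("claims rejected: unreadable, wrong audience or expired")
	}
	return nil
}

func NewTestKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // throwaway key, constructed
```

The assertion is sent as `client_assertion` together with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; a key that Okta does not know, a wrong audience or an expired assertion is rejected before any token is issued.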

Prerequisites

You have an Okta account.

Create a service app

Create a service application in Okta by following guidelines in Create a service app.

Grant scopes

  1. Go to your Okta organization portal and select Applications from the menu bar.

  2. From the applications list, select your new service application.

  3. In your new application view, go to the Okta API Scopes tab.

  4. In the Okta API Scopes view, grant two scopes:

    • okta.apps.manage
    • okta.groups.read

Note

Keep your Okta application page open in your browser so that you can check its details when needed in the subsequent steps.

Connect Okta IDP

  1. Go to the ACP administrator portal and log in with your credentials.

    Result

    The administrator portal is displayed.

  2. Make sure you are in the Consumer workspace (selectable from the left sidebar) and click on ADD IDENTITIES to add a new connection.

    Result

    The Add provider view opens and lists the available predefined IDP templates.

  3. Select the Okta template, enter the name for your new identity provider, and click Next.

    Result

    The Register Okta view opens with blanks for details on your Okta IDP.

  4. In the Register Okta view:

    1. Enter Domain, which is the domain of the Okta authentication service for your organization, for example, dev-316761.okta.com.

    2. Enter Client ID of your application.

      Note

      Check your client ID in the application page in your Okta organization portal (see Result in step 5 of Create a service app).

    3. Enter your RSA private key in PEM format into the Client private key field, starting with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----.

    Example

    -----BEGIN RSA PRIVATE KEY-----
    (base64-encoded key body omitted)
    -----END RSA PRIVATE KEY-----

    Note

    To convert a JWK key to the PEM format, you can use a range of JWK-to-PEM converters available online.

  5. Select Save at the bottom of the page.

Result

Your new identity provider is created and listed in the Consumer Identity Providers view.
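The JWK-to-PEM conversion from the note under step 4, done locally so that the private key never has to be pasted into a third-party site: an added Go example using only the standard library, not code from ACP or Okta. `JWKToPEM` and `SampleJWK` are names introduced here, and the JWK is a throwaway key constructed inside the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
)

// JWKToPEM converts a private RSA JWK (RFC 7518 section 6.3) into the PKCS#1 PEM block
// ("BEGIN RSA PRIVATE KEY") that the Client private key field expects, validating it first.
func JWKToPEM(jwkJSON []byte) (string, error) {
	var k struct{ N, E, D, P, Q string } // encoding/json matches "n", "e", ... case-insensitively
	if err := json.Unmarshal(jwkJSON, &k); err != nil {
		return "", err
	}
	var v [5]*big.Int // n, e, d, p and q, each base64url without padding
	for i, s := range []string{k.N, k.E, k.D, k.P, k.Q} {
		b, err := base64.RawURLEncoding.DecodeString(s)
		if err != nil || len(b) == 0 { // an absent member means a public-only or non-RSA JWK
			return "", fmt.Errorf("RSA private JWK member %q missing or malformed", "nedpq"[i:i+1])
		}
		v[i] = new(big.Int).SetBytes(b)
	}
	key := &rsa.PrivateKey{PublicKey: rsa.PublicKey{N: v[0], E: int(v[1].Int64())},
		D: v[2], Primes: []*big.Int{v[3], v[4]}}
	key.Precompute() // derives the CRT members dp, dq and qi, so the JWK need not carry them
	if err := key.Validate(); err != nil { // rejects n, d, p and q that do not belong together
		return "", fmt.Errorf("invalid key: %w", err)
	}
	der := x509.MarshalPKCS1PrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der})), nil
}

// SampleJWK generates a throwaway key (constructed input, not a real credential) and
// returns it as a private JWK together with the key it was built from.
func SampleJWK() ([]byte, *rsa.PrivateKey) {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	enc := func(v *big.Int) string { return base64.RawURLEncoding.EncodeToString(v.Bytes()) }
	jwk, _ := json.Marshal(map[string]string{"kty": "RSA", "n": enc(k.N), "e": enc(big.NewInt(int64(k.E))),
		"d": enc(k.D), "p": enc(k.Primes[0]), "q": enc(k.Primes[1])})
	return jwk, k
}
```

A public-only JWK (no d, p, q) or a JWK whose members do not belong to the same key is rejected with an error instead of producing a PEM that ACP would accept but could never sign with.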

Enable the stateful authorization

This step is optional.

To have the user’s data cached in ACP and avoid re-authenticating within one user’s session, follow the instructions in Enable the stateful authZ in ACP.

User’s test

Purpose

Test your new IDP as a user

Prerequisite

Your provider is configured as a user-authentication method by your administrator.

Test

  1. Go to https://localhost:8443/default/default/demo and select LOG IN TO DEMO APP.

  2. Select your configured IDP (if you have multiple ones) and, next, authenticate in IDP.

Result

ACP displays the consent page that lists the data scopes to be shared with the application. When you proceed to the application (ALLOW ACCESS), the PII data coming from the IDP is delivered through the access token and the ID token generated by ACP.

Read more

For information on granting and managing ACP consents, see ACP OAuth consents.

Developer’s test

Purpose

Test your new IDP as a developer

Prerequisite

Your provider is configured as a developer-authentication method by your administrator. To register your IDP for the developer, follow instructions in Connect Okta IDP, this time selecting the Developer workspace in step 2.

Test

  1. Go to https://localhost:8443/app/default/developer to access the ACP developer portal.

  2. Log in to your account by entering your login credentials and selecting LOG IN.

Result

You are logged in to the ACP developer portal with the newly configured IDP.