
Using SuperOffice as external identity provider for services like Okta or Auth0

Hi everyone

I'm trying to familiarize myself with the authentication flow and all the APIs of SuperOffice - and I think I understand most of it. So I'm building a sample Angular application that I'm trying to make authorization for. For that I will be using the Okta service. I have tried to set up SuperOffice as an external identity provider with OIDC, but I get an error - SuperOffice logs me in and redirects me back to the callback without an issue - but Okta doesn't seem to be able to process the token and log me in.

This is my setup of the identity provider in Okta:

The URLs were found in the metadata file.

But all I get when trying to authenticate is this:

This is the log:

Anyone tried setting this up with Okta, or alternative services like Auth0?

I've been using this guide:

https://developer.okta.com/docs/guides/add-an-external-idp/openidconnect/create-an-app-at-idp/

Thanks in advance

RE: Using SuperOffice as external identity provider for services like Okta or Auth0

Hi Dennis,

No, we do not support Auth0 or Okta today. There just hasn't been a demand for it like there has for Google and Azure AD.

How often do you run into SuperOffice customers who would like this?

Best regards.

By: Tony Yates 26. Jun 2020

RE: Using SuperOffice as external identity provider for services like Okta or Auth0

Just a follow-up question: What is the scenario you have where Okta is the identity gateway? Is there any configuration information that is missing from our metadata endpoint that Okta requires to succeed? We would like to help you if there is something we can do that is required and missing.

Does this Okta forum help you at all with the invalid_social_token error message?

By: Tony Yates 26. Jun 2020

RE: Using SuperOffice as external identity provider for services like Okta or Auth0

Hey Tony

As I've mentioned to you directly earlier today, this is purely me playing with the possibilities of OIDC and the SuperOffice APIs. The idea behind using Okta was to take a convenient shortcut of not having to make my own authorization application for an application, and since I thought OpenID Connect was an open standard, I figured I could integrate the SuperOffice OIDC Identity Provider in the same way I would connect Google, Facebook, Microsoft or other OIDC Identity Providers.

In other words, I haven't had any direct requests from customers or organizations that use Okta, but I did find another forum post that asked for something similar:

https://community.superoffice.com/en/technical/Forum/rooms/topic/superoffice-product-group/crm-web-application/third-party-authentication-okta-with-superoffice/

I've checked the link you provided, and that's the exact same issue, and the configuration that guy has is similar to mine. The only thing that differs is that I didn't contact Okta support yet. But I think I'll try it also - if you have any suggestions, it's obviously greatly appreciated - if I figure something out through Okta support, I'll obviously keep you all updated.

So when you're saying SuperOffice does not support Okta - does that mean that you specifically do not support Okta / Auth0-like services, or that you haven't tested compatibility? I mean, OIDC is OIDC after all, right?

- or is there something I didn't understand correctly?

Thanks anyway as always :)

 

By: Dennis Aagaard Mortensgaard 26. Jun 2020

RE: Using SuperOffice as external identity provider for services like Okta or Auth0

Hi Dennis,

Yes, OIDC is just OIDC, built on top of OAuth 2.0. Anything you find out about this error from Okta when connecting to SuperOffice would be appreciated. We of course would like to be reachable in that sense.

In terms of 'SuperOffice does not support Okta', that was meant when looking at SuperOffice as an Identity Provider Gateway, like we are for SuperID, Azure AD and Google. We have looked into supporting others, such as Okta and Auth0, but haven't had a demand for it - resulting in low priority.

But coming back to the original point, yes, as long as the other platform can connect to an OIDC identity provider, then connecting to SuperOffice endpoints, as outlined in the metadata JSON doc, should be doable.

Be aware though that SuperOffice does not have a UserInfo endpoint - an optional OIDC endpoint, so that could possibly cause problems with certain libraries. Most libraries have the possibility to ignore that endpoint, but some expect it and try to call out to it anyway. That would be problematic.

Best regards!

 

By: Tony Yates 29. Jun 2020
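
A relying party can check a provider's metadata document up front for the situation described in the last reply, where the optional UserInfo endpoint is absent. The following is an added example, not code from this thread or from SuperOffice; the issuer and endpoint URLs are constructed placeholders and `audit_metadata` is a hypothetical helper name.

```python
import json

# Metadata fields that OpenID Connect Discovery 1.0 marks REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

# Constructed sample (placeholder URLs): a provider with no userinfo_endpoint.
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/oauth/authorize",
  "token_endpoint": "https://idp.example.test/oauth/tokens",
  "jwks_uri": "https://idp.example.test/.well-known/jwks",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")


def audit_metadata(meta, expected_issuer):
    """Return (severity, message) findings a relying party should act on."""
    findings = []
    for field in REQUIRED:
        if not meta.get(field):
            findings.append(("error", f"missing required field: {field}"))
    # The issuer must match exactly; it is later compared to the ID token's iss claim.
    if meta.get("issuer") != expected_issuer:
        findings.append(("error", "issuer does not match the configured issuer"))
    # token_endpoint is required unless only the implicit flow is offered.
    uses_code = any("code" in rt.split() for rt in meta.get("response_types_supported", []))
    if uses_code and not meta.get("token_endpoint"):
        findings.append(("error", "code flow offered but token_endpoint is missing"))
    for key, value in meta.items():
        if key.endswith(("_endpoint", "_uri")) and not str(value).startswith("https://"):
            findings.append(("error", f"{key} is not an https URL"))
    # userinfo_endpoint is only RECOMMENDED; without it claims come from the ID token.
    if not meta.get("userinfo_endpoint"):
        findings.append(("warning", "no userinfo_endpoint: read claims from the "
                         "validated ID token and disable the client's UserInfo call"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_metadata(SAMPLE_METADATA, "https://idp.example.test"):
        print(f"{severity}: {message}")
```
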