Okta Single Sign-On (SSO) Setup

To create a new 6Clicks application (type: SPA OpenID Connect) in Okta, you will need administrative permissions. The steps are:

  1. Create groups matched to 6clicks roles.

  2. Create the application.

  3. Assign the groups to the application.

  4. Assign group claims from the assigned groups to your ID token.

Okta: Create Groups

The SSO process is used to allocate 6clicks roles to each user. This requires each user to be in a group that matches at least one valid 6clicks role, displayed in the 6clicks SSO dashboard.

In Okta → Directory → Groups → Add group. Each 6clicks role needs to be added as a group whose name carries the prefix ‘6clicks-role-’:

  • 6clicks-role-Administrator

  • 6clicks-role-Users

  • 6clicks-role-CustomRole1

Okta: Create the Application

  • Log in to the Okta admin console.

  • Select Applications from the Applications menu. Click on the "Create App Integration" button.

  • Select OIDC - OpenID Connect

  • Select "Single-Page App (SPA)" as the platform type.

Finish setting up the Application

  • Give the application a name, such as "6Clicks - Tenant Name"

  • Download a 6clicks logo from our Media Kit: https://www.6clicks.com/hubfs/6clicks%20Brand%202023/Logo/6clicks%20Logo%20Lime.png

  • Grant type should be set to ‘Authorization Code’.

  • Sign-in redirect URIs: https://{6clicks host name}/account/login (e.g. https://app-au.6clicks.io/account/login)

  • Sign-out redirect URIs: https://{6clicks host name}/account/login (e.g. https://app-au.6clicks.io/account/login)

  • Assignments: <add in the groups created in the previous step>.


Enable Login from Okta Dashboard

  • In the application General Settings select 'edit'

  • Untick ‘require consent’.

  • Change ‘login initiated by’ to ‘Either Okta or App’.

  • Application visibility: tick both boxes as required.

  • Login flow: Redirect to the app to initiate login (OIDC Compliant).

  • Initiate login URI: https://{6clicks host name}/account/initiate-sso?clientId={client Id of Okta application} (e.g. https://app-au.6clicks.io/account/initiate-sso?clientId=0o12vabsj123)
  • Save.


Save the Client ID

The Client ID of your new Okta application will be required to finish the 6clicks setup, so please copy and save it somewhere for later.

Okta: Add Groups to ID Token

Okta has two different types of authorization server: the Okta Organisation Authorization Server (commonly called the "org authorization server") and Custom Authorization Servers (which include the ‘default’ custom server). Below are the instructions for both types of auth server.

Using a custom Okta authorization server

Custom Server Issuer URI

The issuer URI is shown for all the custom authorization servers within the Okta Admin Console under Security → API → Authorisation servers. Copy the relevant Issuer URI to add to your 6clicks SSO setup.

Edit the custom authorization server you wish to use. We will be setting up a custom claim and a custom access policy, and using the existing ‘profile’ scope defined by the OpenID Connect specification. Our example will use the default custom server, but you can use any custom server your organization is already using or add a new one.

Custom Claim

In the Claims tab, click add claims.

  • Name: 6clicksRoles (it has to be this name).

  • Include in token type: ID Token Always.

  • Value type: Groups

  • Filter: Starts with 6clicks-role-

  • Include in: The following scopes: profile.

Custom Access Policies

Head to the Access Policies tab and choose ‘Add New Access Policy’. Name the policy and assign it to your 6clicks application.

Now you will need to add at least one rule, by selecting your policy and clicking the ‘Add rule’ button.

The rule should be set up with the following attributes:

  • Rule name: Free format.

  • The grant Type is: Authorization Code.

  • User is Any user assigned to the app.

  • Scopes requested: The following scopes: openid profile email groups.

We recommend disabling the default Okta policy. The access token and refresh token lifetimes can be configured to align with your risk tolerance.

Testing your Token

You can now test that the roles claim (6clicksRoles), populated with the user's 6clicks-role- groups, is added to an ID Token for this application. Please ensure that the setup above is finished and you have at least one user assigned to a valid 6clicks group within Okta.

Click on the Token Preview tab.

  • OAuth/OIDC client: your 6clicks application.

  • Grant type: Authorization code.

  • The user must be assigned to a valid group, which needs to be assigned to the application (see above).

  • Scopes: openid profile email

You should see a roles attribute in the id_token with the corresponding groups.

Using the Okta Organisation Server (org server)


We recommend using an Okta custom authorization server where possible. If you need to use the Okta org server, it is important to tick the ‘Include Groups Scope in Authorisation' option in 6clicks.

Org Server Issuer URI

The Issuer URI for the Okta org auth server is https://{yourOktaDomain}. You will need this to finish the 6clicks setup, so please note it down somewhere.


Setting up the Group Claim

In the application Sign On tab, click ‘edit’ in the OpenID Connect ID Token section.

  • Keep the group claim type as Filter. Name the claim 6clicksRoles and set the filter to ‘Starts with’ 6clicks-role-.

Now, when a user logs into the "6Clicks - Tenant Name" application, the group claims will be included in the ID token, with the group names being the role names.
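Whether the 6clicksRoles claim comes from a custom server claim (Claims tab, above) or from the org server group-claim filter (this section), the resulting ID token should carry only groups that start with 6clicks-role-, and the group names become the role names. The following is an added illustration, not code from 6clicks or Okta: it reproduces the ‘Starts with’ filter, maps group names to role names, and checks a decoded ID token payload the way you would when inspecting Token Preview output. The Okta domain, Client ID and token are constructed sample values, and signature verification against the Okta JWKS is deliberately out of scope here.

```python
import base64
import json

ROLE_PREFIX = "6clicks-role-"   # filter prefix from the setup above
CLAIM_NAME = "6clicksRoles"     # required claim name from the setup above


def filter_groups(okta_groups):
    """Reproduce the Okta 'Starts with 6clicks-role-' group filter."""
    return sorted(g for g in okta_groups if g.startswith(ROLE_PREFIX))


def groups_to_roles(claim_groups):
    """Strip the prefix so each group name becomes the 6clicks role name."""
    return [g[len(ROLE_PREFIX):] for g in claim_groups]


def _b64url_decode(segment):
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def check_id_token(id_token, issuer, client_id):
    """Return (ok, problems, roles) for a compact-JWS id_token payload.

    Only the payload is inspected (as in the Token Preview tab); signature
    verification against the Okta JWKS is not performed here (assumption).
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return False, ["token is not a compact JWS"], []
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the Issuer URI")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud does not match the Okta Client ID")
    groups = claims.get(CLAIM_NAME) or []
    unexpected = [g for g in groups if not g.startswith(ROLE_PREFIX)]
    if unexpected:
        problems.append(f"unexpected groups in {CLAIM_NAME}: {unexpected}")
    roles = groups_to_roles([g for g in groups if g.startswith(ROLE_PREFIX)])
    if not roles:
        problems.append(f"{CLAIM_NAME} claim missing or empty")
    return not problems, problems, roles


def sample_id_token(claims):
    """Build an unsigned, constructed sample token for offline testing only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

A real token from Okta is RS256-signed; the unsigned sample is only a stand-in so the claim checks can run offline.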

Finish 6clicks Setup

You should now have an Okta Client (application) ID and an Issuer URI. Armed with this information head back to 6clicks to finish the 6clicks SSO setup.