Integrating Okta Authentication with ScienceLogic PowerFlow
Enabling SSO Authentication for PowerFlow
ScienceLogic PowerFlow supports external authentication via Dex, which bridges OpenID Connect (OIDC) Identity Providers (IdPs) like Okta to PowerFlow. This guide outlines configuring Okta as an OIDC IdP, enabling user and group-based login.
- Important: All third-party IdP related configurations should be performed by the organization’s Identity and Access Management (IAM) team and must comply with corporate security policies.
- SaaS Deployments: This article applies to on-premises instances of PowerFlow. For SaaS-hosted PowerFlow, submit a request via the ScienceLogic Support Portal with your Dex connector config.
Overview
This guide walks through the following:
- Setting up Okta as an OIDC IdP
- Making Okta’s /default server accessible to Dex
- Optionally including group claims
- Configuring the Dex connector
- Supporting group/non-group logins
- Testing and Validation
- Summary
Prerequisites
Before beginning, ensure the following are available:
- Access to Okta admin console (e.g. <org>.okta.com)
- A DNS name or IP for Dex callback endpoint (e.g. https://<IP>:5556/dex/callback)
- Admin Okta account
Step 1: Register a Web App in Okta
Start by creating a new OIDC app integration in Okta:
- Navigate to Applications → Create App Integration
- Choose:
- Sign-in method: OIDC – OpenID Connect
- Type: Web App
- Configure the application:
- App Integration Name: PowerFlow
- Grant type: Authorization Code (Default)
- Sign-in redirect URI: https://<IP>:5556/dex/callback
- Sign-out redirect URI: https://<IP>:5556/logged-out.html
- Controlled access: Skip group assignment for now
- Click Save, then record the Client ID and Client Secret; both are required to configure the Dex connector in Step 5. Treat the Client Secret as a credential and store it in your secrets manager, not in a ticket or chat.
Step 2: Assign Users or Groups
- Click Assignments within the newly created application.
- Assign to individuals or pre-created groups
Step 3: Allow Access to Okta’s /default Authorization Server
Okta's custom authorization server (/oauth2/default) only issues tokens to clients that match an access policy rule. A rule is needed both to let the PowerFlow (Dex) client use the server and to allow the groups scope, without which the groups claim is never placed in the token.
To configure access:
- Go to Security → API → Authorization Servers → default → Access Policies
- Add/Edit a policy rule:
- Name: Allow Dex
- Assign to: the PowerFlow client (prefer this over "All clients" so the rule grants no more than Dex needs)
- Grant Types: Authorization Code. Dex uses the authorization code flow; Implicit is not required and should stay disabled unless another client on this server depends on it
- Scopes: Ensure openid, email, profile, and optionally groups are allowed
- Save and activate the rule
Step 4: Include Group Claims in ID Tokens (Optional)
If group-based access is desired, a custom claim must be added:
- Go to Security → API → Authorization Servers → default → Claims
- Click Add Claim:
- Name: groups
- Token: ID Token
- Enable Always include in token
- Value type: Groups
- Filter: Matches regex, with a pattern such as .* to include every group. Prefer a narrower pattern (for example one matching only the PowerFlow groups), since .* publishes the user's complete group membership in every ID token
- Include in: Any scope, or only the groups scope
- Save the claim
This ensures group data is included in tokens Dex uses to perform identity mapping.
Step 5: Configure the Dex Connector
Edit '/etc/iservices/isconfig.yml' and append the following (indentation matters in YAML; bracketed values are placeholders to replace):
DEX_CONNECTORS:
  - type: oidc
    id: okta
    name: Okta
    config:
      issuer: https://[instance].okta.com/oauth2/default
      clientID: [your-client-id]
      clientSecret: [your-client-secret]
      redirectURI: https://[powerflow-ip-or-host]:5556/dex/callback
      basicAuthUnsupported: true
      insecureSkipEmailVerified: true
      insecureEnableGroups: true
      userNameKey: email
      scopes:
        - openid
        - profile
        - email
        - groups
Note: Omit groups from scopes if not using group-based access. PowerFlow then authenticates users on the user's email address alone.
- issuer: Must match the Okta authorization server's issuer exactly (scheme, host, path, no trailing slash). Dex compares this string with the issuer published in the server's discovery document and refuses to start the connector on a mismatch
- redirectURI: Must match the sign-in redirect URI registered in the Okta app character for character (scheme, host, port and path)
- scopes: Include groups only if the groups claim from Step 4 is configured
- userNameKey: The ID-token claim used as the PowerFlow username (email here)
- basicAuthUnsupported: Sends the client ID and secret in the body of the token request instead of an HTTP Basic Authorization header
- insecureSkipEmailVerified: Lets Dex accept the email claim even when the ID token does not carry email_verified: true; leave it out first and add it only if logins fail for that reason
- insecureEnableGroups: Required for Dex's OIDC connector to read the groups claim from the ID token
- Quote the client secret (and any other value) that contains characters YAML treats specially, such as a leading bracket, colon or #
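The mismatches listed above (wrong issuer form, redirect URI drift, groups scope without insecureEnableGroups, placeholders left in) are the ones that usually surface only after the stack has been redeployed. The following script is an added example, not ScienceLogic or Dex code: it reads DEX_CONNECTORS from isconfig.yml when PyYAML is available, otherwise falls back to a constructed sample that mirrors the connector above, and reports every inconsistency it finds. The path, the registered redirect URI passed on the command line, and the sample values are assumptions for illustration.

```python
"""Pre-deploy consistency check for the PowerFlow Dex OIDC connector.

Added example (not ScienceLogic or Dex code). Run it before
'docker stack deploy' to catch the mistakes that otherwise show up as Dex
startup errors or failed logins.
"""
import re
import sys
from urllib.parse import urlparse

# Constructed sample mirroring the connector from the guide; placeholders left in on purpose.
SAMPLE_CONNECTORS = [{
    "type": "oidc",
    "id": "okta",
    "name": "Okta",
    "config": {
        "issuer": "https://[instance].okta.com/oauth2/default",
        "clientID": "[your-client-id]",
        "clientSecret": "[your-client-secret]",
        "redirectURI": "https://[powerflow-ip-or-host]:5556/dex/callback",
        "basicAuthUnsupported": True,
        "insecureSkipEmailVerified": True,
        "insecureEnableGroups": True,
        "userNameKey": "email",
        "scopes": ["openid", "profile", "email", "groups"],
    },
}]

PLACEHOLDER = re.compile(r"[\[\]<>]")  # bracketed values never replaced by real ones


def check_connector(conn, registered_redirect_uri):
    """Return a list of findings for one DEX_CONNECTORS entry (empty list means OK)."""
    findings = []
    cfg = conn.get("config", {})
    if conn.get("type") != "oidc":
        findings.append("type must be 'oidc' for an Okta OIDC connector")

    issuer = str(cfg.get("issuer", ""))
    parsed = urlparse(issuer)
    if parsed.scheme != "https":
        findings.append("issuer must use https; the client secret and tokens travel on it")
    if issuer.endswith("/"):
        # Dex compares this string with the 'issuer' field of Okta's discovery document,
        # which has no trailing slash, so a trailing slash fails that comparison.
        findings.append("issuer has a trailing slash; it must match Okta's issuer exactly")
    if not re.search(r"/oauth2/[^/]+$", parsed.path or ""):
        findings.append("issuer does not look like an Okta authorization server (/oauth2/<id>)")

    for key in ("clientID", "clientSecret", "issuer", "redirectURI"):
        if PLACEHOLDER.search(str(cfg.get(key, ""))):
            findings.append(f"{key} still contains a placeholder")

    if cfg.get("redirectURI") != registered_redirect_uri:
        findings.append("redirectURI differs from the sign-in redirect URI registered in Okta")

    scopes = cfg.get("scopes") or []
    if "openid" not in scopes:
        findings.append("scopes must include openid")
    wants_groups = "groups" in scopes
    if wants_groups and not cfg.get("insecureEnableGroups"):
        findings.append("groups scope requested but insecureEnableGroups is not true")
    if cfg.get("insecureEnableGroups") and not wants_groups:
        findings.append("insecureEnableGroups is true but the groups scope is not requested")

    if not cfg.get("userNameKey"):
        findings.append("userNameKey is unset; PowerFlow matches users on this claim (email)")
    return findings


def load_connectors(path="/etc/iservices/isconfig.yml"):
    """Load DEX_CONNECTORS from isconfig.yml; fall back to the embedded sample offline."""
    try:
        import yaml  # PyYAML, optional
        with open(path) as fh:
            return yaml.safe_load(fh).get("DEX_CONNECTORS", [])
    except (ImportError, OSError, AttributeError):
        return SAMPLE_CONNECTORS


if __name__ == "__main__":
    # Usage: python check_dex.py https://<powerflow-host>:5556/dex/callback
    registered = sys.argv[1] if len(sys.argv) > 1 else "https://powerflow.example.com:5556/dex/callback"
    for conn in load_connectors():
        for finding in check_connector(conn, registered) or ["OK"]:
            print(f"{conn.get('id', '?')}: {finding}")
```

Pass the exact sign-in redirect URI from the Okta app as the first argument; the script compares it as a string, which is also how Okta compares it at login time.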
Apply Configuration
1. Redeploy the Docker stack so Dex picks up the new connector:
# Remove the running stack
docker stack rm iservices
# Wait until no iservices_* services remain before redeploying
docker service ls
# Redeploy
docker stack deploy -c /opt/iservices/scripts/docker-compose.yml iservices --resolve-image never
# Verify all services report the expected replica counts
docker service ls
2. Monitor the Dex logs for connector startup errors (for example an issuer mismatch):
docker service logs -f iservices_dexserver
Step 6: PowerFlow User and Groups Configuration
In PowerFlow UI:
- Go to Admin Panel → Add User Group:
- Name the user group exactly as the Okta group is named (e.g., Operator); the match is on the group name delivered in the groups claim. Where group-based access is not configured in the IdP, use the user's email address instead
- Assign permissions
- Click Create User Group
Step 7: Testing and Validation
1. Verify Authentication:
- Access the PowerFlow login page and initiate OIDC login.
- Confirm redirection to Okta and successful login.
2. Monitor Dex Logs:
# docker service logs -f iservices_dexserver
Check for success:
login successful: connector "okta", username="jane.doe@domain.com", email="jane.doe@domain.com", groups=["Operator"]
The connector value is the id set in the Dex connector config (okta above). If groups is empty or missing here while the user is in an Okta group, the groups claim is not reaching Dex; see Troubleshooting.
Step 8: Troubleshooting
Issue | Solution
---|---
Groups scope not exposed (groups missing or empty in the Dex log) | Check that the access policy rule on the default authorization server allows the groups scope and that the groups claim from Step 4 is attached to the ID token with a filter that matches the user's groups
Redirect URI mismatch | Check that Dex's redirectURI exactly matches the Okta app's sign-in redirect URI, including scheme, host, port and path
Refer to Step 7.2 above for details on reviewing the Dex logs.
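When the Dex log shows a login without groups, the quickest way to tell whether the problem is on the Okta side or the Dex side is to look at the ID token Okta actually issues. The script below is an added example, not ScienceLogic, Dex or Okta code: it decodes the payload of a JWT without verifying the signature (a diagnostic aid only, never a basis for an authentication decision) and compares iss, aud, groups, email and exp against the connector settings. The sample token is constructed inline with a dummy signature; the issuer and client ID values are assumptions. On a real system, paste a token obtained from the authorization server's Token Preview tab in the Okta admin console or from a browser capture.

```python
"""Diagnose an Okta ID token against the PowerFlow Dex connector settings.

Added example (not ScienceLogic, Dex or Okta code). The signature is NOT
verified: use this only to inspect claims, never to trust them.
"""
import base64
import json
import time


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    """Encode a JSON object as an unpadded base64url segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Return the claims of a compact JWT. Signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_id_token(token, expected_issuer, client_id, now=None):
    """Compare ID-token claims with the Dex connector; return (claims, findings)."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    findings = []

    if claims.get("iss") != expected_issuer:
        # The connector issuer must equal this string exactly (no trailing slash).
        findings.append(f"iss {claims.get('iss')!r} != connector issuer {expected_issuer!r}")

    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        findings.append("aud does not contain the connector clientID")

    if "groups" not in claims:
        findings.append("no groups claim: check the claim in Step 4 and the groups scope in the access policy")
    elif not claims["groups"]:
        findings.append("groups claim is empty: the user is in no group matching the claim filter")

    if not claims.get("email"):
        findings.append("no email claim: userNameKey=email gives Dex nothing to map")
    if not claims.get("email_verified", False):
        findings.append("email_verified is not true: Dex needs insecureSkipEmailVerified to accept the email")
    if claims.get("exp", 0) < now:
        findings.append("token is expired")
    return claims, findings


def make_sample_token(claims):
    """Build a constructed, unsigned token (dummy signature) for offline testing."""
    header = {"alg": "RS256", "kid": "constructed"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.c2ln"


# Constructed claims mirroring the successful login in the guide (assumed issuer/client).
SAMPLE_CLAIMS = {
    "iss": "https://example.okta.com/oauth2/default",
    "aud": "0oaexampleclientid",
    "sub": "00uexample",
    "email": "jane.doe@domain.com",
    "email_verified": True,
    "groups": ["Operator"],
    "iat": 1700000000,
    "exp": 1700003600,
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    claims, findings = diagnose_id_token(
        token, "https://example.okta.com/oauth2/default", "0oaexampleclientid", now=1700000100)
    print(json.dumps(claims, indent=2))
    for finding in findings or ["no problems found"]:
        print("-", finding)
```

If the token itself lacks the groups claim, the fix is in Okta (Step 3 policy rule or Step 4 claim); if the token carries it but the Dex log still shows no groups, the connector is missing the groups scope or insecureEnableGroups.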
Summary
Integrating Okta (or another OIDC IdP) with PowerFlow via Dex centralizes authentication in the IdP, simplifies access, and supports both user- and group-based login. By following the steps above and verifying the token and log output, organizations can enable SSO while keeping access controls intact. For assistance, contact ScienceLogic Support.
For further details related to PowerFlow authentication and DEX connectors, refer to the official ScienceLogic documentation.