How to configure OpenID Connect authentication with Okta on the TIBCO Spotfire Server

Article ID: KB0075873

Products Versions
Spotfire Server 7.8 and higher

Description

This article describes the steps to configure OpenID Connect authentication with Okta on the TIBCO Spotfire Server.

Resolution

  1. Register an Okta account at https://developer.okta.com/pricing/ and copy your Okta URL (for example: https://dev-186893.oktapreview.com/) after signing up.
  2. Sign in using your Okta URL with the desired credentials.
  3. Change the dashboard to “Classic UI” using the “Developer Console” dropdown in the upper left-hand corner.
  4. The first step after switching to the Classic UI is to create an application. Click Applications > Add Application > Create New App, choose ‘Web’ because the application is web based, and then select OpenID Connect.
  5. This opens a screen where you can enter an application name and the Login redirect URL, which is the return endpoint URL from Spotfire.
  6. To obtain the “Return endpoint URL”, go back to the Spotfire Server, open the TIBCO Spotfire Server Configuration Tool, navigate to the "Configuration" tab, and click "OpenID Connect". Make sure you turn on Public Address first (save the public address change to the database, then restart the TIBCO Spotfire Server).
  7. After you turn on the public address, navigate back to "OpenID Connect" and click "Copy URL" to copy the endpoint URL.
  8. Go back to the Okta portal and provide the redirect URL. After application registration is complete, you can adjust settings such as "Allowed grant types" and "Login initiated by" to suit your needs. For example, below are the adjustments that we have tested internally.

**Important Note**:
For TIBCO Spotfire Server versions 10.7 and below: Set the 'Login Initiated by' option to "APP" instead of "Either Okta or App". The latter is not applicable to the Spotfire application, because Okta can only initiate the login for Web and SPA apps with the "implicit" grant type, whereas Spotfire by default uses the "Authorization code" workflow.

For TIBCO Spotfire Server versions 10.8 and higher: Spotfire now supports third party initiated login (https://community.spotfire.com/articles/spotfire/whats-new-spotfirer-108/) which in the Okta case means that you could start an authentication flow by clicking the Spotfire app in the Okta portal.

To configure this you specify the following:
  • "Login initiated by": "Either Okta or App"
  • "Login flow": "Redirect to app to initiate login (OIDC Compliant)"
  • "Initiate login URI": https://example.com/spotfire/auth/oidc/v1/initiate
Due to an Okta limitation (that has been reported and will hopefully be resolved soon) you also need to ensure that "Implicit (Hybrid)" is selected under "Allowed grant types" (Spotfire will still only use the Authorization Code flow).

  9. Copy the client ID and client secret for use in Step 11.
  10. Click on Assignments and assign the application to the users or groups.
  11. Go back to the TIBCO Spotfire Server Configuration Tool, enable “Okta”, and build the discovery document URL from your Okta URL in a format like "https://dev-464575-admin.oktapreview.com/.well-known/openid-configuration" (Note: this Discovery Document URL returns OpenID Connect metadata about your authorization server. This information can be used by clients to programmatically configure their interactions with Okta). Copy the URL into "Discovery document URL", and add the "Client ID" and "Client secret" copied in Step 9. Name the provider and then click "Save configuration". Note: This external URL must be accessible from the TIBCO Spotfire Server machine.
  12. Restart the TIBCO Spotfire Server service and launch the Spotfire web interface in the web browser. You will now see a button for Okta authentication.
  13. Clicking the Okta button redirects you to the Okta application login screen, where you provide the user credentials.
  14. You will then be redirected to the TIBCO Spotfire web application portal, where you are now logged in.
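
A pre-flight check for the discovery document URL entered in step 11, added here as an example (it is not TIBCO or Okta code). It verifies that the document is served over HTTPS, that its issuer matches the URL it was fetched from, and that the Authorization Code flow is advertised. The host idp.example.test, the sample document and the function names are constructed for illustration.

```python
import json
import sys
import urllib.request
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(url, doc):
    """Return a list of problems in an OIDC discovery document (empty = OK)."""
    if urlsplit(url).scheme != "https" or not url.endswith(SUFFIX):
        return ["discovery URL must be https and end with " + SUFFIX]
    problems = []
    for key in ENDPOINTS:
        value = doc.get(key)
        if not isinstance(value, str) or urlsplit(value).scheme != "https":
            problems.append(key + " missing or not https")
    # OIDC Discovery 1.0: issuer must equal the discovery URL minus the suffix.
    if doc.get("issuer") != url[: -len(SUFFIX)]:
        problems.append("issuer does not match discovery URL")
    # The article states that Spotfire uses the Authorization Code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # grant_types_supported is optional; its spec default is the list below.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("grant type 'authorization_code' not advertised")
    return problems

def fetch(url, timeout=10):
    """Download the document; success shows the URL is reachable from this host."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-https discovery URL")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample document (placeholder host, not a real Okta org).
SAMPLE_URL = "https://idp.example.test" + SUFFIX
SAMPLE_DOC = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/v1/token",
    "jwks_uri": "https://idp.example.test/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_URL
    print(check_discovery(url, SAMPLE_DOC if url == SAMPLE_URL else fetch(url)) or "OK")
```

Run it on the TIBCO Spotfire Server machine with your own discovery document URL as the only argument; a network error from `fetch` means the server cannot reach Okta.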

Issue/Introduction

Configuring OpenID Connect authentication with Okta