Configuring OKTA SSO for the Personal Archive VSTO Add-In

How to configure OKTA SSO for the Personal Archive VSTO Add-In

Overview

This article describes how to configure Okta Single Sign-On (SSO) for the Personal Archive (PA) Outlook VSTO Add-In. It covers user setup, application integration, group configuration, client credential configuration, and authorization policy configuration in the Okta Admin Console.

Prerequisites

Before you begin, ensure that the following requirements are met:

• Access to the Okta Admin Console.
• The Personal Archive VSTO Add-In is deployed.
• Required users are available in Okta.
• You have permission to create and configure applications and authorization policies in Okta.

Configuration process

Add Users in Okta

1. In the Okta Admin Console, go to Directory > People.
2. Add new users if required.
3. Confirm that the target users appear in the active users list. Refer to the sample image below:

Manage Groups in Okta

1. In the Okta Admin Console, go to Directory > Groups.
2. Locate and open the default Everyone group. This group includes all users by default Refer to the sample image below:

Create Application Integration

1. Go to Applications > Applications.
2. Click Create App Integration and select OIDC - OpenID Connect and choose Native App.

Example App Created: App Name: VSTO AddIn / Client ID: 0oanp3azxgjeqcLz55d7

Configure Client Credentials For Application

App Settings (General tab):

• Client authentication: None (PKCE flow enabled)
• PKCE: Require PKCE as additional verification
• App type: Native

Login URIs:

• Sign-in redirect URI: http://localhost:5000/authorization-code/callback.
• Sign-out redirect URI: http://localhost:5000/signout

Federation Broker Mode

• Please set Federation Broker Mode as disabled.

Important Information for Configuring the OKTA SSO Provider

Record the following key values, as these will be referenced in the application configuration file for the OKTA SSO provider. (These values varies with customer):

• Domain: https://dev-47544291.okta.com 
• Client ID: 0oanp3azxgjeqcLz55d7
• Redirect URI: http://localhost:5000/authorization-code/callback 

Retrieve the Domain (Issuer URL): 

1. In the Okta Admin Console, select Security > API > Authorization Servers. 
2. Click the "default" authorization server.
3. Under the Settings tab, locate the Issuer field. The Issuer looks like https://dev-xxxxxxx.okta.com/oauth2/default.
4. From this, extract the domain portion - https://dev-xxxxxxx.okta.com. Use this domain value in your configuration file.

Configure Sign-On Settings for Application

1. Inside the selected app, access the Sign On tab.
2. Specify the following settings:

• Sign-on method: OpenID Connect
• Token Credentials:
• Signing credential rotation: Automatic
• OpenID Token Settings:
• Issuer: Dynamic (based on request domain)

Note: If the Password-only authentication policy is unavailable, create a custom authentication policy with a password-only rule and assign it to the target application.

Assign Users to the Application

1. Inside the app, access the Assignments tab.
2. Click Assign > Assign to People.
3. Assign the app to intended users.

Add an Authorization Server Access Policy and Rule **important**

1. In Okta Admin, select Security > API > Authorization Servers.
2. Open default.
3. On the Access Policies tab, do the following:
   
4. Click Add New Access Policy, and specify the following:
   
5. Inside that new policy, click Add Rule and set the Grant type as shown below.
   
   - User Is: Any user
   - Scopes: include everything your app requests. Select “The following scopes” and click “OIDC default scopes” link, then the necessary scopes will be populated for you. Just use these scopes.
   
6. Click Save.

Note:

• Authentication Policy controls how a user proves identity (for example, password or MFA).
• Authorization Server Access Policy controls whether tokens are issued for a specific client, scope, and grant type.