This document explains how to configure your Diskover system with Okta OAuth. We'll go through each setting in Diskover and call out where it is found in Okta.
In your Diskover UI, navigate to Diskover Admin → Web → OAUTH:
Starting at the top ->
Enable OAuth2 Logins: This must be checked for OAuth2 workflows to work. It is highly advised that you know your local admin login credentials before toggling this on OR off, so that a misconfiguration doesn't lock you out of the system.
OAuth2 Client ID and OAuth2/Okta Client Secret: In Okta, go to Admin Console → Applications → Diskover app (the Diskover application will need to be created in Okta):
OAuth2 Redirect URI and OAuth2 Auth Endpoint: These are your Diskover system URL appended with /login.php?callback and /login.php respectively. EX: for https://zstall.diskoverdata.com:
OAuth2 Auth Endpoint, OAuth2 Token Endpoint, OAuth2 Logout Endpoint, and OAuth2 API URL Base: For these you will need to find the specific URL in Okta for the Security → API → Authorized Servers. Clients can create a custom Authorized Server for Diskover or use the default one. The difference is that the word default in the URL becomes an ID string for a custom server. This is found in Okta in Admin Console → Security → API → Authorized Servers (in the example you can see both a default and a diskover authorized server; you do not need both):
OAuth2 API Type: Okta
OAuth2 API Token (OPTIONAL): Make sure to click the check box to enable OAuth2 Use Okta Token. The token in Okta is found in Admin Console → Security → API → Tokens. Generate a new token and copy it into Diskover (Note: the token is only exposed during creation):
OAuth2 ADMIN Groups: These are groups that will be passed from the Okta groups scope, or, if configured, a custom scope. These must match the groups in Okta exactly. Admin groups can access the Admin tab. NOTE: Admins will also need to be added to the task panel group to see both.
OAuth2 Task Panel Groups: These are groups that will be passed from the Okta groups scope, or, if configured, a custom scope. These must match the groups in Okta exactly. Users in this group will be able to see the task panel only.
OAuth2 Groups Scope: Default is groups. Can be configured in Okta. The custom scope is set in Admin Console → Security → API → Authorization Server (the one being used for diskover) → Scopes. In this example, we are using OAUTH2:
Then in Claims, you will need to add a custom claim that uses your scope and matches on the groups you want to pass to Diskover. In this example, the groups I want to pull in are OAUTH2_USER_ATTR and OAUTH_GROUP_ATTR. Because of this naming convention, in my custom claim I want to match any group with OAUTH in the name:
Now in Diskover, I can set my OAuth2 Groups Scope to OAUTH2. When users log in, Okta will now send this custom scope OAUTH2, and Diskover will know to look for it as the attribute that carries our Diskover groups to check against:
Note: If the OAuth2 Groups Scope is set as groups then ALL groups will be passed from Okta to Diskover.
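To make the group-handling rules above concrete, here is an added Python model (not Diskover's or Okta's own code) of what leaves Okta under the configured scope and what Diskover then grants. The user's Okta groups and the admin/task-panel lists are constructed sample values, the claim filter is modelled as a regex for "any group with OAUTH in the name", and the case-sensitive exact comparison is an assumption based on the statement that group names must match exactly.

```python
import re

# Constructed sample: the groups Okta holds for one user (not real data).
OKTA_USER_GROUPS = ["Everyone", "OAUTH2_USER_ATTR", "OAUTH_GROUP_ATTR", "Finance"]

# Diskover settings from the walkthrough; the two group lists are assumed values.
GROUPS_SCOPE = "OAUTH2"                   # OAuth2 Groups Scope
ADMIN_GROUPS = ["OAUTH_GROUP_ATTR"]       # OAuth2 ADMIN Groups
TASK_PANEL_GROUPS = ["OAUTH2_USER_ATTR"]  # OAuth2 Task Panel Groups


def okta_claim_value(user_groups, scope, claim_filter=r"OAUTH"):
    """Model of the Okta side: with the default 'groups' scope every group is
    passed; with a custom scope only groups matching the custom claim's filter
    (here a regex, as in 'any group with OAUTH in the name') are included."""
    if scope == "groups":
        return list(user_groups)
    return [g for g in user_groups if re.search(claim_filter, g)]


def diskover_access(token_claims, scope, admin_groups, task_panel_groups):
    """Assumed model of the Diskover side: read the claim named after the
    configured scope and compare group names exactly (case-sensitive).
    Returns which parts of the UI the user may see."""
    groups = set(token_claims.get(scope, []))
    return {
        "admin_tab": bool(groups & set(admin_groups)),
        # An admin still needs a task-panel group to see the task panel.
        "task_panel": bool(groups & set(task_panel_groups)),
    }


def evaluate(user_groups, scope=GROUPS_SCOPE, admin_groups=ADMIN_GROUPS,
             task_panel_groups=TASK_PANEL_GROUPS):
    """Chain both halves: what Okta puts in the token, then what Diskover grants."""
    token_claims = {scope: okta_claim_value(user_groups, scope)}
    return token_claims, diskover_access(token_claims, scope,
                                         admin_groups, task_panel_groups)


if __name__ == "__main__":
    claims, access = evaluate(OKTA_USER_GROUPS)
    print(claims)   # only the OAUTH* groups leave Okta under the custom scope
    print(access)   # this sample user is in both lists, so sees admin tab and task panel
```

Running it with a group whose case differs from the configured list (for example OAUTH_Group_Attr) shows the claim still leaving Okta but Diskover granting nothing, which is the failure mode a mistyped group name produces.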