T15-2026 - How to integrate OKTA with Discoverant 2026 SP1

Program

BIOVIA Discoverant

Operating System

All supported operating systems

Description

This document outlines the configuration steps required to integrate Okta with Discoverant applications. To support this integration, two application types must be configured:

• Web Application (for Discoverant Web Applications)
• Native Application (for Discoverant Rich Client)

OKTA Configuration Guide

Web Application Configuration

1. Sign in to your Okta account as an administrator.
2. In the Okta Admin Console, navigate to Applications > Applications.
3. Click Create App Integration.
4. In the Create a new app integration dialog box,
   1. Select OIDC – OpenID Connect as the sign-in method.
   2. Select Web Application as the application type.

   3. Click Next.

      The New Web App Integration screen appears.

5. Configure the General Settings:

   1. In the App Integration name field, enter a recognizable name.

      For example: My Web App

   2. Under Grant type, select Authorization Code.
6. Configure Sign-in Redirect URIs:

   1. In the Sign-in redirect URIs field, add each of the following URIs.

      https://[HOST_NAME]:[PORT_NUMBER]/discoverant-admin/oktaCallback
      https://[HOST_NAME]:[PORT_NUMBER]/discoverant-hvu/oktaCallback
      https://[HOST_NAME]:[PORT_NUMBER]/discoverant-kn/oktaCallback
      https://[HOST_NAME]:[PORT_NUMBER]/discoverant-primr/oktaCallback
      https://[HOST_NAME]:[PORT_NUMBER]/discoverant-quickassist/json/okta_callback
      https://[HOST_NAME]:[PORT_NUMBER]/discoverant-ws/oktaCallback
      https://[HOST_NAME]:[PORT_NUMBER]/discoverant-hdml-api/oktaCallback

Notes:

• The hostname in all redirect URIs must be lowercase. Using uppercase may cause authentication failure.
• If you use multiple hostnames, add each hostname individually or enable wildcard support (if allowed), For example: https://*.dsone.3ds.com:18443/discoverant-admin/oktaCallback

7. Configure Sign-out Redirect URIs:

   1. In the Sign-out redirect URIs field, add the following URI to enable PRIMR double signature:

      https://[HOST_NAME]:[PORT_NUMBER]/discoverant-primr/oktaLogout

      Note: The hostname in all redirect URIs must be lowercase. Using uppercase may cause authentication failure.

   2. Click Save to complete the Web Application configuration.

Retrieve Client ID and Client Secret to use in Discoverant

After creating the application, retrieve the credentials required for the Discoverant configuration.

1. In the Okta Admin Console, navigate to Applications > Applications.
2. Select your application, and then open the General tab.
3. Under Client Credentials, ensure Client Authentication is set to Client Secret.
4. Copy the Client ID.
5. Under Client Secrets, click Generate new secret, and then copy the Client Secret.

Native Application Configuration

1. Sign in to your Okta account as an administrator.
2. In the Okta Admin Console, navigate to Applications > Applications.
3. Click Create App Integration.
4. In the Create a new app integration dialog box,
   1. select OIDC – OpenID Connect as the Sign-in method.
   2. Select Native Application as the Application type.

   3. click Next.

      A New Native App Integration screen appears.

5. Configure General Settings:

   1. In the App Integration name field, enter a recognizable name.

      For example: My Native App

   2. Under Grant type, select Authorization Code.
6. Configure Sign-in Redirect URIs,

   1. In the Sign-in redirect URIs field, add the following URIs.

      https://[HOST_NAME]:[PORT_NUMBER]/discoverant-web-util/okta-Callback

Note: The hostname in all redirect URIs must be lowercase. Using uppercase may cause authentication failure.

1. Click Save to complete the Native Application configuration.

Retrieve Client ID to use in Discoverant

After creating the application, retrieve the credentials required for the Discoverant configuration.

1. In the Okta Admin Console, navigate to Applications > Applications.
2. Select your application, and then open the General tab.
3. Under Client Credentials, ensure Client Authentication is set to None and PKCE (Proof Key for Code Exchange) is enabled. This is required for secure authorization in native applications.
4. Copy the Client ID.

Users and Group Assignment

After configuring each application, you must assign users or groups who are permitted to use it. Repeat this step for both the Web Application and Native Application.

1. In the Okta Admin Console, navigate to Applications > Applications.
2. Select your application, and then open the Assignments tab.
3. Click Assign, then choose either of the following:

• Assign to People - Add individual users
• Assign to Groups - Add groups

4. Click Done.

Additional Configuration for Org Authorization Server

You can choose to use either the Okta Org Authorization Server (default, non-customized) or a customized authorization server. If you are using the Okta Org Authorization Server (default, non-customized), enable the following settings to ensure compatibility with Discoverant authentication.

1. In your application, go to the General tab, and locate the General Settings section.
2. Click Edit, then navigate to Advanced Settings for Grant type and expand it.
3. Enable the following options:

• Implicit (Hybrid)
• Allow ID Token with implicit grant type

4. Click Save.

Group Claims Configuration

To ensure that user group information is included in the ID token for Discoverant authorization, configure group claims as follows:

1. In the Okta Admin Console, navigate to Applications > Applications.
2. Select your application, and then open the Sign On tab.
3. Expand Show legacy configuration  under Token claims.
4. Click Edit.
5. Configure the Group Claims settings:

a. In the Group claim type field, select Filter.

b. In the Group claim filter section, choose one of the following options based on your         requirement:

• Matches regex - to include groups using a regular expression pattern.
• Starts with - to include groups based on a naming prefix.

c. To include all groups, select Matches regex and enter:  .*

6. Click Save to apply the configuration.

Configuration for Custom Authorization Server (Optional)

If you use a custom Authorization Server, additional configuration is required to include group claims.

Access Authorization Server

1. In the Okta Admin Console, navigate to Security > API > Authorization Servers.
2. Perform one of the following actions:

• Select an existing Authorization Server, or
• Click Add Authorization Server to create a new one.

Claims Configuration

1. Open the selected Authorization Server.
2. Navigate to the Claims tab.
3. Click Add Claim, and configure the following:

• Name: groups (must be exactly "groups")
• Include in token type: ID Token (Always)
• Value type: Groups

4. Under Filter, configure one of the following:

• Use an appropriate filter based on your group structure, or
• To include all groups, select Matches regex and enter:  .*

5. Under Include in, select Any scope.
6. Click Create to save the claim.

Access Policy Configuration

1. Navigate to the Access Policies tab for the selected Authorization Server.
2. Create a policy if one does not already exist.
3. Under the policy, click Add rule.
4. Configure the rule with the following settings:

• Authorization Code should be selected for Grant type.
• Client Credentials and Device Authorization grant types should be unselected.

5. Configure additional settings (such as user conditions, scopes, and token lifetime) based on your organizational requirements.
6. Click Create rule to save the configuration.

Additional Notes

• Any settings not explicitly mentioned in this document may be left as default or configured as needed.
• Ensure consistency between configured values and your Discoverant environment.

How to contact BIOVIA Support

If you have any questions, please contact BIOVIA Support.