# T15-2026 - How to integrate OKTA with Discoverant 2026 SP1

This document outlines the configuration steps required to integrate Okta with Discoverant applications.

## Program

BIOVIA Discoverant

## Operating System

All supported operating systems

## Description

To support this integration, two application types must be configured:

- Web Application (for Discoverant Web Applications)
- Native Application (for Discoverant Rich Client)

**IMPORTANT!** You must have Okta Administrator access to complete these configurations.

### OKTA Configuration Guide

### Web Application Configuration

1. Sign in to your Okta account as an administrator.
2. In the **Okta Admin Console**, navigate to **Applications > Applications**.
3. Click **Create App Integration**.
4. In the **Create a new app integration** dialog box:
    1. Select **OIDC – OpenID Connect** as the sign-in method.
    2. Select **Web Application** as the application type.
    3. Click **Next**.

        The New Web App Integration screen appears.
5. Configure the General Settings:
    1. In the **App Integration name** field, enter a recognizable name.

        For example: My Web App
    2. Under **Grant type**, select **Authorization Code**.
6. Configure Sign-in Redirect URIs:
    1. In the **Sign-in redirect URIs** field, add each of the following URIs.

        https://\[HOST\_NAME\]:\[PORT\_NUMBER\]/discoverant-admin/oktaCallback
        https://\[HOST\_NAME\]:\[PORT\_NUMBER\]/discoverant-hvu/oktaCallback
        https://\[HOST\_NAME\]:\[PORT\_NUMBER\]/discoverant-kn/oktaCallback
        https://\[HOST\_NAME\]:\[PORT\_NUMBER\]/discoverant-primr/oktaCallback
        https://\[HOST\_NAME\]:\[PORT\_NUMBER\]/discoverant-quickassist/json/okta\_callback
        https://\[HOST\_NAME\]:\[PORT\_NUMBER\]/discoverant-ws/oktaCallback
        https://\[HOST\_NAME\]:\[PORT\_NUMBER\]/discoverant-hdml-api/oktaCallback

**Notes:**

- The hostname in all redirect URIs must be lowercase. Using uppercase may cause authentication failure.
- If you use multiple hostnames, add each hostname individually or enable wildcard support (if allowed). For example: [https://\*.dsone.3ds.com:18443/discoverant-admin/oktaCallback](https://*.dsone.3ds.com:18443/discoverant-admin/oktaCallback)

7. Configure Sign-out Redirect URIs:
    1. In the **Sign-out redirect URIs** field, add the following URI to enable PRIMR double signature:

        https://\[HOST\_NAME\]:\[PORT\_NUMBER\]/discoverant-primr/oktaLogout

        **Note:** The hostname in all redirect URIs must be lowercase. Using uppercase may cause authentication failure.
    2. Click **Save** to complete the Web Application configuration.

### Retrieve Client ID and Client Secret to use in Discoverant

After creating the application, retrieve the credentials required for the Discoverant configuration.

1. In the **Okta Admin Console**, navigate to **Applications > Applications**.
2. Select your application, and then open the **General** tab.
3. Under **Client Credentials**, ensure **Client Authentication** is set to **Client Secret**.
4. Copy the **Client ID**.
5. Under **Client Secrets**, click **Generate new secret**, and then copy the **Client Secret**.

### Native Application Configuration

1. Sign in to your Okta account as an administrator.
2. In the **Okta Admin Console**, navigate to **Applications > Applications**.
3. Click **Create App Integration**.
4. In the **Create a new app integration** dialog box:
    1. Select **OIDC – OpenID Connect** as the sign-in method.
    2. Select **Native Application** as the application type.
    3. Click **Next**.

        The New Native App Integration screen appears.
5. Configure the General Settings:
    1. In the **App Integration name** field, enter a recognizable name.

        For example: My Native App
    2. Under **Grant type**, select **Authorization Code**.
6. Configure Sign-in Redirect URIs:
    1. In the **Sign-in redirect URIs** field, add the following URI.

        https://\[HOST\_NAME\]:\[PORT\_NUMBER\]/discoverant-web-util/okta-Callback

**Note:** The hostname in all redirect URIs must be lowercase. Using uppercase may cause authentication failure.

7. Click **Save** to complete the Native Application configuration.
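The following added example (not BIOVIA or Okta code) expands the redirect URI templates from the Web Application and Native Application sections for one server and checks each URI before it is pasted into Okta. The host name `disc01.example.com` and port used in testing are assumptions; the callback paths are the ones listed in this article.

```python
from urllib.parse import urlsplit

# Callback paths copied from the redirect URI steps in this article.
WEB_SIGN_IN = [
    "/discoverant-admin/oktaCallback",
    "/discoverant-hvu/oktaCallback",
    "/discoverant-kn/oktaCallback",
    "/discoverant-primr/oktaCallback",
    "/discoverant-quickassist/json/okta_callback",
    "/discoverant-ws/oktaCallback",
    "/discoverant-hdml-api/oktaCallback",
]
WEB_SIGN_OUT = ["/discoverant-primr/oktaLogout"]
NATIVE_SIGN_IN = ["/discoverant-web-util/okta-Callback"]
KNOWN_PATHS = set(WEB_SIGN_IN + WEB_SIGN_OUT + NATIVE_SIGN_IN)


def build_redirect_uris(host, port, paths):
    """Expand https://[HOST_NAME]:[PORT_NUMBER]<path> for one server."""
    return [f"https://{host}:{port}{path}" for path in paths]


def check_redirect_uri(uri):
    """Return findings for one URI; an empty list means it passes."""
    parts = urlsplit(uri)
    # Take the host from netloc: parts.hostname is lowercased by urlsplit,
    # which would hide the uppercase mistake this check looks for.
    host = parts.netloc.rsplit("@", 1)[-1].split(":", 1)[0]
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if host != host.lower():
        findings.append("hostname is not lowercase")
    if "*" in host:
        findings.append("wildcard hostname")
    if parts.path not in KNOWN_PATHS:
        findings.append("path is not a callback path from this article")
    if parts.query or parts.fragment:
        findings.append("query string or fragment present")
    return findings


def audit(uris):
    """Map each failing URI to its findings."""
    report = {}
    for uri in uris:
        findings = check_redirect_uri(uri)
        if findings:
            report[uri] = findings
    return report
```

A wildcard finding is informational when wildcard support is deliberately enabled; it marks entries where every host matching the pattern can receive the callback.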

### Retrieve Client ID to use in Discoverant

After creating the application, retrieve the credentials required for the Discoverant configuration.

1. In the **Okta Admin Console**, navigate to **Applications > Applications**.
2. Select your application, and then open the **General** tab.
3. Under **Client Credentials**, ensure **Client Authentication** is set to **None** and **PKCE (Proof Key for Code Exchange)** is enabled. This is required for secure authorization in native applications.
4. Copy the **Client ID**.

### Users and Group Assignment

After configuring each application, you must assign users or groups who are permitted to use it. Repeat this step for both the Web Application and Native Application.

1. In the **Okta Admin Console**, navigate to **Applications > Applications**.
2. Select your application, and then open the **Assignments** tab.
3. Click **Assign**, then choose either of the following:

- **Assign to People** - Add individual users
- **Assign to Groups** - Add groups

4. Click **Done**.

### Additional Configuration for Org Authorization Server

You can choose to use either the Okta Org Authorization Server (default, non-customized) or a customized authorization server. If you are using the Okta Org Authorization Server (default, non-customized), enable the following settings to ensure compatibility with Discoverant authentication.

1. In your application, go to the **General** tab, and locate the **General Settings** section.
2. Click **Edit**, then navigate to **Advanced Settings** for **Grant type** and expand it.
3. Enable the following options:

- **Implicit (Hybrid)**
- **Allow ID Token with implicit grant type**

4. Click **Save**.

### Group Claims Configuration

To ensure that user group information is included in the ID token for Discoverant authorization, configure group claims as follows:

1. In the **Okta Admin Console**, navigate to **Applications > Applications**.
2. Select your application, and then open the **Sign On** tab.
3. Expand **Show legacy configuration** under **Token claims**.
4. Click **Edit**.
5. Configure the **Group Claims** settings:

a. In the **Group claim type** field, select **Filter**.

b. In the **Group claim filter** section, choose one of the following options based on your requirement:

- **Matches regex** - to include groups using a regular expression pattern.
- **Starts with** - to include groups based on a naming prefix.

c. To include all groups, select **Matches regex** and enter: .\*

6. Click **Save** to apply the configuration.

### Configuration for Custom Authorization Server (Optional)

If you use a custom Authorization Server, additional configuration is required to include group claims.

### Access Authorization Server

1. In the **Okta Admin Console**, navigate to **Security > API > Authorization Servers**.
2. Perform one of the following actions:

- Select an existing Authorization Server, or
- Click **Add Authorization Server** to create a new one.

### Claims Configuration

1. Open the selected Authorization Server.
2. Navigate to the **Claims** tab.
3. Click **Add Claim**, and configure the following:

- **Name**: groups *(must be exactly "groups")*
- **Include in token type**: ID Token (Always)
- **Value type**: Groups

4. Under **Filter**, configure one of the following:

- Use an appropriate filter based on your group structure, or
- To include all groups, select **Matches regex** and enter: .\*

5. Under **Include in**, select **Any scope**.
6. Click **Create** to save the claim.
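To confirm the group claim set up in Group Claims Configuration or in the custom Authorization Server claim above, inspect an ID token from a test sign-in. This added example (not BIOVIA or Okta code) decodes the payload and reports a missing or misnamed `groups` claim and any groups the filter releases beyond what the application needs; the group names, the `Discoverant-` prefix and `sample_token` are constructed assumptions.

```python
import base64
import json
import re


def decode_payload(id_token):
    """Decode a JWT payload WITHOUT verifying the signature.
    For inspecting a token from your own test sign-in only."""
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT (expected three segments)")
    payload = segments[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_groups_claim(claims, expected_pattern):
    """Return findings about the group claim; an empty list means it looks
    right. expected_pattern is the reviewer's own regex for the groups the
    application should see (an assumption, matched with re.fullmatch)."""
    if "groups" not in claims:
        lookalikes = [k for k in claims if k.lower() == "groups"]
        if lookalikes:
            return [f"claim is named {lookalikes[0]!r}, not 'groups'"]
        return ["no 'groups' claim in the ID token"]
    groups = claims["groups"]
    if not isinstance(groups, list):
        return ["'groups' is not a list"]
    if not groups:
        return ["'groups' is empty"]
    extra = [g for g in groups
             if not isinstance(g, str) or not re.fullmatch(expected_pattern, g)]
    if extra:
        return [f"filter releases groups outside the expected set: {extra}"]
    return []


def sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"
```

A filter of `.*` places every group the user belongs to in the token, which this check surfaces as groups outside the expected set.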

### Access Policy Configuration

1. Navigate to the **Access Policies** tab for the selected Authorization Server.
2. Create a policy if one does not already exist.
3. Under the policy, click **Add rule**.
4. Configure the rule with the following settings:

- **Authorization Code** should be selected for **Grant type**.
- **Client Credentials** and **Device Authorization** grant types should be unselected.

5. Configure additional settings (such as user conditions, scopes, and token lifetime) based on your organizational requirements.
6. Click **Create rule** to save the configuration.

### Additional Notes

- Any settings not explicitly mentioned in this document may be left as default or configured as needed.
- Ensure consistency between configured values and your Discoverant environment.

## How to contact BIOVIA Support

If you have any questions, please contact [BIOVIA Support](https://www.3ds.com/support/).
