This tutorial demonstrates how to integrate Criipto Verify with Okta. The following steps are required to complete your first login:
In the following you will be configuring first Criipto Verify, then Okta. Once configured you may test that everything works from Okta.
The setup requires a bit of switching back-and-forth between Criipto and Okta's respective management dashboards, so we recommend that you have them open simultaneously to make the process really smooth.
Before you get started, you will need the following information:
https://your-company-name.okta.com/oauth2/v1/authorize/callback, but check your Okta settings to make sure. We have used criipto-samples as a replacement for your-company-name in this tutorial.
post_logout_redirect_url for your Okta tenant.
First, you must register your Okta tenant as an application in Criipto Verify.
Once you register your Okta tenant, you will also need some of the information for configuring Okta to communicate with Criipto Verify. You get these details from the settings of the application in the dashboard.
Specifically you need the following information to integrate with Okta:
If you plan on using single sign-on, you must also register your Okta post_logout_redirect_url here so you can run single-logouts.
If you are registering a new application, you must first save the configuration.
Once you have a saved application registration you may configure the OAuth2 code flow.
Open the application registration and configure it for the right OAuth2 flow:
plainJson to enable retrieval of plain JSON user information from the
Note that this is the only time you will be shown the actual value of the client secret. Criipto only stores this as a hashed value, which means you cannot retrieve the value once it has been generated and stored.
Some libraries do not support the final userinfo request. In those cases you will need to fetch the user data directly from the token endpoint as opposed to the userinfo endpoint. Do this by choosing the appropriate option as shown below.
You may configure Criipto Verify to retrieve the user information from either the userinfo endpoint - the default option - or you may explicitly choose the fromTokenEndpoint in the user info response strategy instead:
Make sure you are in Classic UI mode, and click on the Security -> Identity Providers item. Then click on the Add Identity Provider button and select OIDC for protocol.
Add OpenID Connect IdP
Fill in the form with values for your Criipto Verify application, similar to the following example
Given the values above, and assuming that your Criipto Verify domain is acme-corp.criipto.id, you must add
urn:criipto:verify (if you have set a different value in your Criipto Verify Client ID/Realm, use that value instead here - they must match)
OAuth code flow setup
The Name is entirely up to you, and you don't have to specify the optional Userinfo endpoint, provided that you configure your Criipto Verify application to use fromTokenEndpoint in the User info response strategy dropdown.
This setup assumes you are looking to authenticate your users with basic mode. If you have other needs, replace the value of the acr_values parameter in the Authorization endpoint, or set up several Identity Providers in your Okta tenant - see below for a list of all supported values.
Criipto Verify supports a range of country and bank specific e-ID services. They are all accessed through the same endpoints, e.g.
To pick the login method you must set the acr_values parameter on the authentication request in order to choose the type of authentication you want. How you set this query string parameter varies with programming platform and your OpenID Connect library of choice.
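Setting acr_values on an authorization endpoint URL (such as the one entered in the Okta form) and checking afterwards that the ID token's acr claim reports a requested method, as an added example that is not Criipto's or Okta's own code. The function names are hypothetical, and the /oauth2/authorize path and the urn:example:acr:placeholder value are constructed placeholders; take the real endpoint and acr value from your Criipto Verify application settings.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def with_acr_values(authorize_endpoint, acr_values):
    """Return the endpoint URL with acr_values set, replacing any existing one."""
    parts = urlsplit(authorize_endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("authorization endpoint must be an absolute https URL")
    if not acr_values:
        raise ValueError("at least one acr value is required")
    for value in acr_values:
        # acr_values is a space-separated list, so a single value
        # must be non-empty and free of whitespace.
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"invalid acr value: {value!r}")
    # Keep every other query parameter; drop a stale acr_values.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "acr_values"]
    query.append(("acr_values", " ".join(acr_values)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def acr_matches(id_token_claims, requested):
    """True only if the ID token's acr claim is one of the requested values.

    Assumes the token signature, issuer and audience were already validated.
    """
    acr = id_token_claims.get("acr")
    return isinstance(acr, str) and acr in requested


if __name__ == "__main__":
    # Constructed sample values: placeholder path and acr value.
    endpoint = "https://acme-corp.criipto.id/oauth2/authorize?acr_values=old"
    wanted = ["urn:example:acr:placeholder"]
    print(with_acr_values(endpoint, wanted))
    print(acr_matches({"acr": "urn:example:acr:placeholder"}, wanted))
    print(acr_matches({"sub": "constructed-user"}, wanted))  # no acr claim
```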
The current list of possible values is:
|Mobile or Web (user choice):|
|Norwegian Vipps Login|
|Login with Vipps app:|
|All options (user chooses):|
|Another device (aka mobile):|
|Personal with code card:|
|Employee with code card:|
|Employee with code file:|
|Mobile certificate (Mobiilivarmenne):|
|Both of the above:|
|Sofort (with Schufa check)|
You can find more details here
Almost all e-ID types have a notion of test users and real users.
Real users are real people logging in to a web site, thus volunteering their real name and typically also a social security number, SSN.
Test users are either created by you for the occasion, or we provide you with access to already created test users.
You may read more in the section on e-IDs
How to integrate your application with Okta depends on the technology you are working with. Refer to the Okta developer documentation for more details.