Okta authentication lets users sign in to your apps through Okta. It is similar to using an OpenID provider, but it also lets you use Okta-specific features such as group controls. For example, you may want to limit access to certain apps to the Sales Team and others to the Support Team. Using Okta as an authentication source allows this.

To set up authentication, there are three steps: setting up an Okta application, configuring AppSheet to allow Okta, and finally using Okta to log in.

Step 1: Create an Okta Application

First, create a Single Sign-On application for AppSheet inside the Okta console.

  • In the Application tab, click the "Add Application" button

  • Select the application type as "Web"

  • Set the Callback URLs to be 'https://www.appsheet.com/Account/ELC' and 'http://localhost:53519/Account/ELC'. 

  • Be sure to copy these exactly; capitalization is important. Note that the second callback URL, with localhost, is not strictly required. It is only necessary if you ask us to debug your application at some point in the future.

  • Optionally, add user groups that you would like AppSheet to have access to

  • Click Done to save

In the end, it should look similar to what is below, with a different Client ID and secret.

For more details on what each field means, see Okta's "Setting up an auth-code application".

To allow for Okta-specific API calls, such as listing groups, we'll need an API token. In the Okta console, go to the API tab and click the "Add Token" button. Follow the prompts and make sure to save your token somewhere, because it will only be shown once. In the end, you should have it listed similar to the screenshot below:

Without Providing an API Token

Providing an API Token simplifies the process by allowing group listings, but it is optional. If you'd rather not provide it, there are two possible workarounds:

  1. Configure Okta to allow for Group Claims. See Okta's article on how to Create a Groups Claim for Okta Mastered Groups. When configuring AppSheet, leave the "API Token" field empty when creating an authentication domain and manually type in the case-sensitive "Authentication Group" in the app editor.

  2. Create a separate Okta application with access only to specific group(s). In AppSheet, create a separate authentication domain for each Okta application. Leave the "API Token" field empty. In the app editor, specify the "Authentication Domain" corresponding to the desired group and leave the "Authentication Group" field empty so it defaults to "Everyone".
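
For workaround 1, the group name typed into the app editor has to match the groups claim exactly. The following is an added example (not AppSheet or Okta code) that decodes the payload of an ID token from your own test login and reports whether the name you plan to enter matches, differs only in capitalization, or is absent. The claim name `groups`, the helper names, and the sample token are assumptions constructed for the demonstration; the signature is not verified, so this is for inspection only.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(id_token: str) -> dict:
    # Inspection only: the signature is NOT verified here.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_group(id_token: str, configured_group: str, claim: str = "groups") -> str:
    """Return 'match', 'case-mismatch', 'not-member' or 'claim-missing'."""
    claims = token_claims(id_token)
    if claim not in claims:
        return "claim-missing"      # groups claim not present in the token
    groups = claims[claim]
    if isinstance(groups, str):     # tolerate a single-valued claim
        groups = [groups]
    if configured_group in groups:
        return "match"
    if configured_group.lower() in (g.lower() for g in groups):
        return "case-mismatch"      # same name, different capitalization
    return "not-member"


def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample token (assumed claim layout) for the demo.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


SAMPLE = make_sample_token({"sub": "user@example.com", "groups": ["Everyone", "Sales Team"]})

if __name__ == "__main__":
    for name in ("Sales Team", "sales team", "Support Team"):
        print(f"{name!r}: {check_group(SAMPLE, name)}")
```

A `claim-missing` result means the token carries no groups claim under the assumed name, and `case-mismatch` means the name exists in Okta but is capitalized differently from what was typed.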

Step 2: Configuring AppSheet

Add Okta as an Auth Provider.

  • Ensure your account has the Business plan so that you can use the "Company Domain Authorization" feature

  • Under the Integrations > Auth Domain tab, click the "Add Auth Domain" button

  • Select Okta from the list

Fill out the form, which requires four fields:

  • Client ID, Client Secret: from the Okta application settings

  • Domain: from the Okta console. It should look like https://dev-12345.okta.com

  • API Token: the token generated from the Okta API tab

Click "Authorize Access". Okta should be added to the list of authentication domains, and you now have the option to add it to your apps.

Open each app that you wish to add domain authentication to and go to Security > Domain Authentication. Select your newly created Okta domain as the "Authentication domain source" and select "Default" as the "Authentication domain". Under "Authentication group", the groups you set up in Okta should show up in the dropdown (or a text input if you didn't provide an API token). Select the group you want to give access to. In the screenshot above, only the Sales Team will have access to the app. Click Save.

It is important to note that, due to caching, adding a member to or removing a member from an Okta group takes up to 15 minutes to take effect.

Step 3: Log in using an Okta Group

Test the app, for example by going to Users > Links and copy-pasting that link. You should see Okta as one of the login options.

That's it! You should be able to log in as a member of the specified group.
