Using Okta for backend authentication

Scott Forsyth Dynamicweb Employee

Hello,

Is Okta confirmed as supported for logging into the backend? I can use it for frontend authentication, but when trying to use it for the backend, I get an error "Incorrect username or password". 

The steps that I've taken are:

  1. Log into the frontend so that the user is created and has an external login
  2. I can confirm that I can log in again multiple times with that user, to the frontend
  3. I edit the user and make it an administrator
  4. When logging into the backend, I receive the error "Incorrect username or password"

This is with the built-in Okta provider on 9.9.6.

Event viewer shows a warning message with:

  • Action: Authentication
  • Category: Security
  • Level: Warn
  • User Id: -1
  • User Name: System
  • Description: Login by {my okta account} failed - Auto login: False
  • Exception type and File log are empty

Replies

 
Nicolai Pedersen

Nope, that has not been confirmed. Will have it checked out...

 
Scott Forsyth Dynamicweb Employee

Thanks!

 
Oleg Rodionov Dynamicweb Employee

Hi Scott,

I've tested the case on an environment based on DW996 and was not able to catch the issue - proof. The results can be taken with either the 'Add user to group' or the 'User group from Okta' option in the provider settings. An SSL connection is used (it's a mandatory condition to use the provider on further releases).

BR, Oleg QA

 
Scott Forsyth Dynamicweb Employee

Hi Oleg,

Thanks for looking into this, and it's encouraging to know that it should work.

I'm getting different results than you. Do you have any suggestions on what I can look next? Here's what I see: https://www.dropbox.com/s/yeghb5x0lgeog3a/OktaBackend.MP4?dl=0

Scott

 
Oleg Rodionov Dynamicweb Employee
This post has been marked as an answer

Hi Scott,

Thanks for specifying. I was able to dig deeper. The issue seems to be reproduced if the user is initially created using the 'Create local account by showing the "Create new user" page' option in the provider settings. I've created TFS 89836 to fix the bug. You can try to use the other two options as a workaround; I was not able to catch the bug using them.

BR, Oleg QA 

Votes for this answer: 1
 
Scott Forsyth Dynamicweb Employee

Hi Oleg,

That sounds promising. I wasn't able to get it to work in my environment yet, but since you found something that is wrong, it sounds promising that there is a bug that will possibly fix this for me. I'll wait for that fix.

Thanks!

Scott

 

 
Alexey Tanchenko Dynamicweb Employee

Hi Scott,

I cannot reproduce your problem on my solution. The steps described by Oleg look more like a wrong use case, since he is using the form which allows changing the username and setting a password for the user. But it must never be possible, since it breaks the major idea of external auth - the username and some other data must always be retrieved from the external resource.

I do not see in your video how the user has been created, to make sure that you did not change his login data during user creation.

In your current OKTA configuration I see that you use 'Create local account by showing the "Create new user" page' option which is referenced to the page which just says that user was not created. This option should be used when you need to redirect to a page where user fills in some additional data (not related to login data) and completes the creation. You probably should change it to 'Add user to groups' option instead.

Also, I cannot use my own OKTA account on your solution for tests since it looks like you have custom changes in the OKTA provider code. My account always fails with the message "External login info object is null. Authentication failed.". It does not even try to redirect me to the OKTA auth page.

 
