If you have configured a Power Pages website, chances are you will require external users to sign in before they can access certain information, such as their own support cases, invoices, etc. Along with page permissions, table permissions and web roles, you will also need to choose and configure an identity provider so that you can determine that the person signing in to the website is who they say they are.
Video version of this post:
No matter what authentication method is chosen, each logged in user will have a corresponding Dataverse contact record. This contact record is tied to web roles that will determine what access the user has within the website.
The contact record will also be linked to the identity provider that will facilitate the secure signing in to a website.
There are a couple of “out of the box” options that work without any extra configuration or setup: local authentication and Azure AD (Entra ID).
Local authentication is essentially your old-school username and password. The password is stored as an encrypted column in the contact table. This isn’t the best option for storing passwords, and all the maintenance (account setup, password resets, etc.) is managed 100% within Power Pages and the related tools. This particular option is NOT recommended for production websites.
Even though Azure AD has been renamed Entra ID, it still appears as Azure AD in Power Pages. Azure AD essentially allows a user who has authenticated on the same tenant as the Power Pages website to authenticate to the Power Pages site. This is useful for websites dedicated to internal business needs, but not ideal for external users, as they would need to be set up as guest users in your tenant’s Active Directory, I mean Entra ID directory… or whatever it’s called this week.
Power Pages also supports a number of other identity providers (such as Azure B2C) as well as social media accounts for authentication. Each of these requires you to configure the provider in Power Pages.
A non-Microsoft identity provider that is quite popular is OKTA. OKTA is an enterprise-grade identity management service that allows people to be connected to devices and services (including Power Pages).
I recently needed to configure this for a project and found there wasn’t a lot of resources available on how to do this for Power Pages. To set expectations, I am NOT an OKTA expert (I am fortunate to have access to some talented folks on my project team).
The following are essentially the steps I used to set up and configure OKTA as the identity provider for Power Pages.
You will first need to set up an OKTA account and create an application.
Navigate to the OKTA website and select Free Trial.
Select the Customer Identity Cloud and choose Start Building.
You will need to provide some basic information about your company to set up your OKTA admin account.
Once your account is set up and you have access, you need to create a new application specifically for your Power Pages website.
From the Applications side tab, select Applications and then choose Create Application.
You will be presented with a series of options; I chose ASP.NET (OWIN).
In the next screen, go to the Settings tab. Leave this open as you will need to refer to this to copy a series of settings.
Open up your website in the Power Pages design studio.
In the Configure identity provider section:
In the next section, you will need to fill in values from the OKTA application settings:
| Setting | Value |
|---|---|
| Authority | Copy the Domain setting from OKTA (make sure to add https://) |
| Client ID | Copy the Client ID setting from OKTA |
| Redirect URL | We will need this value later |
| Metadata address | Copy the Domain setting from OKTA, add https:// and append /.well-known/openid-configuration |
| Response type | Select code |
| Client secret | Copy the Client Secret from OKTA |
Select Save
Copy the Redirect URL, as we need to update the OKTA application with that value.
Navigate back to the OKTA portal and the application configuration.
In the Allowed Callback URLs paste in the redirect URL from your Power Pages configuration.
Select Save Changes
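Before testing the sign-in, it is worth checking that the values entered in Power Pages are consistent with what the OKTA application actually advertises. The script below is an added example, not part of the original post: it derives the Authority and Metadata address from the OKTA Domain the same way the table above does, then validates them against a discovery document and the Allowed Callback URLs. The domain, redirect URL and discovery document are constructed placeholders; in practice the document is what an HTTPS request to the Metadata address returns.

```python
"""Offline consistency check of the OIDC settings entered in Power Pages for an
OKTA application. Added example; all values below are constructed placeholders."""
import json
from urllib.parse import urlparse

# Constructed: replace with the Domain from the OKTA application's Settings tab
# and the Redirect URL that Power Pages generates after Save.
OKTA_DOMAIN = "example-tenant.okta.com"
POWER_PAGES_REDIRECT_URL = "https://yourportalname.powerappsportals.com/signin-okta"

# Constructed stand-in for the JSON served at the Metadata address.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://example-tenant.okta.com/",
    "authorization_endpoint": "https://example-tenant.okta.com/authorize",
    "token_endpoint": "https://example-tenant.okta.com/oauth/token",
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def build_settings(domain: str) -> dict:
    """Derive Authority and Metadata address as the post's table describes:
    the OKTA Domain with https:// prepended, plus the discovery path."""
    authority = "https://" + domain.removeprefix("https://").rstrip("/")
    return {
        "Authority": authority,
        "Metadata address": authority + "/.well-known/openid-configuration",
        "Response type": "code",
    }


def check_settings(settings: dict, discovery_json: str,
                   redirect_url: str, allowed_callbacks: list) -> list:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    doc = json.loads(discovery_json)
    # The issuer in the discovery document must match the Authority (trailing
    # slash aside); a mismatch makes ID token validation fail at sign-in.
    if doc["issuer"].rstrip("/") != settings["Authority"].rstrip("/"):
        problems.append(f"issuer {doc['issuer']} does not match Authority")
    if settings["Response type"] not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")
    if urlparse(redirect_url).scheme != "https":
        problems.append("Redirect URL must use https")
    # The Redirect URL copied from Power Pages must be registered verbatim as an
    # Allowed Callback URL in OKTA, otherwise the callback is rejected.
    if redirect_url not in allowed_callbacks:
        problems.append("Redirect URL is not in OKTA's Allowed Callback URLs")
    return problems
```

Run `check_settings(build_settings(OKTA_DOMAIN), DISCOVERY_DOC, POWER_PAGES_REDIRECT_URL, [POWER_PAGES_REDIRECT_URL])` and expect an empty list; a forgotten https:// on the Domain or a callback URL that differs by a single character shows up as a named problem.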
On your Power Pages sign in page, you should see the option to sign in with OKTA under the Sign in with an external account section.
You should be presented with an OKTA login page. Note that you can configure the look and feel (and set your own icon) in the OKTA application settings. You can also set up a new OKTA account from here.
You will then be redirected back to the website. The user will need to enter their email address again to link the newly created contact record to the OKTA account. This step is optional (configured using site settings); however, if an existing contact was invited, the email addresses will need to match.
The user will be redirected to the profile page to fill in the details.
The user can now access the Power Pages website using their OKTA credentials.
You can bypass the identity provider selection screen altogether by setting a specific provider as the default. If you have already signed in to another application or site using those credentials, you will be logged in automatically (single sign-on).
You can pre-create the contacts in Dataverse and set up the external authentication provider records if you have the contact data and the corresponding OKTA IDs. Existing OKTA users will then have immediate access and can skip the whole invitation process. This will be the topic of a future blog post/video.
Or you can still use the Power Pages invitation functionality to onboard existing users. You will need to direct them (usually via email) to:
https://<<yourportalname>>.powerappsportals.com/Register?returnUrl=%2FSessions%2F
They can redeem their invitation and will then be automatically redirected to the OKTA sign-in page, where they can sign in with an existing OKTA username or create a new one. Afterwards they will be redirected back to the profile page.
It is highly recommended to use an external identity provider for Power Pages user authentication. There are many options, both from Microsoft and other providers like OKTA.
If you have this as a customer requirement, I hope you find this post helpful.
Nick Doelman is a Microsoft MVP, podcaster, trainer, public speaker, competitive Powerlifter and is on summer vacation! Follow Nick on X at @readyxrm or LinkedIn. Listen to or watch the Power Platform Boost podcast with Nick and co-host Ulrikke Akerbæk every second week for news and updates from the Power Platform community.
Original Post https://readyxrm.blog/2024/07/25/power-pages-set-up-okta-as-an-identity-provider/