
MärtenH.64512 (Customer) asked a question.

Okta Workflows oauth issues

Hi,

 

I'm having issues with setting up an API connector to connect Okta Workflows to Sailpoint's IdentityNow. IDN supports multiple OAuth methods and seemingly it should fit with what Workflows supports as well.

 

After setting up the API token in IDN, with the redirect URI specified here: https://help.okta.com/wf/en-us/Content/Topics/Workflows/function-reference/HTTP/http_authorization.htm and filling in the OAuth info, I've been unable to proceed any further. If I click on "Create", it opens a separate window that authenticates to IDN and then redirects to Workflows where I get a 404 not found response.

This is the address: https://transferwise.workflows.oktapreview.com/app/oauth/httpfunctions/[object%20Object]?scope=sp%3Ascopes%3Aall%20sp%3Ascopes%3Adefault&response_type=code&state=dHJhbnNmZXJ3aXNlLndvcmtmbG93cy5va3RhcHJldmlldy5jb206NDQzfDk5ZjZhZDA4LWQ0MTgtNDMyYS1hZGMxLWExNjljZDljMzBkMg%3D%3D&redirect_uri=https%3A%2F%2Foauth.workflows.oktapreview.com%2Foauth%2Fhttpfunctions%2Fcb&client_id=%5Bobject%20Object%5D where I end up.

 

I can't really tell what's going wrong since I don't have much visibility into what Workflows is attempting to do.

 

Any idea what I might be doing wrong?


  • TimL.58332 (Workflows)

    Take a look at the following article:

    https://support.okta.com/help/s/article/How-to-Authenticate-with-HTTP-Cards-Okta-Workflows?language=en_US

     

    Also note: Workflows only supports Authorization Code Flow. If it is another grant type, you would need to leverage "no auth" and build out the entire logic.

     

    Additionally, your mention of "Token" makes me think you are not trying to implement OAuth. A link to their auth documentation would be quite helpful.

  • I eventually managed to get an "invalid scopes" error (only visible in the URL) by hitting the Create button a multitude of times. Replaced scopes with sp:scopes:all and now I simply get a "Failed to create a connection" after the pop-up window disappears.

  • TimL.58332 (Workflows)

    So the key point in the linked article is the following. Those should be used as-is for the redirect URI (Depending on prod/preview org).

     

    Redirect URIs to connect to Okta Workflows Preview and Prod respectively: https://oauth.workflows.oktapreview.com/oauth/httpfunctions/cb and https://oauth.workflows.okta.com/oauth/httpfunctions/cb.

     

    The rest of the information should be derived from the vendor. For example the following link shows you where to get your authorize / token endpoints.

     

    https://developer.sailpoint.com/docs/authentication.html

     

    All that is left at that point is the client id/secret & scopes.

     

    Based on this:

    • sp:scopes:default - default scope
    • sp:scopes:all - access to all scopes

     

     

    Looks like "all" is the scope I would see if I could get working.

     

  • I set up another API client with the same settings as the previous one, same redirect URI and all - except I _only_ included AUTHORIZATION_CODE grant_type, previously I had included them all when testing.

     

    Not sure if that's what was going wrong last time but now it works.

     

    Thanks for the help and thinking along

This question is closed.
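
The points raised in this thread (Authorization Code flow only, the callback URI used as-is, scopes the client actually holds, a usable client id) can be checked on an authorization request URL before clicking "Create". The following is an added example, not code from the thread or from Okta; `checkAuthorizeUrl`, `allowedScopes` and the sample host and state value are assumptions made for illustration.

```javascript
// Callback URIs quoted in the thread (Workflows preview and production orgs).
const WORKFLOWS_CALLBACKS = [
  "https://oauth.workflows.oktapreview.com/oauth/httpfunctions/cb",
  "https://oauth.workflows.okta.com/oauth/httpfunctions/cb",
];

// Hypothetical helper: returns a list of findings for one authorization request URL.
// allowedScopes is an assumption: the scopes granted to the API client on the vendor side.
function checkAuthorizeUrl(rawUrl, allowedScopes) {
  const q = new URL(rawUrl).searchParams;
  const findings = [];

  // Workflows only supports the Authorization Code flow, so response_type must be "code".
  if (q.get("response_type") !== "code") {
    findings.push("response_type is not 'code'");
  }
  // The redirect URI is used as-is: exact string comparison, no prefix matching.
  if (!WORKFLOWS_CALLBACKS.includes(q.get("redirect_uri"))) {
    findings.push("redirect_uri is not a Workflows callback");
  }
  // "[object Object]" is what JavaScript yields when an object is converted
  // to a string, so it can never be a real client id.
  const clientId = q.get("client_id") || "";
  if (clientId === "" || clientId === "[object Object]") {
    findings.push("client_id is empty or a placeholder");
  }
  // state ties the callback to the request that started the flow.
  if (!q.get("state")) findings.push("state is missing");

  // Scopes are space-separated; report any the client was not granted.
  const requested = (q.get("scope") || "").split(" ").filter(Boolean);
  for (const s of requested) {
    if (!allowedScopes.includes(s)) findings.push(`scope not granted: ${s}`);
  }
  return findings;
}

// Constructed sample modelled on the URL in the question (host and state are made up).
const SAMPLE_URL =
  "https://tenant.example/oauth/authorize" +
  "?scope=sp%3Ascopes%3Aall%20sp%3Ascopes%3Adefault&response_type=code&state=c2FtcGxl" +
  "&redirect_uri=https%3A%2F%2Foauth.workflows.oktapreview.com%2Foauth%2Fhttpfunctions%2Fcb" +
  "&client_id=%5Bobject%20Object%5D";

console.log(checkAuthorizeUrl(SAMPLE_URL, ["sp:scopes:all"]));
```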