Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry Enterprise ID
  3. BlackBerry Enterprise Identity Administration Guide
  4. Using authenticator level ranking and authentication policies to manage security
  5. Allowing users to authenticate with Okta
  6. Create an Okta app

Create an
Okta
 app

Your
Okta
 instance must have a connection to
Microsoft Active Directory
, and your users must be imported into
Okta
. For instructions see, ad-agent-main.htm
  1. Log in to the
    Okta
     administration console.
  2. Create a security token.
    1. Click
      Security
       >
      API
       >
      Tokens
      .
    2. Click
      Create Token
      .
    3. Copy the token.
  3. Generate JWKS keys.
    2. Click the
      EC
       tab.
    3. In the
      Curve
       drop-down list, select
      P-521
      .
    4. In the
      Algorithm
       drop-down list, select
      ES521: ECDSA using P-521 and SHA-512
      .
    5. In the
      Key ID
       drop-down list, select
      SHA-256
      .
    6. Copy the Public and Private Keypair, Keypair Set, and Public Key.
      In the Public and Private Keypair Set, you must remove the
      "d":
       attribute because it is a private key.
  4. In a command prompt, use a CURL request to register an OIDC app with
    Okta
     and update the following fields in the JSON. Creating this type of app is not currently supported in the
    Okta
     console.
    • Verify that the Authorization SSWS value is the token that you created in step 2.
    • Replace the jwks keys with the keys from step 3.
    • Verify that the "d;" attribute has been removed.
    Your entry should be similar to the following.
    curl --request POST 'https://
    <oktaDomain>
    .okta.com/api/v1/apps/' \
--header 'Authorization: SSWS <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "oidc_client",
    "label": "BlackBerry Enterprise ID Client",
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
        "oauthClient": {
            "token_endpoint_auth_method": "private_key_jwt"
        }
    },
    "settings": {
        "oauthClient": {
            "redirect_uris": [
                "https://idp.blackberry.com/idp/externalIdpCb"
            ],
            "response_types": [
                "code"
            ],
            "grant_types": [
                "authorization_code"
            ],
            "application_type": "native",
            "jwks": {
                "keys": [
                    {
                        "kty": "EC",
                        "alg": "P-521",
                        "kid": "OJE1cjnUBHGXHtOiHc64gSO1xxNzhoe9sRorb2CCKgU",
                        "x": "AV4Ljfyl2eCoP1oyO_U3047BTprKxuwlUm57p7FsQJFMtW
                         1Xks7j8IQe4H0S8tNpd21Q_2NcKiJg5gjWKs0H3Oh6",
                        "y": "AIWYPJ-c1UWEWQXO4Zkl3TKCPxCiAqv7ju_vJsO0Jye7zC
                         1SzqAFbfIzCRRq_MJJJfmw2ZbfgtvHmG28avR1O287",
                        "alg": "ES512"
                    }
                ]
            }
        }
    }
}'
    For information about the JSON specification, see .
  5. View your app in the
    Okta
     console and copy the
    Client ID
    .
  6. Assign the app to users. For instructions, see lcm-user-app-assign.htm.
  7. To set up
    Okta
     ID claims, go to
    Security
     >
    API
     >
    Authorization server
     and select your authorization server.
  8. On the
    Claims
     tab, click
    Add claims
     and add a claim with the following values:
    1. Name
      : object_guid
    2. Include in token type
      : ID Token, Always
    3. Value type
      : Expression
    4. Value
      : findDirectoryUser().externalId
  9. Click
    Create
    .