SAS Viya Workbench requires an OpenID Connect compliant Identity Provider to authenticate users.

This article shows how to create an Okta App registration, and how to configure SAS Viya Workbench to use it.

The steps below can be performed after the tasks described in Starting with SAS Viya Workbench are completed, and an Administrator can access the SAS Viya Workbench Organization Administration page.

1) Configure a Domain

• Let's start the configuration by adding a domain. This is needed so that users can be directed to the Identity Provider that will be configured based on their email address.
• In the SAS Viya Workbench Organization Administration page, click New Domain.

• Add a domain for your organization so that SAS Viya Workbench can properly direct users to your Identity Provider based on the user's email address.

• Click OK.

2) Create an App.

• Log into the Okta portal as an Admin and create the application.
  • For more information, please see here: https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm
• Make sure you select OIDC - OpenID Connect as the Sign-in method and Web Application as the Application type.
• Provide the required details such as the app integration name and the app assignments (to control who will be able to use it).
  • Don't worry about configuring the redirect URIs for now - this will be done later.

3) Start creating the SSO connection.

• In the SAS Viya Workbench Organization Administration page, switch to the Authentication tab and click New SSO Connection.

4) Give the connection a meaningful name.

5) Configure credentials

• Client Id.

Okta Console	Workbench Organization Admin
Navigate to your App -> General -> Client Credentials and copy the Client ID value.	Paste it under Credentials -> Client id in the SAS Viya Workbench SSO connection configuration.

• Client Secret.

Okta Console	Workbench Organization Admin
Navigate to your App -> General -> CLIENT SECRETS. Generate a new secret if needed. Copy the secret's value.	Paste it under Credentials -> Client secret in the SAS Viya Workbench SSO connection configuration.

5) Configure the App for authentication.

• Go back to the SAS Viya Workbench SSO connection configuration page and click the copy button for the Login redirect URI:

• In the Okta Console, navigate to your App -> General Settings, and click Edit.

• Scroll down to LOGIN -> Sign-in redirect URIs, click + Add URI and paste the Redirect URI you copied above.

• Scroll down to Sign-out redirect URIs, click + Add URI.
• Paste the Redirect URI you copied above and append /logout_response to it.

• Save the changes.

6) Import the App configuration.

• Click Import from URL next to Configuration in the SAS Viya Workbench SSO connection configuration.

• Provide the OpenID Connect metadata document URL.

Okta	Workbench Organization Admin
Find your OpenID Connect Metadata URL.	Paste the URL and click Import.
This is typically  https://{yourOktaOrg}/.well-known/openid-configuration?client_id={your app client id}   For more information, please see here: https://developer.okta.com/docs/concepts/auth-servers/#discovery-endpoints-org-authorization-servers

• The OpenID Configuration should be populated based on the URL you provided.

• Scroll down towards the end of the JSON, and add the following config: "defaultScope":"openid profile email". Don't forget the comma before as this must be valid JSON.

7) Save the configuration.

• This is what your New SSO Connection dialog should look like. Click OK.

8 )Login as an Idp user.

• Logoff as the Organization Administrator user: Click the top right icon and then Sign out.
• Login as a user that exists in the App registration tenant.
• You will be redirected to Okta for authentication (if you are not already authenticated).
• The user will be presented the SAS Viya Workbench home page. This indicates a successful login.

That's it. Now users can start Using SAS Viya Workbench.