Adding an Authentication "First Broker Login" Flow for SAML Provider

Create an Aerobase authentication flow for the Single Sign-On workflow with the Okta identity provider. This "First Broker Login" flow decides what happens the first time an Okta-authenticated user reaches Aerobase: a new local account is created if the identity is unique; otherwise the user must confirm the link to the existing local account and prove ownership of it (by email verification or by re-authenticating with the local password, plus OTP if one is configured) before the Okta identity is linked to it.

To add an Authentication Flow, First Broker Login:

  1. Access the Aerobase Admin page, using the URL http://[FQDN or IP]/auth/admin/kryon/console/#/realms/kryon

  2. Go to Authentication (under Configure on the left pane)

  3. Go to the Flow tab

  4. On the right side of the page, click New

  5. Create a flow with the name, First Broker Login

  6. Click Save

  7. Add a new flow named "User Creation Or Linking"

    1. Click the Add flow button in the upper right-hand corner of the screen

    2. Type the value "User Creation Or Linking" for Alias and click Save

    3. Assign the requirement to REQUIRED

  8. Add a new execution under the flow "User Creation Or Linking"

    1. Navigate to the second step from the top ("User Creation Or Linking") → Actions → Add execution

    2. Set the value of Provider to Create User if Unique and click Save

    3. Assign the requirement to ALTERNATIVE

    4. Under Actions, click Config; the Create Authenticator Config dialog opens

    5. Type the value "Create Unique User Config" for Alias and click Save

  9. Add a new flow under the flow "User Creation Or Linking"

    1. Navigate to the second step from the top ("User Creation Or Linking") → Actions → Add flow

    2. Type the value “Handle Existing Account 2” for Alias and click Save

    3. Assign the requirement to ALTERNATIVE

  10. Add a new execution under the flow "Handle Existing Account 2"

    1. Navigate to the fourth step from the top ("Handle Existing Account 2") → Actions → Add execution

    2. Set the value of Provider to Confirm Link Existing Account and click Save

    3. Assign the requirement to REQUIRED

  11. Add a new flow under the flow "Handle Existing Account 2"

    1. Navigate to the fourth step from the top ("Handle Existing Account 2") → Actions → Add flow

    2. Type the value “Account Verification Options” for Alias and click Save

    3. Assign the requirement to REQUIRED

  12. Add a new execution under the flow "Account Verification Options"

    1. Navigate to the sixth step from the top ("Account Verification Options") → Actions → Add execution

    2. Set the value of Provider to Verify Existing Account by Email and click Save

    3. Assign the requirement to ALTERNATIVE

  13. Add a new flow under the flow "Account Verification Options"

    1. Navigate to the sixth step from the top ("Account Verification Options") → Actions → Add flow

    2. Type the value "Verify Existing Account by Re-authentication" for Alias and click Save

    3. Assign the requirement to ALTERNATIVE

  14. Add a new execution under the flow "Verify Existing Account by Re-authentication"

    1. Navigate to the eighth step from the top ("Verify Existing Account by Re-authentication") → Actions → Add execution

    2. Set the value of Provider to Username Password Form for Identity Provider Re-authentication and click Save

    3. Assign the requirement to REQUIRED

  15. Add a new flow under the flow "Verify Existing Account by Re-authentication"

    1. Navigate to the eighth step from the top ("Verify Existing Account by Re-authentication") → Actions → Add flow

    2. Type the value "First Broker Login - Conditional OTP" for Alias and click Save

    3. Assign the requirement to CONDITIONAL

  16. Add a new execution under the flow "First Broker Login - Conditional OTP"

    1. Navigate to the tenth step from the top ("First Broker Login - Conditional OTP") → Actions → Add execution

    2. Set the value of Provider to Condition - User Configured and click Save

    3. Assign the requirement to REQUIRED

  17. Add a second execution under the flow "First Broker Login - Conditional OTP"

    1. Navigate to the tenth step from the top ("First Broker Login - Conditional OTP") → Actions → Add execution

    2. Set the value of Provider to OTP Form and click Save

    3. Assign the requirement to REQUIRED

The Authentication Flow is now complete. When viewed in the Flows tab, its structure should match the following outline (requirement in parentheses):

  First Broker Login
    User Creation Or Linking (REQUIRED)
      Create User if Unique (ALTERNATIVE)
      Handle Existing Account 2 (ALTERNATIVE)
        Confirm Link Existing Account (REQUIRED)
        Account Verification Options (REQUIRED)
          Verify Existing Account by Email (ALTERNATIVE)
          Verify Existing Account by Re-authentication (ALTERNATIVE)
            Username Password Form for Identity Provider Re-authentication (REQUIRED)
            First Broker Login - Conditional OTP (CONDITIONAL)
              Condition - User Configured (REQUIRED)
              OTP Form (REQUIRED)
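To see why the requirement flags matter, the following added example (it is not Aerobase or Keycloak code and not part of the original guide) models the flow built in the steps above and evaluates it against a few constructed brokered logins. The `Ctx` record, the behaviour of each named provider, and the evaluation rules are simplifying assumptions: REQUIRED steps must all succeed, ALTERNATIVE steps are tried in order until one succeeds, a CONDITIONAL sub-flow is skipped when its condition fails, and "Verify Existing Account by Email" falls through when the realm cannot send mail. The scenarios show that a new Okta identity is created as a local user, while an identity whose email matches an existing local account is only linked after proof of ownership.

```python
"""Added example: a simplified model of how REQUIRED / ALTERNATIVE /
CONDITIONAL requirements evaluate the First Broker Login tree above.
All provider behaviours and the Ctx state are constructed assumptions,
not the broker's real implementation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

SUCCESS, ATTEMPTED, FAILED = "success", "attempted", "failed"


@dataclass
class Ctx:
    """Constructed state for one brokered login (assumed fields)."""
    email: str                      # email asserted by Okta for the user
    local_users: Dict[str, dict]    # existing local accounts: email -> {"otp": bool}
    smtp_configured: bool           # can the realm send a verification mail?
    password_ok: bool               # does the user know the local password?
    otp_ok: bool = True             # does the user pass the OTP form?
    trace: List[str] = field(default_factory=list)


@dataclass
class Exec:
    name: str
    requirement: str
    run: Callable[[Ctx], str]
    condition: bool = False         # True for "Condition - ..." executions


@dataclass
class Flow:
    name: str
    requirement: str
    steps: List[Union["Flow", Exec]]


# --- simplified behaviours of the providers named in the steps ---
def create_user_if_unique(c: Ctx) -> str:
    if c.email in c.local_users:
        c.trace.append("existing account found, not creating")
        return ATTEMPTED            # lets the ALTERNATIVE sibling run instead
    c.local_users[c.email] = {"otp": False}
    c.trace.append("created new user")
    return SUCCESS


def confirm_link(c: Ctx) -> str:
    c.trace.append("user confirmed link to existing account")
    return SUCCESS


def verify_by_email(c: Ctx) -> str:
    if not c.smtp_configured:
        return ATTEMPTED            # cannot send mail: fall through to re-authentication
    c.trace.append("ownership proved via email link")
    return SUCCESS


def password_form(c: Ctx) -> str:
    c.trace.append("re-authentication " + ("ok" if c.password_ok else "failed"))
    return SUCCESS if c.password_ok else FAILED


def user_has_otp(c: Ctx) -> str:
    return SUCCESS if c.local_users.get(c.email, {}).get("otp") else ATTEMPTED


def otp_form(c: Ctx) -> str:
    return SUCCESS if c.otp_ok else FAILED


def first_broker_login() -> Flow:
    """The tree from the numbered steps above, same aliases and requirements."""
    conditional_otp = Flow("First Broker Login - Conditional OTP", "CONDITIONAL", [
        Exec("Condition - User Configured", "REQUIRED", user_has_otp, condition=True),
        Exec("OTP Form", "REQUIRED", otp_form)])
    reauth = Flow("Verify Existing Account by Re-authentication", "ALTERNATIVE", [
        Exec("Username Password Form for Identity Provider Re-authentication",
             "REQUIRED", password_form),
        conditional_otp])
    verification = Flow("Account Verification Options", "REQUIRED", [
        Exec("Verify Existing Account by Email", "ALTERNATIVE", verify_by_email),
        reauth])
    existing = Flow("Handle Existing Account 2", "ALTERNATIVE", [
        Exec("Confirm Link Existing Account", "REQUIRED", confirm_link),
        verification])
    linking = Flow("User Creation Or Linking", "REQUIRED", [
        Exec("Create User if Unique", "ALTERNATIVE", create_user_if_unique),
        existing])
    return Flow("First Broker Login", "REQUIRED", [linking])


def evaluate(node: Union[Flow, Exec], c: Ctx) -> str:
    """Assumed rules: REQUIRED steps all must pass; otherwise the first
    ALTERNATIVE to pass wins; a CONDITIONAL sub-flow is skipped if its
    condition executions do not all pass."""
    if isinstance(node, Exec):
        return node.run(c)
    conditions = [s for s in node.steps if isinstance(s, Exec) and s.condition]
    steps = [s for s in node.steps if not (isinstance(s, Exec) and s.condition)]
    if node.requirement == "CONDITIONAL" and not all(s.run(c) == SUCCESS for s in conditions):
        c.trace.append(f"{node.name}: condition not met, sub-flow skipped")
        return SUCCESS                  # a skipped conditional sub-flow imposes nothing
    required = [s for s in steps if s.requirement in ("REQUIRED", "CONDITIONAL")]
    if required:
        for s in required:
            r = evaluate(s, c)
            if r != SUCCESS:
                return r
        return SUCCESS
    for s in steps:
        if s.requirement == "ALTERNATIVE":
            r = evaluate(s, c)
            if r != ATTEMPTED:
                return r
    return ATTEMPTED


def broker_login(c: Ctx) -> str:
    """Outcome of the whole first-broker-login flow for one constructed login."""
    return evaluate(first_broker_login(), c)


if __name__ == "__main__":
    # Constructed scenario: Okta asserts an email that matches an existing local
    # account, mail is not configured and the user does not know the local password.
    ctx = Ctx("alice@example.com", {"alice@example.com": {"otp": False}},
              smtp_configured=False, password_ok=False)
    print(broker_login(ctx), ctx.trace)
```

The last scenario is the one the Confirm Link and verification steps exist for: an identity provider asserting an email that matches an existing local account is not linked to it until the user proves ownership, so the flow ends in `failed` and the account stays unlinked.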

Linking the Authentication Flow to OKTA SAML

Once the authentication flow is defined as described above, link it to the Okta identity provider so that it is used as that provider's First Login Flow.

To link the authentication flow to the Okta identity provider:

  1. Go to Identity Providers (under Configure on the left pane) and open the Okta SAML identity provider

  2. In the Settings tab, under First Login Flow, select the new flow that was created, First Broker Login, and save the provider settings