When Okta SSO is enabled, Desktop, Web and iOS users see an additional "Login with OKTA" button on the farmerswife login screens.
On clicking "Login with OKTA", they are redirected to Okta to complete the authentication process (including MFA if configured), and then redirected back to farmerswife on success or failure.
Security controls such as Multi-Factor Authentication (MFA) and session policies are enforced by the Okta settings, not by farmerswife.
Note: The SSO supports authentication only, not user provisioning or authorisation.
All farmerswife users must have been pre-created in farmerswife before they can authenticate using Okta.
For any questions related to Okta configuration, we strongly recommend referring to the official Okta documentation.
First, we will cover the configuration on OKTA, followed by the configuration of the farmerswife server to connect with OKTA, and some specific instructions needed for the farmerswife iOS app.
Note: If your system is cloud hosted, the farmerswife support team will configure the farmerswife server side described in Step 2.
- Step 1: Configure the Integration on the OKTA side
- Step 2: Configuring the farmerswife Server to use OKTA SSO
- Note: OKTA SSO for farmerswife iOS App users
Step 1: Configure the Integration on the OKTA side
To begin, you’ll need to create an application in Okta. This process is essential to establish a trust relationship between the Service Provider (farmerswife) and the Identity Provider (Okta).
For more detailed information, you can refer to the official Okta documentation:
https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm
In summary, the steps are:
- In the OKTA Admin Console, go to Applications > Applications.
- Click Create App Integration.
- Select OIDC - OpenID Connect as the sign-in method.
- Choose the type of app to integrate with Okta: Web Application
- Click Next
At this point, your OIDC application is created, but not yet fully configured.
You'll need to provide a Sign-in redirect URL. This is the endpoint where Okta sends the authentication response (the authorization code) after a successful sign-in; farmerswife then exchanges that code for the ID token, which is the proof that you have been authenticated.
The URL must follow this format:
https://{{fw-server-app-URL}}:{ApiPort}/oidc/callback
Replace {{fw-server-app-URL}} with the URL of your actual farmerswife environment. If your system is cloud hosted this will be an address starting with api..., please contact the support@farmerswife.com team to confirm it. Okta only accepts redirect URLs that match this value exactly (scheme, host, port and path), so enter it exactly as it will be used.
- Click Save
Once the application is created, copy and securely store the following credentials from the Okta Admin Console:
- Client ID
- Client Secret
Also copy and save the following URLs, in the corresponding format based on your Okta account (replace <OKTA_DOMAIN> with your Okta org domain). Note that each endpoint has its own path; only the Auth URL ends in /v1/authorize:
- Issuer URL
https://<OKTA_DOMAIN>/oauth2/default
- Auth URL
https://<OKTA_DOMAIN>/oauth2/default/v1/authorize
- Token URL
https://<OKTA_DOMAIN>/oauth2/default/v1/token
- UserInfo URL
https://<OKTA_DOMAIN>/oauth2/default/v1/userinfo
You can confirm all of these values for your org by opening https://<OKTA_DOMAIN>/oauth2/default/.well-known/openid-configuration in a browser.
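The following is an added example, not farmerswife or Okta code, that walks through what happens between the "Login with Okta" click and the redirect back to /oidc/callback: deriving the four endpoint URLs from the Issuer URL, building the authorization request (with state, nonce and PKCE), checking the callback, and validating the ID token claims before mapping the Okta email to the farmerswife Username. The Okta domain, Client ID, redirect URL and the ID token claims are assumed placeholders; a real relying party must also verify the token's RS256 signature against the JWKS endpoint, which is out of scope here.

```python
"""Added example: the OIDC authorization-code flow behind "Login with Okta".
Not farmerswife or Okta code; all identifiers below are assumed placeholders."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration only.
OKTA_DOMAIN = "dev-000000.okta.com"
ISSUER = f"https://{OKTA_DOMAIN}/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "https://fw.example.com:22000/oidc/callback"


def okta_endpoints(issuer: str) -> dict:
    """Endpoints of an Okta custom authorization server, derived from the Issuer URL.
    Each endpoint has its own path; only the Auth URL ends in /v1/authorize."""
    issuer = issuer.rstrip("/")
    return {
        "issuer": issuer,
        "discovery": f"{issuer}/.well-known/openid-configuration",
        "auth": f"{issuer}/v1/authorize",
        "token": f"{issuer}/v1/token",
        "userinfo": f"{issuer}/v1/userinfo",
        "jwks": f"{issuer}/v1/keys",
    }


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(issuer, client_id, redirect_uri, state, nonce, code_verifier):
    """The request farmerswife-style clients send the browser to. state binds the
    callback to this login attempt; nonce binds the ID token to it."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return okta_endpoints(issuer)["auth"] + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to /oidc/callback and return the authorization code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        # Access-policy problems surface here, e.g. error=access_denied with an
        # error_description mentioning no_matching_policy.
        raise PermissionError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "code" not in q:
        raise ValueError("callback carries neither code nor error")
    return q["code"][0]


def validate_id_token_claims(claims: dict, issuer: str, client_id: str, nonce: str, now=None) -> str:
    """Claim checks to perform after the RS256 signature has been verified against JWKS.
    Returns the Okta email, which must equal the user's farmerswife Username."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch: token was not issued by the configured Issuer URL")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("aud mismatch: token was issued for a different Client ID")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed or foreign ID token")
    email = claims.get("email") or claims.get("preferred_username")
    if not email:
        raise ValueError("no email claim: check that the access policy allows the email scope")
    return email


def problem(fn, *args, **kwargs):
    """Run a check and return its error message instead of raising (useful for logging)."""
    try:
        fn(*args, **kwargs)
        return None
    except (ValueError, PermissionError) as exc:
        return str(exc)


if __name__ == "__main__":
    state, nonce, verifier = (secrets.token_urlsafe(32) for _ in range(3))
    print(build_authorize_url(ISSUER, CLIENT_ID, REDIRECT_URI, state, nonce, verifier))
```

Because state and nonce are generated per login attempt and checked on the way back, a callback URL pasted from another session, or an ID token captured from another client, is rejected even though Okta issued it.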
- Access Policy for the Authorization Server
Okta does not issue tokens from an Authorization Server unless an access policy rule explicitly allows the client, the grant type and the requested scopes.
If no access policy rule matches the incoming token request, the flow fails with an error such as:
no_matching_policy
Context: default (Authorization Server)
This means there is no policy rule matching the OIDC request from farmerswife, so a rule must be added before logins can succeed.
To set up the access policy go to Security > API > Authorization Servers > default > Access Policies > Add New Access Policy > Add Rule
Rule configuration details:
- Applies to: All clients (or only the farmerswife app if you prefer to restrict it)
- Rule within the policy:
- Name: Allow all scopes
- Allowed Grant Types: Authorization Code (add others only if your implementation needs them)
- Users: All users (or the groups that should be able to log in to farmerswife)
- Allowed scopes: All requested scopes (openid, profile, email, offline_access)
- Token lifetimes: Default values (e.g., 1 hour for access tokens)
If you need to troubleshoot a login, go to:
Reports > System Log
There you can see the events on the Okta side, including errors and failed or successful logins, with the reason for each outcome.
Step 2: Configuring the farmerswife Server to use OKTA SSO
Option a) For farmerswife cloud-hosted systems
For farmerswife cloud-hosted systems, complete the necessary steps as outlined in Step 1 on your IdP.
Once done, send the information from the table below to your assigned farmerswife Product Specialist or support@farmerswife.com. Our support team will use this data to configure your system and will let you know when this is done. Treat the Client Secret as a credential and share it only through a channel you trust.
Option b) For self-hosted farmerswife systems
For self-hosted farmerswife systems, gather the information to complete the table so you have it on hand for the setup process.
Pre-requisites for farmerswife
Your farmerswife system needs to be running at least v6.8 Service Pack 1 (released 24th of August 2022).
- Domain Name
To enable this setup, the farmerswife Server application must be configured to use the optional server.cfg file (see the server.cfg documentation).
In this configuration file, the HTTP_HOME setting should point to your fully qualified domain name:
HTTP_HOME https://owndomainname.com
Additionally, within the farmerswife Server application, navigate to Setup > General and ensure the URL To Server field is populated with the fully qualified domain name (FQDN). This must be the same host that appears in the Sign-in redirect URL registered in Okta.
Configure farmerswife to use Okta SSO – OpenID Connect
You MUST use the exact information as provided in the table. Any deviation (a different path, a trailing slash, http instead of https) will cause the authentication process to fail.
Reminder: The "OpenID Connect" functionality in farmerswife does not support "syncing" users from Okta to farmerswife. It is designed for existing Advanced Users, Web Users and Contact type Resources to authenticate against Okta as the "OpenID Provider", so the users must already exist in farmerswife to be able to authenticate.
- Open your running farmerswife Server application.
- Navigate to: Setup > General > Users tab > "OpenID Connect" section.
- Change Enabled to Yes and complete the fields as described below, entering the Okta information from the table.
- Click OK, and exit the server setup to enable the service.
- Onboarding Okta users into farmerswife
Because no user syncing takes place, each Okta user must already exist in farmerswife as an Advanced User, Web User or Contact type Resource.
IMPORTANT: In the fw Client > Object Manager > Modify User window, the "Username" field must contain the email address registered on Okta for this user (username = email). This is the value farmerswife matches against the email claim returned by Okta.
The farmerswife "Email" field is NOT used for login and authentication; only the Username must match the Email in Okta.
The farmerswife user's "Password" field is also NOT used for the Okta integration, but it must be filled with a long, random, impossible-to-guess value (for example, a value generated by a password manager), so that the local password login cannot be used to bypass Okta and its MFA.
- Once the integration between Okta and farmerswife is set up, the user will see a "Login with Okta" button on the farmerswife Desktop Client, Web and MWC login screens.
The Okta login prompt will appear, requesting your Okta username and password (and MFA, if configured):
If the setup has been completed correctly, the redirect back to farmerswife logs you directly into the desktop.
You are in!
If you get an error at this stage, recheck all of the information entered in the farmerswife Server Setup section and confirm that the IdP settings on the Okta side (redirect URL, Client ID, Client Secret, URLs and access policy) are correct. The Okta System Log shows the reason for a failed attempt.
Note: OKTA SSO for farmerswife iOS App users
On your iOS device go to Settings > farmerswife and here ONLY configure your "SERVER" connection details using Address and Port (the API Port value). Please contact support@farmerswife.com if you don't know the connection details.
Keep the "Username" and "Password" fields empty.
When you then launch the iOS FW App, use the "Login with Okta" option:
- You will need to authenticate with your Okta credentials, and MFA as configured on Okta.
- You will then be redirected back to farmerswife.
You will be asked to allow the site to open the app; press Permit.
You are in!