Overview

ePass Montana will be decommissioned on June 30, 2022.

What level of effort can agencies expect for implementing Okta?

As you work to implement Login.mt.gov (Okta), it is important that the developers are familiar with SAML authentication.  If your application is using a SAML solution (either a COTS product or ePass Montana), you should expect to spend approximately fifteen (15) hours of development work to implement Okta in an application.  Agencies should follow standard regression testing for verifying internal and external authentication after the implementation work has been completed.


ePass Montana to Okta Migration Best Practices

This guide is intended for individuals responsible for maintaining or configuring Service Provider applications to aid in migrating from ePass Montana to Okta in a way that preserves as much user access and history as possible. Every Service Provider application is different and for that reason this guide focuses on strategy and Okta-specific configuration examples. If it is not necessary to maintain any information from ePass Montana and users can just use their new Okta accounts, it is not necessary to use the strategies in this document.


Developers

A good starting place is https://developer.okta.com. There you can find Okta's documentation as well as sign up for a free developer account that will give you a sandbox for experimenting with the Okta platform.

Another great source of information can be found on the IT Pro Page: Okta Information

The two primary authentication protocols available for your applications are OpenID Connect (OAuth) and SAML. For new application development, we recommend using OpenID Connect. You can find the well-known endpoints for the Okta OpenID Connect/OAuth authorization server at https://developer.okta.com/docs/reference/api/oidc/
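For the OpenID Connect recommendation above, the following Python example (added here; it is not code from this guide or from Okta) validates a discovery document fetched from the well-known endpoint and then builds an authorization code request with PKCE, state and nonce. The issuer `https://login.example.gov/oauth2/default`, the client ID and the redirect URI are placeholder assumptions, and the same-host endpoint rule is an assumed local policy.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample of a discovery document; issuer and paths are placeholders.
SAMPLE_METADATA = {
    "issuer": "https://login.example.gov/oauth2/default",
    "authorization_endpoint": "https://login.example.gov/oauth2/default/v1/authorize",
    "token_endpoint": "https://login.example.gov/oauth2/default/v1/token",
    "jwks_uri": "https://login.example.gov/oauth2/default/v1/keys",
    "code_challenge_methods_supported": ["S256"],
}


def validate_metadata(meta, expected_issuer):
    """Accept discovery metadata only if it belongs to the configured issuer."""
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer does not match the configured value")
    host = urlsplit(expected_issuer).netloc
    # Assumed policy: every endpoint must be https on the issuer's own host.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        parts = urlsplit(meta.get(key, ""))
        if parts.scheme != "https" or parts.netloc != host:
            raise ValueError(f"{key} is not an https URL on {host}")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("S256 PKCE is not advertised")
    return meta


def build_authorize_url(meta, client_id, redirect_uri):
    """Return (url, values to keep in the user's session) for code flow + PKCE."""
    verifier = secrets.token_urlsafe(32)  # 43 characters, within the PKCE range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    saved = {"state": secrets.token_urlsafe(16),
             "nonce": secrets.token_urlsafe(16),
             "code_verifier": verifier}
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": saved["state"],
        "nonce": saved["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{meta['authorization_endpoint']}?{query}", saved
```

On the callback, compare the returned `state` with the saved value before exchanging the code, send `code_verifier` to the token endpoint, and check that the ID token's `nonce` and `iss` match what was saved and configured.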

We will have a ServiceNow form that the agency will fill out for an application registration into the Okta environments. We intend for SITSD to do the initial app registration and then delegate the "Application Administrator" role to the agency for any additional configuration changes and maintenance.

Public users will have an Okta account. They will log in to this account using either Okta credentials (UserID and password) or a third-party social identity provider (e.g. Facebook, Google, Microsoft). State employees and contractors will use their Active Directory credentials to log in to the Okta environment and applications.

Interface Requirements

Login-Example

The below code snippets rely on Bootstrap 4:

HTML

Login-HTML

CSS

        #okta-login a {
            color: #0090cb;
        }
        #okta-login a:hover {
            color: #0077B2;
        }
        #okta-login.login-wrapper {
            width: 300px;
            margin: 30px auto;
            text-align: center;
        }
        #okta-login .logo {
            width: 150px;
        }
        #okta-login {
            background-color: #3A5C81;
            border: solid 1px #14365B;
        }
        #okta-login .btn-danger {
            background: #7b1212;
            border: 1px solid #620000;
        }
        #okta-login .btn-danger:hover {
            background: #620000;
        }

Vertical Centering

When using Bootstrap 4, one way to achieve this is to add the CSS below to the body tag.

        html, body {
            height: 100%;
        }
        body {
            display: -ms-flexbox;
            display: flex;
            -ms-flex-align: center;
            align-items: center;
            padding: 30px 0;
        }

Alternate Display

Another display option would be to put the logo on a button that matches your application colors, like the below examples:

Custom Button HTML