Authorization

Follow this guide to create a new Archibus (Eptura) credential that will allow Nexla to authenticate to and exchange data with your Archibus Web Central instance.

Archibus (Eptura)

Prerequisites

The Archibus (Eptura) connector authenticates to the Archibus Web Central REST API using a 2-legged OAuth 2.0 Client Credentials flow brokered by an external OpenID Connect (OIDC) identity provider — typically Okta or Microsoft Azure. Archibus Web Central does not issue its own API tokens; instead, it verifies signed JWT access tokens issued by your configured identity provider.

Before creating a credential in Nexla, complete the following setup steps on the Archibus and identity provider sides.

Archibus Web Central Configuration

Archibus Web Central must be configured to trust your OIDC identity provider before the REST API will accept access tokens.

  1. Log in to the Archibus Web Central server as an administrator with access to the configuration files.

  2. Open the /WEB-INF/config/oidc.properties file in your Web Central deployment.

  3. Populate the following properties using values from your identity provider:

    • oidc.audience: The audience claim that your identity provider issues for the Archibus application (e.g., the Authorization Server audience configured in Okta).

    • oidc.issuer: The issuer URL of your OIDC identity provider (e.g., https://yourorg.okta.com/oauth2/default).

    • oidc.jwksUrl: The URL of the identity provider's JSON Web Key Set, which Web Central uses to validate token signatures.

    • oidc.username.claim: The claim Web Central will use to map the token to an Archibus user (defaults to sub).

  4. Restart Web Central so the new OIDC configuration takes effect.

    Archibus Web Central does not accept unsigned tokens. Tokens must be signed with a key published in the configured JWKS endpoint and must include valid sub, iss, aud, and exp claims. For complete information, see the Archibus documentation on configuring Web Central to use the Okta Identity Provider.
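When Web Central rejects a token, the usual cause is a claim that does not line up with oidc.properties. The following is an added example, not code from Archibus, Okta or Nexla: a pre-flight check that compares a token's header and claims against the four properties above. The property values, the function names and the sample tokens are constructed for illustration, and the check does not verify the signature, which Web Central does itself against the JWKS.

```python
import base64
import json
import time

# Constructed oidc.properties content; every value is a placeholder.
SAMPLE_PROPERTIES = """\
oidc.audience=api://archibus-example
oidc.issuer=https://yourorg.okta.com/oauth2/default
oidc.jwksUrl=https://yourorg.okta.com/oauth2/default/v1/keys
oidc.username.claim=sub
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def segment(obj):  # builds constructed sample tokens only
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
def decode_segment(part):  # base64url without padding -> dict
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def preflight(token, props, now=None):
    """List claim problems against oidc.properties. Does NOT verify the signature."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    problems = []
    if str(header.get("alg", "none")).lower() == "none" or not parts[2]:
        problems.append("token is unsigned")
    if claims.get("iss") != props.get("oidc.issuer"):
        problems.append("iss does not match oidc.issuer")
    aud = claims.get("aud")
    if props.get("oidc.audience") not in (aud if isinstance(aud, list) else [aud or ""]):
        problems.append("aud does not match oidc.audience")
    for name in sorted({"sub", props.get("oidc.username.claim", "sub")}):
        if not claims.get(name):
            problems.append(f"missing {name} claim")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or in the past")
    return problems
```

An empty list from `preflight` means the claims agree with the configuration; it says nothing about whether the signing key is published at oidc.jwksUrl.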

Identity Provider (Okta) Configuration

The following steps describe how to create a Service App in Okta that will issue access tokens to Nexla. The general flow is similar for other OIDC providers such as Microsoft Azure.

  1. Sign in to the Okta Admin Console using an account with administrative privileges.

  2. Navigate to Applications > Applications, and click Create App Integration.

  3. Select API Services as the sign-in method, and click Next.

  4. Enter a descriptive name for the application (e.g., "Nexla – Archibus Integration"), and click Save.

  5. On the General tab of the new application, locate the Client Credentials section, and copy the Client ID and Client Secret values. These will be used in Nexla.

    Important

    Copy the Client Secret immediately and store it securely. Depending on your Okta configuration, the secret may not be retrievable after the application is first created.

  6. Confirm that the Client authentication setting is set to Client secret so that the application can use the OAuth 2.0 Client Credentials flow.

  7. Open the Okta API Scopes tab (or your custom Authorization Server in Security > API) and grant the scope that your Archibus deployment expects (commonly archibus). The scope value must match the value configured in your Archibus oidc.properties file.

  8. From your Okta Authorization Server, note the Token URL (e.g., https://yourorg.okta.com/oauth2/default/v1/token). This will be entered into Nexla as the OAuth2 Token URL.

    Additional details about creating a service application and configuring scopes are available in the Okta documentation for implementing OAuth for Okta with a service app.

Archibus Web Central Base URL

The base URL of your Archibus Web Central instance is required so that Nexla can compose REST API requests. The base URL follows the pattern https://<host>/<context>, where <context> is typically archibus for on-premises installs and may differ for SaaS deployments.

  • Confirm the base URL with your Archibus administrator (e.g., https://archibus.yourcompany.com/archibus). Do not include a trailing slash.

Create an Archibus (Eptura) Credential

  • To create a new Archibus (Eptura) credential, after selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

Credential Name & Description

  1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

    Resource descriptions are recommended but are not required. They should be used to provide information about the resource purpose, data freshness, etc. that can help the owner and other users efficiently understand and utilize the resource.

Archibus Connection Settings

  1. Enter the base URL of your Archibus Web Central instance in the Web Central Base URL field (e.g., https://archibus.yourcompany.com/archibus). This URL is the root of all REST API calls Nexla will make to your Archibus deployment.

  2. Enter the OAuth 2.0 token endpoint of your identity provider in the OAuth2 Token URL field (e.g., https://yourorg.okta.com/oauth2/default/v1/token). Nexla will exchange the client credentials for an access token at this endpoint before each call (or on token refresh).

  3. Enter the Client ID value copied from your Okta service application in the Client ID field.

  4. Enter the Client Secret value copied from your Okta service application in the Client Secret field. This value is encrypted at rest in Nexla.

    The Client Secret is treated as sensitive credential material. Rotate the secret in your identity provider on the cadence required by your organization's security policies, and update the corresponding Nexla credential whenever it is rotated.

  5. Enter the OAuth 2.0 scope(s) required by your Archibus deployment in the OAuth2 Scopes field as a space-separated list. The default value is archibus, which matches the scope name commonly created in Okta. Adjust this value to match the exact scope(s) configured in your authorization server.
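To confirm the Okta service app works before saving the credential, the token exchange can be reproduced outside Nexla. This added example is not Nexla's code: it checks the form values and builds the Client Credentials request that would go to the OAuth2 Token URL. The function names and sample client values are constructed, and the https check is this example's own rule rather than a documented Nexla requirement.

```python
import base64
import urllib.parse
import urllib.request

def check_settings(base_url, token_url, scopes):
    """Return problems with the form values; an empty list means they look sane."""
    problems = []
    for label, url in (("Web Central Base URL", base_url), ("OAuth2 Token URL", token_url)):
        parts = urllib.parse.urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{label} is not an absolute https URL")
    if base_url.endswith("/"):
        problems.append("Web Central Base URL has a trailing slash")
    if not scopes.split():
        problems.append("OAuth2 Scopes is empty")
    return problems

def build_token_request(token_url, client_id, client_secret, scopes="archibus"):
    """Build, without sending, the Client Credentials request for the token endpoint."""
    # Client authentication by secret, carried as HTTP Basic rather than in the body.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials", "scope": " ".join(scopes.split())}
    return urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )

# Constructed placeholder values; nothing here is a real credential.
SAMPLE_REQUEST = build_token_request(
    "https://yourorg.okta.com/oauth2/default/v1/token",
    "0oaCONSTRUCTEDID", "constructed-secret")
# To send it: json.load(urllib.request.urlopen(SAMPLE_REQUEST, timeout=10))["access_token"]
```

Keep the real Client Secret out of shell history and source files when running this; read it from a secrets manager or an environment variable.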

Save the Credential

  1. Once all of the relevant steps in the above sections have been completed, click the Save button at the bottom of the overlay to save the configured credential. Nexla will perform a test request against the Archibus Web Central API to verify that the credential is configured correctly.

  2. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.