Okta Overview

MilMove has two domains set up with Okta - one that serves the testing applications and one that serves the production application.

Okta Testing Domain

https://test-milmove.okta.mil which serves the dev, exp, loadtest, demo, and stg environments.

Okta Production Domain

https://milmove.okta.mil which ONLY serves the prd environment.

In order for a customer, office, or admin user to log into MilMove, they MUST have an Okta account. If they do not have an Okta account, they will be denied access to the application and returned back to the /sign-in page and will not be allowed to access the MilMove application.

Getting an Okta account

Customers and Office/Admin users get Okta accounts in different ways. See below:

Customers

MilMove Customers can self-register. If they do not have an Okta account when creating a move, they can sign-up when MilMove sends them to Okta for authentication.

Office

MilMove Office users will not be able to self-register and will require an account to be created by an Okta Admin with a CSV file import by an Okta Admin. It is crucial to ensure that the office user's DoDID/EDIPI is accurate when being imported.

Admin

MilMove Admin users will not be able to self-register and will require an account to be created by an Okta Admin with a CSV file import or manual creation of the user by an Okta Admin. It is crucial to ensure that the office user's DoDID/EDIPI is accurate when being imported.

Authenticating with Okta

Customers and Office/Admin users have different authentication methods, meaning they can sign into Okta differently. See below:

Customers

MilMove Customers can sign in with two factors. Okta will allow for email, password, Okta Verify OTP or Push Notification, Google Authenticator, or they can sign in with their CAC but only if their profile contains their DoDID/EDIPI number.

Office

MilMove Office users will only be able to sign in with their Smart Card. This can be a CAC or PIV, but an Okta Admin will need to ensure that their DoDID/EDIPI number is up to date and accurate.

Admin

MilMove Office users will only be able to sign in with their Smart Card. This can be a CAC or PIV, but an Okta Admin will need to ensure that their DoDID/EDIPI number is up to date and accurate.

Okta Groups

When a user authenticates with Okta, there is an additional check that is done to allow access to an application. The user must be a part of the application's respective group in Okta. If the user is not a part of that group in Okta, then they will be denied access. When customers self-register they are automatically assigned to the respective Customer group, but Office & Admin users are assigned to their group during the CSV import. See the following groups in Okta and which applications they grant access to:

Okta groups matter

A user will not be allowed to access any Customer MilMove application if they are assigned to an Admin or Office group in Okta. In the rare case an office user will need to register as a customer, they will need to use a different email address and create a separate Okta account to access the Customer MilMove application.

Dev

https://test-milmove.okta.mil
'Dev - Customer' -> http://milmovelocal:3000
'Dev - Office' -> http://officelocal:3000
'Dev - Admin' -> http://adminlocal:3000

Exp

https://test-milmove.okta.mil
'Exp - Customer' -> https://my.exp.dp3.us/
'Exp - Office' -> https://office.exp.dp3.us/
'Exp - Admin' -> https://admin.exp.dp3.us/

Loadtest

https://test-milmove.okta.mil
'Exp - Customer' -> https://my.loadtest.dp3.us/
'Exp - Office' -> https://my.loadtest.dp3.us/
'Exp - Admin' -> https://my.loadtest.dp3.us/

Demo

https://test-milmove.okta.mil
'Exp - Customer' -> https://my.demo.dp3.us/
'Exp - Office' -> https://office.demo.dp3.us/
'Exp - Admin' -> https://admin.demo.dp3.us/

Staging

https://test-milmove.okta.mil
'Stage - Customer' -> https://my.stg.move.mil/
'Stage - Office' -> https://office.stg.move.mil/
'Stage - Admin' -> https://admin.stg.move.mil/

Prod

https://milmove.okta.mil
'MilMove - Customer' -> https://my.move.mil/
'MilMove - Office' -> https://office.move.mil/
'MilMove - Admin' -> https://admin.move.mil/

Successful Flow with Okta

A successful authentication with Okta for any user will look like this:

1. User goes to the MilMove application
2. User clicks the Accept Terms button and is directed to Okta to log in/register
3. If a customer, they sign in with their username in an email format and their two authenticating factors
   If an office/admin, they will click the Sign in with CAC/PIV box, select their certificate, and enter their PIN.
4. Okta will find the user based on their entered credentials
5. Okta will make sure that they are assigned to the group that allows access to the application they were directed from
6. If they are, they'll send them back to MilMove successfully where they can access the MilMove application

If there are any issues during these steps, you can find some troubleshooting help HERE