Skip to content

Okta

Okta is most easily integrated via OpenID Connect. Okta doesn't include groups as a claim in the id_token, you need to get it from the user_info endpoint. You'll need:

  1. client secret
  2. client id
  3. issuer

This guide will take you step-by-step through configuring Okta and OpenUnison to enable SSO for your cluster.

Configuring Okta

First, login to your Okta dashboard and click on SSO Apps:

Okta Main Page

Next, click on Create Application:

Okta Applications

The screen will grey-out with a "popup" asking you what kind of application you want to create. Choose OIDC - OpenID Connect for Sign-in method and Web Application for Application type:

Okta New Application

The next screen will let you name your application and provide a logo. It will also ask for the callback URL for OpenUnison. This step is used to ensure that no one tries to force Okta to redirect your authentication to an attacker. The URL will be the value of https://network.openunison_host/auth/oidc, where network.openunison_host comes from your values.yaml. Since our demo network.openunison_host is k8sou.apps.ou.tremolo.dev, the Sign-in redirect URIs is https://k8sou.apps.ou.tremolo.dev/auth/oidc. At the bottom of the form you can specify which groups have access to this application. For simplicty we specified Allow everyone in your organization to access:

Okta Application Configuration

Once you click Save, you'll be brought to the final application configuration screen which will have the data you need to configure OpenUnison. There's one last step though, Okta needs to be configured to send groups to OpenUnison so they can be used in RoleBinding and ClusterRolebinding objects in your cluster. On this screen, click on Sign On (it's on the top of the screen), then in the bottom box click Edit next to the OpenID Connect ID Token header. Next to Groups claims filter change the dropdown that says Starts With to Matches regex and put .* in the text box next to it. Click Save to finish the configuration. This will send all groups the user is a member of in your Okta domain to OpenUnison. You can come back and configure this later to limit groups that are related to your Kubernetes clusters.

Okta Application Configuration

With groups configured, you can click on the General tab near the top and finish the OpenUnison configuration.

Configuring OpenUnison

In Okta, navigate to your application if you aren't already there. You can get the data you need from the screen:

OpenUnison Field Configuration Type Okta Section Okta Field
oidc.client_id helm values.yaml Client Credentials Client ID
oidc.issuer helm values.yaml General Settings Okta Domain
OIDC_CLIENT_SECRET orchestra-secrets-source Secret Client Credentials Client secret

Okta Application

The above diagram highlights where to get this information from. Use your Okta Domain in the URL for your issuer (don't forget the https://!).

oidc:
  client_id: XXXXXXXXXX
  issuer: https://yyyyyy.okta.com/
  user_in_idtoken: false
  domain: ""
  scopes: openid email profile groups
  claims:
    sub: sub
    email: email
    given_name: given_name
    family_name: family_name
    display_name: name
    groups: groups

Finally, store the client secret in a file and complete the portal deployment.

Manual Deployment

If using a manual deployment, update the orchestra-secrets-source with your OIDC_CLIENT_SECRET and updated the oidc section of your values.yaml, you can continue with the Deploy the Portal step.

Namespace as a Service

The Namespace as a Service portal supports looking up groups in Okta when working with external group management.

Other Resources

See our blog post on Okta and Kubernetes integration.