Tags: security, keycloak, okta, idp, sso, auth
TABLE OF CONTENTS
Overview
This article describes configuration of Okta as an identity provider for Kublr control plane.
Pre-requisites
- Deployed Kublr Control Plane
- An Okta account with administrative credentials
Preparation
- Pick a name for Kublr KCP Identity Broker within Okta.
We will use "Kublr KCP" in this article, but you can choose a different name.
If you have several Kublr control plane installations for which you want to setup SSO via Okta, different names will need to be used. - Pick an alias and optionally a display name for Okta IdP within Kublr KCP identity provider.
We will refer to it as {okta-idp-alias} in this document.
oktaoidc alias will be used in the screenshots in this document. - Make sure that you have Kublr KCP base URL configured and accessible from your local machine.
The hostname of the KCP base URL will be used in this document and will be referred to as {kcp-hostname}.
So for example if your KCP is running on https://my-kcp.my-org.com URL, then your {kcp-hostname} will be my-kcp.my-org.com - Make sure that you have your organization Okta base URL configured and accessible from your local machine.
The hostname of the Okta base URL will be used in this document and will be referred to as {okta-hostname}.
So for example if your Okta base URL is https://my-org.okta.com, then your {okta-hostname} will be my-org.okta.com
Basic configuration
1. Login to Okta as administrator and create a new Okta OIDC Web Application:
2. Configure Application parameters:
- App integration name: use the human readable name identifying Kublr KCP within Okta, e.g. Kublr KCP
The name may be changed later. - Sign-in redirect URL:
https://{kcp-hostname}/auth/realms/kublr-ui/broker/{okta-idp-alias}/endpoint - Sign-out redirect:
https://{kcp-hostname}/auth/realms/kublr-ui/broker/{okta-idp-alias}/endpoint/logout_response - Controlled access:
configure as required, e.g. Allow everyone in your organization to access
3. After the application is created, note Okta OIDC Client ID and Secret
They will be referred below as {okta-client-id} and {octa-client-secret}
4. Login to Kublr KCP Identity Broker and create a new OIDC Identity Provider
5. Specify the identity provider parameters
Most of the parameters may be imported from Okta OIDC well known provider discovery endpoint:
https://{okta-hostname}/oauth2/default/.well-known/openid-configuration?client_id={okta-client-id}
Enter the URL in the "Import from URL" field and click "Import" button.
The following fields will not be imported automatically and will have to be entered manually:
- Alias - enter {okta-alias} picked in the beginning, for example "oktaoidc"
- Client Authentication - select "Client secret sent as post"
- Client ID and Client Secret - enter values from the Okta application
- Default Scopes - enter "openid profile email"
6. Save the Identity Provider and test Kublr Okta login and logout.
Kublr Login page should show the additional provider.
Optional additional configuration
Configure Okta Initiated Login
Okta Initiated Login enables logging into Kublr KCP from Okta applications dashboard.
Edit Kublr KCP Application in Okta:
- Enable Implicit grant type for ID token
- Select Either Okta or App in Login Initiated field
- Select Display application icon to users in Application visibility field
- Select Redirect to app to initiate login (OIDC Compliant) in Login flow field
- Enter the URL below in the Initiate login URI field:
https://{kcp-hostname}/auth/realms/kublr-ui/protocol/openid-connect/auth?client_id=kublr-ui&redirect_uri=https%3A%2F%2F{kcp-hostname}%2Fui%2F&response_type=code&kc_idp_hint={okta-idp-alias}
Set Okta IdP as default
Setting Okta IdP as default will hide Kublr standard login form and will automatically redirect to Okta for login.
The process of setting an identity provider as a default login method is described in Keycloak documentation in the "Default Identity Provider" section.
1. Login to Keycloak admin panel
2. Click Authentication in the menu.
3. Click the Browser flow.
4. Click the gear icon ⚙️ or "Action > Config" menu on the Identity Provider Redirector row.
5. Set Default Identity Provider to the identity provider you want to redirect users to.
Note that after you do this, Kublr login screen will not be displayed any more, so if you still need to see it, follow this article.
Customizing account linking flow
When an external IdP is used, by default Keycloak registers users logging in via that IdP as its internal users linked with the IdP accounts. On first login an account will be created or linked to an existing one.
Sometimes the default first login linking flow is too strict, and you want to unconditionally link an external IdP account to an existing account based on e.g. login.
Use the following procedure to achieve that.
1. Login to Keycloak admin panel
2. Click Authentication in the menu
3. Select First Broker Login flow
4. Click Copy button
5. Name the copy of the flow First Broker Login Alt or any other meaningful name
6. Select the copied flow
7. On the Handle Existing Account row select Action > Delete menu
8. On the User Creation or Linking row click Action > Add Execution menu and select Automatically Set Existing User type of action; click Save
9. On the new Automatically Set Existing User row select ALTERNATIVE
The result should look as follows:
10. Select Identity Providers menu
11. Select the Okta identity provider
12. Change the login flow in the First Login Flow parameter the the newly create First Broker Login Alt flow
13. Click Save