Tags: security, keycloak, okta, idp, sso, auth


TABLE OF CONTENTS


Overview


This article describes configuration of Okta as an identity provider for Kublr control plane.


Pre-requisites


  1. Deployed Kublr Control Plane
  2. An Okta account with administrative credentials


Preparation


  1. Pick a name for Kublr KCP Identity Broker within Okta.
    We will use "Kublr KCP" in this article, but you can choose a different name.
    If you have several Kublr control plane installations for which you want to setup SSO via Okta, different names will need to be used.
  2. Pick an alias and optionally a display name for Okta IdP within Kublr KCP identity provider.
    We will refer to it as {okta-idp-alias} in this document.
    oktaoidc alias will be used in the screenshots in this document.
  3. Make sure that you have Kublr KCP base URL configured and accessible from your local machine.
    The hostname of the KCP base URL will be used in this document and will be referred to as {kcp-hostname}.
    So for example if your KCP is running on https://my-kcp.my-org.com URL, then your {kcp-hostname} will be my-kcp.my-org.com
  4. Make sure that you have your organization Okta base URL configured and accessible from your local machine.
    The hostname of the Okta base URL will be used in this document and will be referred to as {okta-hostname}.
    So for example if your Okta base URL is https://my-org.okta.com, then your {okta-hostname} will be my-org.okta.com


Basic configuration


1. Login to Okta as administrator and create a new Okta OIDC Web Application:




2. Configure Application parameters:

  • App integration name: use the human readable name identifying Kublr KCP within Okta, e.g. Kublr KCP
    The name may be changed later.
  • Sign-in redirect URL:
    https://{kcp-hostname}/auth/realms/kublr-ui/broker/{okta-idp-alias}/endpoint
  • Sign-out redirect:
    https://{kcp-hostname}/auth/realms/kublr-ui/broker/{okta-idp-alias}/endpoint/logout_response
  • Controlled access:
    configure as required, e.g. Allow everyone in your organization to access



3. After the application is created, note Okta OIDC Client ID and Secret

They will be referred below as {okta-client-id} and {octa-client-secret}



4. Login to Kublr KCP Identity Broker and create a new OIDC Identity Provider



5. Specify the identity provider parameters


Most of the parameters may be imported from Okta OIDC well known provider discovery endpoint:

https://{okta-hostname}/oauth2/default/.well-known/openid-configuration?client_id={okta-client-id}

Enter the URL in the "Import from URL" field and click "Import" button.


The following fields will not be imported automatically and will have to be entered manually:

  • Alias - enter {okta-alias} picked in the beginning, for example "oktaoidc"
  • Client Authentication - select "Client secret sent as post"
  • Client ID and Client Secret - enter values from the Okta application
  • Default Scopes - enter "openid profile email"



6. Save the Identity Provider and test Kublr Okta login and logout.

Kublr Login page should show the additional provider.



Configure Okta Initiated Login


Edit Kublr KCP Application in Okta:

  • Enable Implicit grant type for ID token
  • Select Either Okta or App in Login Initiated field
  • Select Display application icon to users in Application visibility field
  • Select Redirect to app to initiate login (OIDC Compliant) in Login flow field
  • Enter the URL below in the Initiate login URI field:
    https://{kcp-hostname}/auth/realms/kublr-ui/protocol/openid-connect/auth?client_id=kublr-ui&redirect_uri=https%3A%2F%2F{kcp-hostname}%2Fui%2F&response_type=code&kc_idp_hint={okta-idp-alias}