SSO Using Okta (Enterprise)
This page explains how to configure Okta and then configure Styra.
Okta Configuration
To prepare Okta for signing on to <das-id>.styra.com:
1. Login to Okta.
2. On the admin dashboard, click Add Applications and select Create New App.
3. Enter the following details in the form and then click Create.
   - Platform: Select Web.
   - Sign on method: Select OpenID Connect.
4. Enter the following details in the next form and then click Save. The form that follows shows the settings you have created.
   - Application name: Styra (or anything you prefer).
   - Application logo: Upload one.
   - Login redirect URIs: https://<das-id>.styra.com/v1/oauth2/callback
   - Logout redirect URIs: None.
   - On the General tab, which shows the configuration values and the Allowed Grant Types, ensure Authorization Code is checked, and that Refresh Token and Implicit (Hybrid) are both unchecked.
   - On the General tab, record the values of both Client ID and Client Secret. These values are used when you configure the settings on <das-id>.styra.com.
5. Select the Sign On tab and record the value of Issuer. The value is a URL. It is used when you configure the settings on <das-id>.styra.com.
6. Select the Assignments tab to identify the people entitled to access styra.com.
7. Click Assign, then select Assign to People.
8. Click Assign and Save to go back to the selected people.
9. When all the users are assigned, click Done.
Styra Configuration
After you configure Okta, you must configure <das-id>.styra.com.
1. Login to <das-id>.styra.com with your username and password.
2. Go to your Workspace, click Access Control >> Single Sign-On Providers, and then click OpenID Connect >> + Add OpenID Connect Provider.
3. Enter the following details in the form.
   - Provider name: The name for your identity provider setting, for example Corporate Okta. This name is visible to users on the login page.
   - Issuer URL: Copy the Issuer value recorded in Step 5. If you are using custom claims (such as groups), ensure that the /oauth2/default path is included in the Issuer URL.
   - Client ID: Copy the Client ID value recorded in Step 4.
   - Client Secret: Copy the Client Secret value recorded in Step 4.
   - Allowed Domains: Type the allowed authentication domain(s) of your users, for example retail.acme.com. If the identity provider supports multiple domains, only users with these domains are allowed to access the service.
   - Invited users only:
     - If enabled, the authenticated user must have a pre-existing account in the service.
     - If disabled, a new user account is created just-in-time for any authenticated user, as long as the user's domain matches one of the allowed domains (and the identity provider has assigned this user to the Styra application).
   - Enabled: Set it to TRUE.
4. If you selected just-in-time provisioning for the users, you can now logout from <das-id>.styra.com and sign in again through Okta. Okta is now displayed on the <das-id>.styra.com login screen above the username and password fields.
Invite Users to Styra (Optional)
If you configured <das-id>.styra.com to allow only invited users to login to the service, then you must create the users on <das-id>.styra.com. You can add or invite users through the following options:
- Using the CLI.
- Using the GUI.
- Any client calling the Styra CLI API.
Allow Okta Initiated Login
With Okta-initiated login, users do not have to start at <das-id>.styra.com and be redirected to Okta; they can sign in from Okta directly.
To allow Okta-initiated login, update the Okta application configuration for Styra as follows:
1. Allow the Implicit (Hybrid) grant type, with either of the token types (ID or access) turned on.
2. Set Login initiated by to Either Okta or App.
3. Set the login flow to OpenID Connect (OIDC compliant redirect flow).
4. Set the Initiate login URI to https://<das-id>.styra.com/v1/login/Okta?redirect_url=https://<das-id>.styra.com, replacing Okta with the provider name you used above when configuring Okta on <das-id>.styra.com.
Finally, users can login from Okta to <das-id>.styra.com.
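The following is an added example, not Styra's or Okta's own code, that turns the rules from the Okta Configuration, Styra Configuration and Okta Initiated Login sections above into checks a practitioner can run against exported settings before going live. The dict layouts, the das_id value and the constructed acme tenant are assumptions; they do not reflect any real Styra or Okta API.

```python
"""Consistency checks for the Okta app and Styra DAS provider settings above, plus
the sign-in decision implied by 'Allowed Domains' and 'Invited users only'."""
from urllib.parse import urlparse


def check_okta_app(app: dict, das_id: str, okta_initiated: bool = False) -> list:
    """Return problems with the Okta application settings (empty list = OK)."""
    problems = []
    callback = f"https://{das_id}.styra.com/v1/oauth2/callback"
    if callback not in app.get("login_redirect_uris", []):
        problems.append(f"Login redirect URIs must include {callback}")
    grants = set(app.get("grant_types", []))
    if "authorization_code" not in grants:
        problems.append("Authorization Code must be checked")
    if "refresh_token" in grants:
        problems.append("Refresh Token must be unchecked")
    # Implicit (Hybrid) is only required when Okta-initiated login is enabled.
    if "implicit" in grants and not okta_initiated:
        problems.append("Implicit (Hybrid) must be unchecked")
    if okta_initiated and "implicit" not in grants:
        problems.append("Okta-initiated login requires Implicit (Hybrid)")
    return problems


def check_styra_provider(cfg: dict, uses_custom_claims: bool) -> list:
    """Return problems with the Styra OpenID Connect provider form (empty = OK)."""
    problems = []
    issuer = urlparse(cfg.get("issuer_url", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("Issuer URL must be an https URL")
    if uses_custom_claims and not issuer.path.startswith("/oauth2/default"):
        problems.append("custom claims (e.g. groups) need the /oauth2/default issuer path")
    if not cfg.get("allowed_domains"):
        problems.append("Allowed Domains must list at least one domain")
    return problems


def login_allowed(email: str, cfg: dict, existing_users: set) -> bool:
    """Decide whether an Okta-authenticated user assigned to the Styra app may sign in:
    domain must be allowed; with 'Invited users only' the account must already exist."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain not in {d.lower() for d in cfg["allowed_domains"]}:
        return False
    if cfg.get("invited_users_only", False):
        return email.lower() in {u.lower() for u in existing_users}
    return True  # account is created just-in-time


# Constructed sample settings for a hypothetical 'acme' tenant (not real values).
OKTA_APP = {"login_redirect_uris": ["https://acme.styra.com/v1/oauth2/callback"],
            "grant_types": ["authorization_code", "implicit"]}
STYRA_CFG = {"issuer_url": "https://acme.okta.com/oauth2/default",
             "allowed_domains": ["retail.acme.com"], "invited_users_only": True}
```

With the sample settings, `check_okta_app(OKTA_APP, "acme")` flags the Implicit grant, and the same settings pass once `okta_initiated=True` is given.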