SSO Using Okta (Enterprise)
This page explains how to configure Okta and then configure Styra.
Okta Configuration
To prepare Okta for signing on to <das-id>.styra.com:
1. Login to Okta.
2. On the admin dashboard, click Add Applications and select Create New App.
3. Enter the following details in the form and then click Create.
   - Platform: Select Web.
   - Sign on method: Select OpenID Connect.
   Enter the following details in the next form and then click Save.
   - Application name: Styra (or anything you prefer).
   - Application logo: Upload one.
   - Login redirect URIs: https://<das-id>.styra.com/v1/oauth2/callback
   - Logout redirect URIs: None.
4. The next form shows the settings you have created. On the General tab, which shows the configuration values and the Allowed Grant Types, ensure Authorization Code is checked, and Refresh Token and Implicit (Hybrid) are both unchecked. On the same General tab, record the values for both Client ID and Client Secret. These values will be used when you configure the settings on <das-id>.styra.com.
5. Select the Sign On tab to record the value for Issuer. The value is a URL. This value will be used when you configure the settings on <das-id>.styra.com.
6. Now, select the Assignments tab to identify the people entitled to access styra.com.
7. Click Assign, select Assign to People. Click Assign and Save to go back to the selected people.
8. When all the users are assigned, click Done.
Styra Configuration
After you configure Okta, you must configure <das-id>.styra.com.
1. Login to <das-id>.styra.com with your username and password.
2. Go to your Workspace, click Access Control >> Single Sign-On Providers and then click OpenID Connect >> + Add OpenID Connect Provider.
3. Enter the following details in the form.
   - Provider name: The name for your identity provider setting. For example, Corporate Okta. This name will be visible to the users on the login page.
   - Issuer URL: Copy the Issuer value recorded in Step 5. If you are using custom claims (such as groups), then ensure that the /oauth2/default path is specified for the Issuer URL.
   - Client ID: Copy the Client ID value recorded in Step 4.
   - Client Secret: Copy the Client Secret value recorded in Step 4.
   - Allowed Domains: Type the allowed authentication domain(s) of your users. For example, retail.acme.com. If the identity provider supports multiple domains, only users with these domains are allowed to access the service.
   - Invited users only:
     - If enabled, the authenticated user must have a pre-existing account in the service.
     - If disabled, a new user account will be created just-in-time for any authenticated user, as long as the user's domain matches one of the allowed domains (and the identity provider has assigned this user to the Styra application).
   - Enabled: Set it to TRUE.
If you have selected just-in-time provisioning for the users, then you can now logout from <das-id>.styra.com and sign in again through Okta. Okta is now displayed on the <das-id>.styra.com login screen above the username and password fields.
Invite Users to Styra (Optional)
If you configured <das-id>.styra.com to allow only invited users to login to the service, then you must create users on <das-id>.styra.com. You can add or invite users through the following options:
- Using the CLI.
- Using the GUI.
- Any client calling the Styra CLI API.
Allow Okta Initiated Login
Okta-initiated login lets users start from Okta instead of starting at <das-id>.styra.com and being redirected to Okta.
To allow Okta initiated login, update the Okta application configuration for Styra as follows:
1. Allow the Implicit (Hybrid) grant type, with either of the token types (id or access) turned on.
2. Set login initiated by either Okta or App.
3. Set the login flow to be the OpenID Connect (OIDC compliant redirect flow).
4. Set the initiate login URI to https://<das-id>.styra.com/v1/login/Okta?redirect_url=https://<das-id>.styra.com and replace Okta with the provider name you used above while configuring Okta on <das-id>.styra.com.
Finally, the users can login from Okta to <das-id>.styra.com.
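As an added example (not Styra or Okta code), the following pre-flight check encodes the settings this page asks for in the Okta Configuration, Styra Configuration and Allow Okta Initiated Login sections, and applies the Allowed Domains / Invited users only rule to a sign-in. The dict keys, function names and sample values are assumptions; <das-id> stays a placeholder.

```python
from urllib.parse import urlparse

DAS = "https://<das-id>.styra.com"  # placeholder tenant URL, as written on this page
CALLBACK = DAS + "/v1/oauth2/callback"

def check_okta_app(app: dict, okta_initiated: bool = False) -> list[str]:
    """Problems with the Okta application settings from the Okta Configuration steps.
    app = {"grant_types": [...], "login_redirect_uris": [...], "logout_redirect_uris": [...]}"""
    problems = []
    grants = set(app.get("grant_types", []))
    if "authorization_code" not in grants:
        problems.append("Authorization Code grant must be checked")
    if "refresh_token" in grants:
        problems.append("Refresh Token grant must be unchecked")
    if "implicit" in grants and not okta_initiated:
        problems.append("Implicit (Hybrid) grant must be unchecked")
    if okta_initiated and "implicit" not in grants:
        problems.append("Okta-initiated login requires the Implicit (Hybrid) grant")
    if CALLBACK not in app.get("login_redirect_uris", []):
        problems.append("login redirect URI must be " + CALLBACK)
    if app.get("logout_redirect_uris"):
        problems.append("logout redirect URIs must be empty")
    return problems

def check_styra_provider(p: dict) -> list[str]:
    """Problems with the values entered in the Styra OpenID Connect provider form."""
    problems = []
    issuer = urlparse(p.get("issuer_url", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("Issuer URL must be an https URL")
    if p.get("custom_claims") and not issuer.path.rstrip("/").endswith("/oauth2/default"):
        problems.append("custom claims (e.g. groups) need the /oauth2/default issuer path")
    if not (p.get("client_id") and p.get("client_secret")):
        problems.append("Client ID and Client Secret are required")
    if not p.get("allowed_domains"):
        problems.append("at least one allowed domain is required")
    return problems

def login_decision(email: str, p: dict, existing_users: set) -> str:
    """'deny', 'login' or 'create' per the Allowed Domains and Invited users only rules.
    Assumes Okta already authenticated the user, i.e. the Okta Assignments check passed."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain not in {d.lower() for d in p["allowed_domains"]}:
        return "deny"
    if email.lower() in {u.lower() for u in existing_users}:
        return "login"
    return "deny" if p.get("invited_only") else "create"  # just-in-time provisioning
```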