SSO - Okta

Objective

This document provides instructions on how to configure Okta Single Sign-on (SSO) integration to Volterra for your enterprise account. For an overview of Volterra, see About Volterra.

Note: SSO setup requires a user of the tenant owner type. To check the type, navigate to General -> IAM -> Users, click Show/hide column, select the Type field, and click Apply to display the Type column. For the tenant owner, the Type column displays Tenant Owner; for all other users, it displays User.


Prerequisites

The following prerequisites apply:


Configuration Steps

Configuring SSO using Okta in VoltConsole includes performing the following actions:

  • Configure the OIDC authentication application in Okta
  • Enable SSO using Okta in VoltConsole

Configure OIDC Authentication Application in Okta

Configuring the OIDC authentication application in Okta includes creating an identity provider type and an application for your SSO in Okta. It also requires whitelisting the redirect URI in your identity provider.

This example shows configuring Okta with Google as the identity provider.

Note: Creating OAuth credentials in Google is required for this step. For more information, see SSO-Google guide.

Perform the following actions to configure the OIDC app in Okta:

Step 1: Log into Okta and start new identity provider configuration.
  • Log in to the Okta portal with your administrator access. Click Admin.

Figure: Okta Login View

  • Click Security -> Identity Providers.

Figure: New Identity Creation

  • Click Add Google in the Add Identity Provider drop-down menu.

Figure: Select Google As the Identity Provider

Step 2: Obtain the OAuth information from the identity provider and add to the Okta identity provider configuration.
  • Obtain the OAuth details from the identity provider.
  • Add the details in the GENERAL SETTINGS of the Okta identity provider configuration. This example sets name, client ID, and client secret obtained from Google OAuth settings.

Figure: Identity Provider Client and Secret Settings

  • Click Add Identity Provider and copy the URL in the Redirect URI field.

Figure: Redirect URI from Identity Provider Creation

Step 3: Add the redirect URI to the whitelist of the identity provider OAuth client configuration.

This example shows adding the redirect URI to the Google client ID configuration:

  • Log into your Google credentials app, navigate to the client ID configuration, and enter the redirect URI obtained in the previous step in the Authorized redirect URIs field.

Figure: Redirect URI Option in Google

Figure: Redirect URI Addition to Google

  • Click Save.

Step 4: Create an application for SSO in Okta.
  • Click on the Applications tab in the Okta top menu and select Applications.
  • Click Add Application and in the applications screen, click Create New App.

Figure: Create New Application

  • Select Web for the Platform field, select Open Id Connect for the Sign on method, and click Create.
  • Enter an application name, enter a URL in the Login redirect URIs field, and click Save. The application gets created.

Figure: OIDC Integration Creation

  • Navigate to the General settings tab of the created application and scroll down to the Client Credentials field. Note down the values of the Client ID and Client secret fields.

Figure: Client ID and Secret Values

  • Obtain the well-known URL for your Okta account. The following is an example well-known URL for Okta, where vesvolterraus represents the subdomain part for a sample account.

https://vesvolterraus.okta.com/.well-known/openid-configuration

Note: The client ID, client secret, and well-known URL fields are required in SSO configuration in VoltConsole.

Step 5: Configure user and group settings in Okta.
  • Click Security -> Identity Providers and click the Routing Rules tab.
  • Click Add Routing Rule and configure rules for users. Select the identity provider you created in the THEN field. Click Create Rule.

Figure: Rule Creation

  • Optionally, specify users and groups for which Okta-based SSO needs to be enabled. Perform the following:

    • Click Applications -> Applications and click the settings icon for your application. Navigate to the Assignments tab of your application settings.

    Figure: User Assignment

    • Click Assign -> Assign to People and add users for whom Okta SSO needs to be enabled.
    • Click Assign -> Assign to Groups and select the groups for whom Okta SSO needs to be enabled.

Enable SSO Using Okta in VoltConsole

Step 1: Start SSO setup in the VoltConsole.
  • Log in to VoltConsole with admin credentials. Click General in the namespace selector and select Tenant Settings -> Login Options in the left configuration menu. Click Setup SSO.

Figure: Volterra SSO Setup

  • Select Okta in the Choose Service screen and click Continue.

Step 2: Configure clients identity.

In the Create Clients ID screen, configure client ID and client secret.

Figure: Volterra SSO Create Clients ID

  • Enter the client ID and secret obtained in Step 4 of the Configure OIDC Authentication Application in Okta chapter in the Client ID and Client Secret fields respectively.
  • Enter the well-known URL obtained in Step 4 of the Configure OIDC Authentication Application in Okta chapter in the Import from well-known URL field.

Figure: Volterra SSO Well-known URL Import

  • Click Import. The fields such as Authorization URL and Token URL get populated.
  • Click Continue.

Step 3: Copy the redirect URL.

Copy the displayed value of the Redirect URL field in the Redirect URI screen. This value is used in the next step. Click Done.

Step 4: Add the redirect URL in the Okta application settings.
  • Log into Okta and navigate to the General tab of your application settings. Click Edit.

    Figure: Okta Application General Settings

  • Navigate to the LOGIN section and enter the redirect URL copied in the previous step in the Login redirect URIs field.
  • Add the value of the callback URL to the Initiate login URI field. You can obtain this from the settings of your identity provider by navigating to Security -> Identity Providers.
  • Save the settings.

Note: The field Logout redirect URIs gets automatically populated.

Step 5: Complete the SSO Setup.

Log out of the VoltConsole. The subsequent logins get serviced through Okta.
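The well-known URL imported in Step 2 serves an OIDC discovery document, and the Authorization URL and Token URL fields are filled from it. The following is an added example, not code from Volterra or Okta, showing the checks worth making on that document before trusting the imported endpoints. The sample document is constructed for the page's example subdomain, and the function name and the same-host rule are assumptions of this sketch.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample for the page's example subdomain; a real document is
# fetched from the well-known URL and carries more fields.
SAMPLE_DOC = json.loads("""{
  "issuer": "https://vesvolterraus.okta.com",
  "authorization_endpoint": "https://vesvolterraus.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://vesvolterraus.okta.com/oauth2/v1/token",
  "jwks_uri": "https://vesvolterraus.okta.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token"]
}""")


def import_well_known(well_known_url, doc):
    """Validate a discovery document; return the endpoints an import would use."""
    if urlsplit(well_known_url).scheme != "https":
        raise ValueError("well-known URL must use https")
    if not well_known_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not an OIDC well-known URL")
    expected_issuer = well_known_url[: -len(WELL_KNOWN_SUFFIX)]
    # OIDC Discovery: the issuer in the document must equal the URL prefix
    # the document was retrieved from, otherwise the metadata is rejected.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    issuer_host = urlsplit(expected_issuer).hostname
    endpoints = {}
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        parts = urlsplit(doc.get(field, ""))
        if parts.scheme != "https":
            raise ValueError(f"{field} missing or not https")
        # Local policy (assumption): endpoints must stay on the issuer's host.
        if parts.hostname != issuer_host:
            raise ValueError(f"{field} is on unexpected host {parts.hostname!r}")
        endpoints[field] = doc[field]
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("authorization code flow not advertised")
    return endpoints
```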


Concepts


API References