Adding docs for how to configure Okta for the OIDC provider (#235)
* Adding documentation for Okta OIDC provider.
* additional clean up.
* Clearer heading
* Forgot a word.
* updated documentation based on ReillyProcentive review.
* Per steakunderscore review: removed defaults. Removed extra hardening steps (expiration, https only etc) not directly related to setting up Okta w/ OIDC
This commit is contained in:
parent
64672c34eb
commit
d85660248c
@ -146,6 +146,56 @@ OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many ma
|
|||||||
-cookie-secure=false
|
-cookie-secure=false
|
||||||
-email-domain example.com
|
-email-domain example.com
|
||||||
|
|
||||||
|
The OpenID Connect Provider (OIDC) can also be used to connect to other Identity Providers such as Okta. To configure the OIDC provider for Okta, perform
|
||||||
|
the following steps:
|
||||||
|
|
||||||
|
#### Configuring the OIDC Provider with Okta
|
||||||
|
|
||||||
|
1. Log in to Okta using an administrative account. It is suggested you try this in preview first, `example.oktapreview.com`
|
||||||
|
2. (OPTIONAL) If you want to configure authorization scopes and claims to be passed on to multiple applications,
|
||||||
|
you may wish to configure an authorization server for each application. Otherwise, the provided `default` will work.
|
||||||
|
* Navigate to **Security** then select **API**
|
||||||
|
* Click **Add Authorization Server**, if this option is not available you may require an additional license for a custom authorization server.
|
||||||
|
* Fill out the **Name** with something to describe the application you are protecting. e.g. 'Example App'.
|
||||||
|
* For **Audience**, pick the URL of the application you wish to protect: https://example.corp.com
|
||||||
|
* Fill out a **Description**
|
||||||
|
* Add any **Access Policies** you wish to configure to limit application access.
|
||||||
|
* The default settings will work for other options.
|
||||||
|
[See Okta documentation for more information on Authorization Servers](https://developer.okta.com/docs/guides/customize-authz-server/overview/)
|
||||||
|
3. Navigate to **Applications** then select **Add Application**.
|
||||||
|
* Select **Web** for the **Platform** setting.
|
||||||
|
* Select **OpenID Connect** and click **Create**
|
||||||
|
* Pick an **Application Name** such as `Example App`.
|
||||||
|
* Set the **Login redirect URI** to `https://example.corp.com`.
|
||||||
|
* Under **General** set the **Allowed grant types** to `Authorization Code` and `Refresh Token`.
|
||||||
|
* Leave the rest as default, taking note of the `Client ID` and `Client Secret`.
|
||||||
|
* Under **Assignments** select the users or groups you wish to access your application.
|
||||||
|
4. Create a configuration file like the following:
|
||||||
|
|
||||||
|
```
|
||||||
|
provider = "oidc"
|
||||||
|
redirect_url = "https://example.corp.com"
|
||||||
|
oidc_issuer_url = "https://corp.okta.com/oauth2/abCd1234"
|
||||||
|
upstreams = [
|
||||||
|
"https://example.corp.com"
|
||||||
|
]
|
||||||
|
email_domains = [
|
||||||
|
"corp.com"
|
||||||
|
]
|
||||||
|
client_id = "XXXXX"
|
||||||
|
client_secret = "YYYYY"
|
||||||
|
pass_access_token = true
|
||||||
|
cookie_secret = "ZZZZZ"
|
||||||
|
skip_provider_button = true
|
||||||
|
```
|
||||||
|
|
||||||
|
The `oidc_issuer_url` is based on URL from your **Authorization Server**'s **Issuer** field in step 2, or simply https://corp.okta.com
|
||||||
|
The `client_id` and `client_secret` are configured in the application settings.
|
||||||
|
Generate a unique `client_secret` to encrypt the cookie.
|
||||||
|
|
||||||
|
Then you can start the oauth2_proxy with `./oauth2_proxy -config /etc/example.cfg`
|
||||||
|
|
||||||
|
|
||||||
### login.gov Provider
|
### login.gov Provider
|
||||||
|
|
||||||
login.gov is an OIDC provider for the US Government.
|
login.gov is an OIDC provider for the US Government.
|
||||||
|
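Review bot: the sentence "Generate a unique `client_secret` to encrypt the cookie." after the config block names the wrong key; the value that encrypts the session cookie is `cookie_secret = "ZZZZZ"`, while `client_secret` is the secret Okta issued in step 3, so the line should read "Generate a unique `cookie_secret` to encrypt the cookie" and ideally say how to generate it, since a guessable cookie secret undermines the integrity of every session cookie the proxy issues. Two smaller points in the same hunk: step 3 registers the **Login redirect URI** as the bare `https://example.corp.com` and the config sets `redirect_url = "https://example.corp.com"`, but oauth2_proxy serves its callback under its proxy prefix (`/oauth2/callback` by default) and Okta refuses the code exchange unless the registered URI matches exactly, so please confirm whether both should be `https://example.corp.com/oauth2/callback`; and "is based on URL from your **Authorization Server**'s **Issuer** field" is missing "the" before "URL". Finally, `pass_access_token = true` forwards the Okta access token to the upstream in a request header, which the basic setup described here does not need; either drop it from the sample or say what the upstream is expected to do with it.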