External auth with Okta

Use the Okta identity hub to authenticate your users for the Gloo UI. Okta can be used to expose a consistent OpenID Connect interface to your apps while allowing your users to use credentials that are managed by Okta to authenticate with your app.

Before you begin

  1. Complete the getting started guide to install Gloo Gateway, Istio, and Bookinfo in your cluster.
  2. Optional: Review the information about how authentication and authorization work with the Gloo UI.

Step 1: Expose the Gloo UI

  1. Follow the steps in the HTTPS listener guide to create a virtual gateway with an HTTPS listener. When you set environment variables at the beginning of the guide, set $DNS_NAME to * and $SERVER_CERT_NAME to vg-gloo-ui. Make sure that you deploy the virtual gateway to the gloo-mesh-gateways namespace. Your virtual gateway looks similar to the following:

    kubectl apply -f- <<EOF
    apiVersion: networking.gloo.solo.io/v2
    kind: VirtualGateway
      name: vg-gloo-ui
      namespace: gloo-mesh-gateways
      - allowedRouteTables:
        - host: '*'
        http: {}
          number: 443
          mode: SIMPLE
          secretName: gw-ssl-1-secret
      - allowedRouteTables:
        - host: '*'
        http: {}
        httpsRedirect: true
          number: 80
      - selector:
            istio: ingressgateway
          cluster: $CLUSTER_NAME
  2. Create a route table to route incoming traffic on the ingress gateway to the Gloo UI.

    kubectl apply -f- <<EOF
    apiVersion: networking.gloo.solo.io/v2
    kind: RouteTable
      name: gloo-ui-rt
      namespace: gloo-mesh-gateways  
        kind: SERVICE
          number: 8090
          name: gloo-mesh-ui
          namespace: gloo-mesh
      - '*'
      - forwardTo: {}
        - uri:
            prefix: /
        name: gloo-mesh-ui
      - name: istio-ingressgateway
  3. Get the external address of the ingress gateway and save it as an environment variable.

    export INGRESS_GW_IP=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    echo $INGRESS_GW_IP
    export INGRESS_GW_IP=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
    echo $INGRESS_GW_IP

  4. In your web browser, enter the IP address that was assigned to your ingress gateway, followed by a /, such as Verify that the Gloo UI opens.

    open https://$INGRESS_GW_IP/

Step 2: Set up an Okta OIDC app

  1. Open the Okta dashboard. If you don't have an Okta account that you can use, sign up for an Okta developer account.
  2. From the Applications menu, click Applications > Create New App. Note that you might see a Create App Integration button instead. Okta application dashboard
  3. Select OIDC - OpenID Connect as the sign-in method for your app and Web application as your application type. Then, click Next.
  4. Enter a name for your app and optionally upload a logo.
  5. Enter the sign-in redirect URL. The URL is composed of the external address of the ingress gateway that you created for the Gloo UI earlier (the value of $INGRESS_GW_IP) and the /oidc-callback path. For example, your URL might be
  6. From the Assignments section, select Allow everyone in your organization to access. This way, you do not need to asign a user or group to this app. Instead, you can use your Okta developer account credentials to test the Okta authentication flow.
  7. Click Save to save your changes. You are redirected to the Okta app details page.
  8. From the General tab on the Okta app details page, note the Client ID and the client Secret. Okta General tab
  9. From the Sign on tab in the OpenID Connect ID Token section, change the Issuer from Dynamic to the Okta URL. Your Okta URL typically includes your account ID and an okta.com extension, such as https://dev-12345678.okta.com. Okta General tab

Step 3: Set up external auth for the Gloo UI

  1. Follow the steps to get your current Helm values.

  2. To configure your Gloo UI with the Okta OIDC provider, add the following Helm values to your Gloo Platform Helm values file.

      enabled: true
        enabled: true
        backend: oidc
          clientId: "<client-ID>"
          clientSecret: "<client-secret>"
          clientSecretName: dashboard
          issuerUrl: '<issuer-URL>'
          appUrl: '<app-URL>'
    Setting Description
    clientId Enter the client ID that was assigned to your Okta OIDC app. You can retrieve the client ID from the General tab of your Okta OIDC app.
    clientSecret Enter the client secret value that was created for your Okta OIDC app. You can retrieve the client secret from the General tab of your Okta OIDC app.
    clientSecretName Enter a name for the Kubernetes secret that is automatically created for you and stores the clientSecret. In this example, the Kubernetes secret is named dashboard.
    issuerUrl Enter the Okta issuer URL that you set up in the Okta app, such as https://dev-12345678.okta.com. You can retrieve the Okta issue URL from the Issuer field on the Sign on tab of your Okta OIDC app.
    appUrl Enter the public address that was assigned to your ingress gateway. For example, your app URL might look similar to the following
  3. Follow the steps to upgrade and verify your Helm installation.

  4. Verify that a dashboard custom resource is created for you and that the Okta settings, such as the client ID, issuer URL, and app URL are correct.

    kubectl get dashboard settings -n gloo-mesh -o yaml
  5. Verify that a Kubernetes secret was created with the name that you specified in the clientSecretName of your Helm chart. In your secret, make sure the you see oidc-client-secret data.

    kubectl describe secret dashboard -n gloo-mesh 

Step 4: Verify external auth with Okta

  1. In your browser, open the app URL that you entered in your Helm chart. For example, the URL might be Make sure that you see the Gloo UI welcome screen.

    Gloo UI welcome screen

  2. Click SIGN INTO GLOO PLATFORM. You are redirected to the Okta login page.

    Okta login screen

  3. Enter your Okta username and password. If successfully authenticated, Okta issues an ID token and redirects you to the Gloo UI.

    Gloo UI dashboard


You can optionally remove the resources that you set up as part of this guide.

  1. Delete the virtual gateway, secret, and route table that you create to expose the Gloo UI.

    kubectl delete vg vg-gloo-ui -n gloo-mesh-gateways
    kubectl delete secret gw-ssl-1-secret -n gloo-mesh-gateways
    kubectl delete rt gloo-ui-rt -n gloo-mesh-gateways
  2. Follow Step 3: Set up external auth for the Gloo UI to upgrade your Gloo Platform installation. In your Helm values file, remove the glooUi.auth section.

  3. Remove your Okta OIDC app.

    1. Open the Okta dashboard and select Applications > Applications from the menu.
    2. Find your Okta OIDC app.
    3. Click the gear icon and from the drop down menu, select Deactivate.