External auth with Okta

Use the Okta identity hub to authenticate your users for the Gloo UI. Okta can be used to expose a consistent OpenID Connect interface to your apps while allowing your users to use credentials that are managed by Okta to authenticate with your app.

Before you begin

  1. Complete the getting started guide to install Gloo Gateway, Istio, and Bookinfo in your cluster.
  2. Optional: Review the information about how authentication and authorization work with the Gloo UI.

Step 1: Expose the Gloo UI

  1. Follow the steps in the HTTPS listener guide to create a virtual gateway with an HTTPS listener. When you set environment variables at the beginning of the guide, set $DNS_NAME to * and $SERVER_CERT_NAME to vg-gloo-ui. Make sure that you deploy the virtual gateway to the gloo-mesh-gateways namespace. Your virtual gateway looks similar to the following:

    kubectl apply -f- <<EOF
    apiVersion: networking.gloo.solo.io/v2
    kind: VirtualGateway
    metadata:
      name: vg-gloo-ui
      namespace: gloo-mesh-gateways
    spec:
      listeners:
      - allowedRouteTables:
        - host: '*'
        http: {}
        port:
          number: 443
        tls:
          mode: SIMPLE
          secretName: gw-ssl-1-secret
      - allowedRouteTables:
        - host: '*'
        http: {}
        httpsRedirect: true
        port:
          number: 80
      workloads:
      - selector:
          labels:
            istio: ingressgateway
          cluster: $CLUSTER_NAME
    EOF
    
  2. Create a route table to route incoming traffic on the ingress gateway to the Gloo UI.

    kubectl apply -f- <<EOF
    apiVersion: networking.gloo.solo.io/v2
    kind: RouteTable
    metadata:
      name: gloo-ui-rt
      namespace: gloo-mesh-gateways
    spec:
      defaultDestination:
        kind: SERVICE
        port:
          number: 8090
        ref:
          name: gloo-mesh-ui
          namespace: gloo-mesh
      hosts:
      - '*'
      http:
      - forwardTo: {}
        matchers:
        - uri:
            prefix: /
        name: gloo-mesh-ui
      virtualGateways:
      # Attach the route table to the HTTPS virtual gateway created in the previous step.
      - name: vg-gloo-ui
        namespace: gloo-mesh-gateways
    EOF
    
  3. Get the external address of the ingress gateway and save it as an environment variable.

    If your cloud provider assigns an IP address to the load balancer service:

    export INGRESS_GW_IP=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    echo $INGRESS_GW_IP

    If your cloud provider assigns a hostname instead, such as on AWS:

    export INGRESS_GW_IP=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
    echo $INGRESS_GW_IP
    

  4. In your web browser, enter the IP address that was assigned to your ingress gateway, followed by a /, such as https://35.145.23.156/. Verify that the Gloo UI opens.

    open https://$INGRESS_GW_IP/
    

Step 2: Set up an Okta OIDC app

  1. Open the Okta dashboard. If you don't have an Okta account that you can use, sign up for an Okta developer account.
  2. From the Applications menu, click Applications > Create New App. Note that you might see a Create App Integration button instead.
  3. Select OIDC - OpenID Connect as the sign-in method for your app and Web application as your application type. Then, click Next.
  4. Enter a name for your app and optionally upload a logo.
  5. Enter the sign-in redirect URL. The URL is composed of the external address of the ingress gateway that you created for the Gloo UI earlier (the value of $INGRESS_GW_IP) and the /oidc-callback path. For example, your URL might be https://35.145.23.156/oidc-callback.
  6. From the Assignments section, select Allow everyone in your organization to access. This way, you do not need to assign a user or group to this app. Instead, you can use your Okta developer account credentials to test the Okta authentication flow.
  7. Click Save to save your changes. You are redirected to the Okta app details page.
  8. From the General tab on the Okta app details page, note the Client ID and the Client Secret.
  9. From the Sign on tab, in the OpenID Connect ID Token section, change the Issuer from Dynamic to the Okta URL. Your Okta URL typically includes your account ID and an okta.com extension, such as https://dev-12345678.okta.com.

Step 3: Set up external auth for the Gloo UI

  1. Follow the steps to get your current Helm values.

  2. To configure your Gloo UI with the Okta OIDC provider, add the following Helm values to your Gloo Platform Helm values file.

    glooUi:
      enabled: true
      auth:
        enabled: true
        backend: oidc
        oidc:
          clientId: "<client-ID>"
          clientSecret: "<client-secret>"
          clientSecretName: dashboard
          issuerUrl: '<issuer-URL>'
          appUrl: '<app-URL>'
    
    clientId: Enter the client ID that was assigned to your Okta OIDC app. You can retrieve the client ID from the General tab of your Okta OIDC app.

    clientSecret: Enter the client secret value that was created for your Okta OIDC app. You can retrieve the client secret from the General tab of your Okta OIDC app.

    clientSecretName: Enter a name for the Kubernetes secret that is automatically created for you and stores the clientSecret. In this example, the Kubernetes secret is named dashboard.

    issuerUrl: Enter the Okta issuer URL that you set up in the Okta app, such as https://dev-12345678.okta.com. You can retrieve the Okta issuer URL from the Issuer field on the Sign on tab of your Okta OIDC app.

    appUrl: Enter the public address that was assigned to your ingress gateway, such as https://35.145.23.156. This is the same address that the sign-in redirect URL of your Okta app is based on.
  3. Follow the steps to upgrade and verify your Helm installation.

  4. Verify that a dashboard custom resource is created for you and that the Okta settings, such as the client ID, issuer URL, and app URL are correct.

    kubectl get dashboard settings -n gloo-mesh -o yaml
    
  5. Verify that a Kubernetes secret was created with the name that you specified in the clientSecretName of your Helm chart. In your secret, make sure that you see oidc-client-secret data.

    kubectl describe secret dashboard -n gloo-mesh
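
    A mismatch between the Okta sign-in redirect URL and the appUrl Helm value is the most common reason the login in Step 4 fails. The following POSIX shell check is an added example, not part of the Gloo Platform docs or the product: it assumes you pass the appUrl and issuerUrl values from your Helm values file and the sign-in redirect URL you registered in the Okta app, and it derives the redirect URI the Gloo UI will send (appUrl plus /oidc-callback) and the OIDC discovery URL of the issuer so you can compare them before upgrading.

```shell
#!/bin/sh
# Added example (not from the Gloo docs): check that the Okta app and the
# glooUi.auth.oidc Helm values agree before running the Helm upgrade.
# Assumed inputs: appUrl, issuerUrl (Helm values) and the sign-in redirect URL
# registered in the Okta app.

# Drop one trailing slash so "https://host/" and "https://host" compare equal.
strip_slash() {
  printf '%s' "${1%/}"
}

# The redirect URI the Gloo UI sends to Okta is always <appUrl>/oidc-callback.
expected_redirect_uri() {
  printf '%s/oidc-callback' "$(strip_slash "$1")"
}

# OIDC discovery document published by the issuer; its "issuer" claim must
# equal issuerUrl exactly, or ID token validation fails.
discovery_url() {
  printf '%s/.well-known/openid-configuration' "$(strip_slash "$1")"
}

# check_oidc_values <appUrl> <issuerUrl> <okta sign-in redirect URL>
# Returns 0 when the values are consistent, 1 otherwise, printing each problem.
check_oidc_values() {
  app_url=$1; issuer_url=$2; registered_redirect=$3
  rc=0
  case "$app_url" in
    https://*) ;;
    *) echo "appUrl must use https: the UI is exposed on the HTTPS listener"; rc=1 ;;
  esac
  case "$issuer_url" in
    https://*) ;;
    *) echo "issuerUrl must use https"; rc=1 ;;
  esac
  want=$(expected_redirect_uri "$app_url")
  if [ "$(strip_slash "$registered_redirect")" != "$want" ]; then
    echo "Okta sign-in redirect URL is '$registered_redirect' but the Gloo UI uses '$want'"
    rc=1
  fi
  return $rc
}

# Usage with constructed sample values (replace with your own):
# check_oidc_values https://35.145.23.156 https://dev-12345678.okta.com \
#   https://35.145.23.156/oidc-callback && echo "values are consistent"
# curl -fsS "$(discovery_url https://dev-12345678.okta.com)" | grep -o '"issuer":"[^"]*"'
```

    The curl line confirms that the issuer is reachable from where you run the check and shows the issuer value Okta advertises, which is the value issuerUrl must match.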
    

Step 4: Verify external auth with Okta

  1. In your browser, open the app URL that you entered in your Helm chart. For example, the URL might be https://35.145.23.156. Make sure that you see the Gloo UI welcome screen.

  2. Click SIGN INTO GLOO PLATFORM. You are redirected to the Okta login page.

  3. Enter your Okta username and password. If successfully authenticated, Okta issues an ID token and redirects you to the Gloo UI.

Cleanup

You can optionally remove the resources that you set up as part of this guide.

  1. Delete the virtual gateway, secret, and route table that you created to expose the Gloo UI.

    kubectl delete vg vg-gloo-ui -n gloo-mesh-gateways
    kubectl delete secret gw-ssl-1-secret -n gloo-mesh-gateways
    kubectl delete rt gloo-ui-rt -n gloo-mesh-gateways
    
  2. Follow Step 3: Set up external auth for the Gloo UI to upgrade your Gloo Platform installation. In your Helm values file, remove the glooUi.auth section.

  3. Remove your Okta OIDC app.

    1. Open the Okta dashboard and select Applications > Applications from the menu.
    2. Find your Okta OIDC app.
    3. Click the gear icon and, from the drop-down menu, select Deactivate.