Use the Okta identity hub to authenticate your users for the Gloo UI. Okta can be used to expose a consistent OpenID Connect interface to your apps while allowing your users to use credentials that are managed by Okta to authenticate with your app.

Before you begin

  1. Complete the get started guide to install Gloo Mesh Gateway.
  2. Optional: Review the information about how authentication and authorization work with the Gloo UI.

Step 1: Set up an Okta OIDC app

  1. Open the Okta dashboard. If you don’t have an Okta account that you can use, sign up for an Okta developer account.

  2. From the Applications menu, click Applications > Create New App. Note that you might see a Create App Integration button instead.

    Figure: Okta application dashboard
    Figure: Okta application dashboard
    Figure: Okta application dashboard
    Figure: Okta application dashboard
  3. Select OIDC - OpenID Connect as the sign-in method for your app and Web application as your application type. Then, click Next.

  4. Enter a name for your app and optionally upload a logo.

  5. Enter the redirect URL. The URL is composed of the local address of the Gloo UI http://localhost:8090 and the /oidc-callback path. Your composed redirect URL looks as follows http://localhost:8090/oidc-callback.

  6. From the Assignments section, select Allow everyone in your organization to access. This way, you do not need to asign a user or group to this app. Instead, you can use your Okta developer account credentials to test the Okta authentication flow.

  7. Click Save to save your changes. You are redirected to the Okta app details page.

  8. From the General tab on the Okta app details page, note the Client ID and the client Secret.

    Figure: Okta General tab
    Figure: Okta General tab
    Figure: Okta General tab
    Figure: Okta General tab
  9. Store the Client ID and Secret as environment variables.

      export CLIENT_ID=<client-id>
    export CLIENT_SECRET=<secret>
      
  10. From the Sign on tab in the OpenID Connect ID Token section, change the Issuer from Dynamic to the Okta URL. Your Okta URL typically includes your account ID and an okta.com extension, such as https://dev-12345678.okta.com.

    Figure: Okta General tab
    Figure: Okta General tab
  11. Store the issuer URL as an environment variable.

      export ISSUER_URL=<issuer-URL>
      

Step 2: Set up external auth for the Gloo UI

  1. Create a Kubernetes secret with the client secret from your Okta account. Note that the client secret value is base64-encoded.

      kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: dashboard
      namespace: gloo-mesh
    data:
      oidc-client-secret: $(echo -n ${CLIENT_SECRET} | base64)
    EOF
      
  2. Create a Dashboard custom resource to configure the Gloo UI for external authentication with Okta.

      kubectl apply -f - <<EOF
    apiVersion: admin.gloo.solo.io/v2
    kind: Dashboard
    metadata:
      name: settings
      namespace: gloo-mesh
    spec:
      authn:
        oidc:
          appUrl: http://localhost:8090
          clientId: ${CLIENT_ID}
          clientSecretName: dashboard
          issuerUrl: ${ISSUER_URL}
    EOF
      
    SettingDescription
    clientIdEnter the client ID that was assigned to your Okta OIDC app. You can retrieve the client ID from the General tab of your Okta OIDC app.
    issuerUrlEnter the Okta issuer URL that you set up in the Okta app, such as https://dev-12345678.okta.com. You can retrieve the Okta issuer URL from the Issuer field on the Sign on tab of your Okta OIDC app.
    appUrlEnter the local address of the Gloo UI http://localhost:8090.

Step 3: Verify external auth with Okta

  1. Open the Gloo UI. Verify that you are redirected to the Gloo UI welcome screen.

      meshctl dashboard 
      
    Figure: Gloo UI welcome screen
    Figure: Gloo UI welcome screen
  2. Click SIGN INTO GLOO PLATFORM. You are redirected to the Okta login page.

    Figure: Okta login screen
    Figure: Okta login screen
  3. Enter your Okta username and password. If successfully authenticated, Okta issues an ID token and redirects you to the Gloo UI.

    Figure: Gloo UI dashboard
    Figure: Gloo UI dashboard
    Figure: Gloo UI dashboard
    Figure: Gloo UI dashboard

Cleanup

You can optionally remove the resources that you set up as part of this guide.

  1. Remove the OIDC authentication section from the dashboard resource.

      kubectl apply -f - <<EOF
    apiVersion: admin.gloo.solo.io/v2
    kind: Dashboard
    metadata:
      name: settings
      namespace: gloo-mesh
    EOF
      
  2. Remove the Kubernetes secret with your Okta OIDC credentials.

      kubectl delete secret dashboard -n gloo-mesh
      
  3. Remove your Okta OIDC app.

    1. Open the Okta dashboard and select Applications > Applications from the menu.
    2. Find your Okta OIDC app.
    3. Click the gear icon and from the drop down menu, select Deactivate.