External auth with Okta
Set up external authentication for the Gloo UI with the Okta OIDC provider.
Use the Okta identity hub to authenticate your users for the Gloo UI. Okta can be used to expose a consistent OpenID Connect interface to your apps while allowing your users to use credentials that are managed by Okta to authenticate with your app.
Before you begin
- Complete the guide to install Gloo Network.
- Optional: Review the information about how authentication and authorization work with the Gloo UI.
Step 1: Set up an Okta OIDC app
Open the Okta dashboard. If you don’t have an Okta account that you can use, sign up for an Okta developer account.
From the Applications menu, click Applications > Create New App. Note that you might see a Create App Integration button instead.
Select OIDC - OpenID Connect as the sign-in method for your app and Web application as your application type. Then, click Next.
Enter a name for your app and optionally upload a logo.
Enter the redirect URL. The URL is composed of the local address of the Gloo UI
http://localhost:8090
and the/oidc-callback
path. Your composed redirect URL looks as followshttp://localhost:8090/oidc-callback
.From the Assignments section, select Allow everyone in your organization to access. This way, you do not need to asign a user or group to this app. Instead, you can use your Okta developer account credentials to test the Okta authentication flow.
Click Save to save your changes. You are redirected to the Okta app details page.
From the General tab on the Okta app details page, note the Client ID and the client Secret.
Store the Client ID and Secret as environment variables.
export CLIENT_ID=<client-id> export CLIENT_SECRET=<secret>
From the Sign on tab in the OpenID Connect ID Token section, change the Issuer from
Dynamic
to the Okta URL. Your Okta URL typically includes your account ID and anokta.com
extension, such ashttps://dev-12345678.okta.com
.Store the issuer URL as an environment variable.
export ISSUER_URL=<issuer-URL>
Step 2: Set up external auth for the Gloo UI
Create a Kubernetes secret with the client secret from your Okta account. Note that the client secret value is base64-encoded.
kubectl apply -f - <<EOF apiVersion: v1 kind: Secret type: Opaque metadata: name: dashboard namespace: gloo-mesh data: oidc-client-secret: $(echo -n ${CLIENT_SECRET} | base64) EOF
Create a
Dashboard
custom resource to configure the Gloo UI for external authentication with Okta.kubectl apply -f - <<EOF apiVersion: admin.gloo.solo.io/v2 kind: Dashboard metadata: name: settings namespace: gloo-mesh spec: authn: oidc: appUrl: http://localhost:8090 clientId: ${CLIENT_ID} clientSecretName: dashboard issuerUrl: ${ISSUER_URL} EOF
Setting Description clientId
Enter the client ID that was assigned to your Okta OIDC app. You can retrieve the client ID from the General tab of your Okta OIDC app. issuerUrl
Enter the Okta issuer URL that you set up in the Okta app, such as https://dev-12345678.okta.com
. You can retrieve the Okta issuer URL from the Issuer field on the Sign on tab of your Okta OIDC app.appUrl
Enter the local address of the Gloo UI http://localhost:8090
.
Step 3: Verify external auth with Okta
Open the Gloo UI. Verify that you are redirected to the Gloo UI welcome screen.
meshctl dashboard
Click SIGN INTO GLOO PLATFORM. You are redirected to the Okta login page.
Enter your Okta username and password. If successfully authenticated, Okta issues an ID token and redirects you to the Gloo UI.
Cleanup
You can optionally remove the resources that you set up as part of this guide.
Remove the OIDC authentication section from the dashboard resource.
kubectl apply -f - <<EOF apiVersion: admin.gloo.solo.io/v2 kind: Dashboard metadata: name: settings namespace: gloo-mesh EOF
Remove the Kubernetes secret with your Okta OIDC credentials.
kubectl delete secret dashboard -n gloo-mesh
Remove your Okta OIDC app.
- Open the Okta dashboard and select Applications > Applications from the menu.
- Find your Okta OIDC app.
- Click the gear icon and from the drop down menu, select Deactivate.