How to Configure Okta as An Identity Provider for OpenShift

Prerequisites

Okta provides several paid offerings to customers. You can review them on the Okta page.

In this tutorial, I am using a developer account with the Okta platform. You can get a trial account here: https://developer.okta.com/signup/.

Along with this, you need the Openshift Container Platform environment for identity provider configuration.

Okta Configuration

Let’s first start with Okta configuration.

After you have logged into the Okta portal, go to the “Application” tab and click “Add Application”.  This opens a new window:

Click “Create New App”. This opens a new window:

Select the “Web” option and click “Next”: 

Add the details as below on the newly open window.

Set an “Application name”.

 In the Login section, set “Login redirect URIs” and “Initiate login URI” as: 

https://oauth-openshift.apps.<cluster-name>.<cluster-domain>/oauth2callback/
<idp-provider-name>

For example: https://oauth-opeshift-apps.pmaliokta.com/oauth2callback/okta

Here, make a note that <idp-provider-name> is the name that we are going to use in the OpenShift configuration to refer to the identity provider.

Click “Save”.

The next window shows you the Client ID and Client secret:

To view the Client secret, click the eye icon.

Store this Client ID and Client secret somewhere safe; they are needed when we configure OCP IDP configuration.

Here, Okta basic configuration is complete. Let’s move to Openshift Container Platform configuration.

OpenShift Container Platform Configuration

Let’s start with creating an Okta secret with the following command:

$ oc create secret generic openid-okta-secret --from-literal=clientSecret=6LKCbxG5ZpzAKNyUFsxUFnRv6D4purjnlVnM4ECl -n openshift-config

Here, the secret value is the client secret created in the Okta application. 

Below is the OAuth configuration for the Okta identity provider:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - mappingMethod: claim
      name: okta
      openID:
        claims:
          email:
          - email
          name:
          - name
          - email
          preferredUsername:
          - preferred_username
          - email
        clientID: 0oai0uwwCEri5EMEI5d5
        clientSecret:
          name: openid-okta-secret
        extraScopes:
        - email
        - profile
        issuer: https://dev-3523509.okta.com                       
      type: OpenID

You can save the above CR in a file called okta-idp.yaml and use “oc apply -f okta-idp.yaml” to apply the configuration.

Points to note:

clientID: It’s a value created from an Okta application.

clientSecret: It’s a value created from an Okta application.

Issuer:  Okta host name 

After applying the configuration, check the pod status by executing the “oc get pods -n openshift-authentication” command and make sure the pod status is “Running”. 

Then open a browser and navigate to the web console. 

NOTE: You can obtain the link to the web console by executing “oc get routes -n openshift-console” from the OpenShift CLI. 

Log in to the OpenShift web console using the Okta IDP.

After you have logged into the OCP dashboard, you can see the Okta username in the upper right of the dashboard. You can also verify using CLI with the following command:

$ oc get user
NAME               UID                                    FULL NAME   IDENTITIES
pmali@redhat.com   86f10f6a-5a22-4873-8813-f145766890b0   Pravin M    okta:00ui0qh30snvW6SPq5d5

Thanks for Reading 

Hopefully, this article helps you configure basic Okta integration with OCP.  For more information, be sure to check out Red Hat’s documentation on OpenID.