To use Okta as an IdP for authenticating to Akeyless Vault, follow the steps below.
The following configuration enables users to authenticate to the Dynamic Secrets Proxy (the web portal on the customer side) using Okta SAML-based Single Sign-On.
- Create a new SAML 2.0 application in your Okta account.
- Specify the app name.
- On the SAML Settings page:
  - Set the Single sign on URL field to "https://auth.akeyless.io/saml/acs".
  - Set the Audience URI (SP Entity ID) field to "https://auth.akeyless.io/saml/metadata".
  - In the ATTRIBUTE STATEMENTS section, add the following attribute:
    - Name: Email
    - Value: user.email
  - In the GROUP ATTRIBUTE STATEMENTS section, add the following attribute:
    - Name: groups
    - Filter: Matches regex
    - Value: ..
- On the Feedback page, select "I'm an Okta customer adding an internal app" and click "Finish".
- Once the SAML 2.0 app has been created, obtain the "Identity Provider metadata" link, which is required for the following steps: select the Sign On tab and, in the SIGN ON METHODS section, locate the Identity Provider metadata link. Copy the link address to the clipboard rather than clicking it.
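The following Python is an added troubleshooting check, not part of the Akeyless or Okta documentation: it parses a SAML assertion (for example one captured from the browser's SAML tracer during an Okta login) and confirms it carries the ACS URL, Audience URI and the Email and groups attribute statements configured above. The assertion below is constructed and every value in it is made up.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ACS = "https://auth.akeyless.io/saml/acs"            # Single sign on URL
EXPECTED_AUDIENCE = "https://auth.akeyless.io/saml/metadata"  # Audience URI (SP Entity ID)
REQUIRED_ATTRS = {"Email", "groups"}                          # attribute statements configured in Okta

# Constructed sample assertion shaped like what Okta posts to the ACS; all values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://auth.akeyless.io/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://auth.akeyless.io/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>vault-admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_statements(root):
    """Map each attribute Name to its list of values."""
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:Attribute", NS)}

def check_assertion(xml_text):
    """Return a list of configuration problems; empty means the assertion matches the
    Okta settings above. Configuration check only: it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_ACS:
        problems.append("Recipient is not the Akeyless ACS URL")
    if EXPECTED_AUDIENCE not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not contain the Akeyless SP Entity ID")
    attrs = attribute_statements(root)
    for name in sorted(REQUIRED_ATTRS - set(attrs)):
        problems.append(f"missing attribute statement: {name}")
    if "groups" in attrs and not attrs["groups"]:
        problems.append("groups attribute is empty: check the Matches regex filter")
    return problems
```

An empty result from check_assertion means the assertion matches the configuration above; a non-empty groups list confirms the Matches regex filter is passing the user's groups through.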
Now that the Okta application is ready, assign users to it, just as with any other Okta app.
To bind the Okta application to your Akeyless Vault account, create a SAML Authentication Method using either the CLI or the UI, as described below.
akeyless create-auth-method-saml --name 'my Okta app' --idp-metadata-url 'https://dev-737415.okta.com/app/exk16mb6u4pyd1w5Y112/sso/saml/metadata'
The result should look like the following:
Auth Method my Okta app successfully created - Access ID: p-ki544fdn19gh
You will need this Access ID to log in with SAML.
In the UI, click Auth Methods -> New -> SAML:
In the IDP Metadata URL field, use the Identity Provider metadata link you copied from Okta above.
To log in with SAML from the CLI, you will need the Access ID:
- Configure a new profile with your Access ID from the previous step and the SAML access type (if no profile name is given, the default profile is configured):
akeyless configure --access-id p-ki544e6n19gh --access-type saml --profile 'okta-app'
- Now you can run any Akeyless CLI command, authenticated through the Okta application:
akeyless list-items --profile okta-app
On the Akeyless Vault login page, switch to sign-in with SAML and enter your Access ID.
You will be redirected to the Okta sign-in page, where you need to provide your Okta credentials.
To configure the API Gateway login to work with your Okta application, follow these instructions.
To configure the Akeyless Dynamic Secrets producer, follow the API Gateway Overview.