2017-01-27 00:08:52 +00:00
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
layout: docs
|
|
|
|
page_title: Okta - Auth Methods
|
|
|
|
sidebar_title: Okta
|
2017-01-27 00:08:52 +00:00
|
|
|
description: |-
|
2017-09-13 01:48:52 +00:00
|
|
|
The Okta auth method allows users to authenticate with Vault using Okta
|
|
|
|
credentials.
|
2017-01-27 00:08:52 +00:00
|
|
|
---
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
# Okta Auth Method
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The `okta` auth method allows authentication using Okta and user/password
|
|
|
|
credentials. This allows Vault to be integrated into environments using Okta.
|
2017-01-27 00:08:52 +00:00
|
|
|
|
|
|
|
The mapping of groups in Okta to Vault policies is managed by using the
|
|
|
|
`users/` and `groups/` paths.
|
|
|
|
|
|
|
|
## Authentication
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
### Via the CLI
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The default path is `/okta`. If this auth method was enabled at a different
|
|
|
|
path, specify `-path=/my-path` in the CLI.
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
```text
|
|
|
|
$ vault login -method=okta username=my-username
|
2017-01-27 00:08:52 +00:00
|
|
|
```
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
### Via the API
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The default endpoint is `auth/okta/login`. If this auth method was enabled
|
|
|
|
at a different path, use that value instead of `okta`.
|
2017-01-27 00:08:52 +00:00
|
|
|
|
|
|
|
```shell
|
2017-09-13 01:48:52 +00:00
|
|
|
$ curl \
|
|
|
|
--request POST \
|
|
|
|
--data '{"password": "MY_PASSWORD"}' \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/okta/login/my-username
|
2017-01-27 00:08:52 +00:00
|
|
|
```
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The response will contain a token at `auth.client_token`:
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
```json
|
2017-01-27 00:08:52 +00:00
|
|
|
{
|
|
|
|
"auth": {
|
|
|
|
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
|
2020-01-18 00:18:09 +00:00
|
|
|
"policies": ["admins"],
|
2017-01-27 00:08:52 +00:00
|
|
|
"metadata": {
|
|
|
|
"username": "mitchellh"
|
2017-09-13 01:48:52 +00:00
|
|
|
}
|
2017-01-27 00:08:52 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
## Configuration
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
Auth methods must be configured in advance before users or machines can
|
|
|
|
authenticate. These steps are usually completed by an operator or configuration
|
|
|
|
management tool.
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
### Via the CLI
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
1. Enable the Okta auth method:
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-02-21 19:13:42 +00:00
|
|
|
```
|
|
|
|
$ vault auth enable okta
|
|
|
|
```
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
1. Configure Vault to communicate with your Okta account:
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-02-21 19:13:42 +00:00
|
|
|
```
|
|
|
|
$ vault write auth/okta/config \
|
|
|
|
base_url="okta.com" \
|
|
|
|
org_name="dev-123456" \
|
|
|
|
api_token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"
|
|
|
|
```
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
**If no token is supplied, Vault will function, but only locally configured
|
|
|
|
group membership will be available. Without a token, groups will not be
|
2020-02-03 17:51:10 +00:00
|
|
|
queried.
|
|
|
|
|
|
|
|
Support for okta auth with no API token is deprecated in Vault 1.4.**
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
For the complete list of configuration options, please see the API
|
|
|
|
documentation.
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
1. Map an Okta group to a Vault policy:
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-02-21 19:13:42 +00:00
|
|
|
```
|
|
|
|
$ vault write auth/okta/groups/scientists policies=nuclear-reactor
|
|
|
|
```
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
In this example, anyone who successfully authenticates via Okta who is a
|
|
|
|
member of the "scientists" group will receive a Vault token with the
|
|
|
|
"nuclear-reactor" policy attached.
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
***
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
It is also possible to add users directly:
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-02-21 19:13:42 +00:00
|
|
|
```
|
|
|
|
$ vault write auth/okta/groups/engineers policies=autopilot
|
|
|
|
$ vault write auth/okta/users/tesla groups=engineers
|
|
|
|
```
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
This adds the Okta user "tesla" to the "engineers" group, which maps to
|
|
|
|
the "autopilot" Vault policy.
|
2017-01-27 00:08:52 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
**The user-policy mapping via group membership happens at token _creation
|
|
|
|
time_. Any changes in group membership in Okta will not affect existing
|
|
|
|
tokens that have already been provisioned. To see these changes, users
|
|
|
|
will need to re-authenticate. You can force this by revoking the
|
|
|
|
existing tokens.**
|
2017-08-09 15:22:19 +00:00
|
|
|
|
|
|
|
## API
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The Okta auth method has a full HTTP API. Please see the
|
2020-01-22 20:05:41 +00:00
|
|
|
[Okta Auth API](/api/auth/okta) for more details.
|