open-vault/website/source/docs/auth/okta.html.md

119 lines
3 KiB
Markdown
Raw Normal View History

2017-01-27 00:08:52 +00:00
---
layout: "docs"
page_title: "Okta - Auth Methods"
2017-01-27 00:08:52 +00:00
sidebar_current: "docs-auth-okta"
description: |-
The Okta auth method allows users to authenticate with Vault using Okta
credentials.
2017-01-27 00:08:52 +00:00
---
# Okta Auth Method
2017-01-27 00:08:52 +00:00
The `okta` auth method allows authentication using Okta and user/password
credentials. This allows Vault to be integrated into environments using Okta.
2017-01-27 00:08:52 +00:00
The mapping of groups in Okta to Vault policies is managed by using the
`users/` and `groups/` paths.
## Authentication
### Via the CLI
2017-01-27 00:08:52 +00:00
The default path is `/okta`. If this auth method was enabled at a different
path, specify `-path=/my-path` in the CLI.
2017-01-27 00:08:52 +00:00
```text
$ vault login -method=okta username=my-username
2017-01-27 00:08:52 +00:00
```
### Via the API
2017-01-27 00:08:52 +00:00
The default endpoint is `auth/okta/login`. If this auth method was enabled
at a different path, use that value instead of `okta`.
2017-01-27 00:08:52 +00:00
```shell
$ curl \
--request POST \
--data '{"password": "MY_PASSWORD"}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/okta/login/my-username
2017-01-27 00:08:52 +00:00
```
The response will contain a token at `auth.client_token`:
2017-01-27 00:08:52 +00:00
```json
2017-01-27 00:08:52 +00:00
{
"auth": {
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
"policies": [
"admins"
],
"metadata": {
"username": "mitchellh"
}
2017-01-27 00:08:52 +00:00
}
}
```
## Configuration
Auth methods must be configured in advance before users or machines can
authenticate. These steps are usually completed by an operator or configuration
management tool.
2017-01-27 00:08:52 +00:00
### Via the CLI
2017-01-27 00:08:52 +00:00
1. Enable the Okta auth method:
2017-01-27 00:08:52 +00:00
```text
$ vault auth enable okta
```
2017-01-27 00:08:52 +00:00
1. Configure Vault to communicate with your Okta account:
2017-01-27 00:08:52 +00:00
```text
$ vault write auth/okta/config \
base_url="okta.com" \
organization="dev-123456" \
token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"
```
2017-01-27 00:08:52 +00:00
**If no token is supplied, Vault will function, but only locally configured
group membership will be available. Without a token, groups will not be
queried.**
2017-01-27 00:08:52 +00:00
For the complete list of configuration options, please see the API
documentation.
2017-01-27 00:08:52 +00:00
1. Map an Okta group to a Vault policy:
2017-01-27 00:08:52 +00:00
```text
$ vault write auth/okta/groups/scientists policies=nuclear-reactor
```
2017-01-27 00:08:52 +00:00
In this example, anyone who successfully authenticates via Okta who is a
member of the "scientists" group will receive a Vault token with the
"nuclear-reactor" policy attached.
2017-01-27 00:08:52 +00:00
---
2017-01-27 00:08:52 +00:00
It is also possible to add users directly:
2017-01-27 00:08:52 +00:00
```text
$ vault write auth/okta/groups/engineers policies=autopilot
$ vault write auth/okta/users/tesla groups=engineers
```
2017-01-27 00:08:52 +00:00
This adds the Okta user "tesla" to the "engineers" group, which maps to
the "autopilot" Vault policy.
2017-01-27 00:08:52 +00:00
**The user-policy mapping via group membership happens at token _creation
time_. Any changes in group membership in Okta will not affect existing
tokens that have already been provisioned. To see these changes, users
will need to re-authenticate. You can force this by revoking the
existing tokens.**
2017-08-09 15:22:19 +00:00
## API
The Okta auth method has a full HTTP API. Please see the
[Okta Auth API](/api/auth/okta/index.html) for more details.