open-vault/website/content/docs/auth/okta.mdx

132 lines
3.4 KiB
Plaintext
Raw Normal View History

2017-01-27 00:08:52 +00:00
---
layout: docs
page_title: Okta - Auth Methods
2017-01-27 00:08:52 +00:00
description: |-
The Okta auth method allows users to authenticate with Vault using Okta
credentials.
2017-01-27 00:08:52 +00:00
---
# Okta Auth Method
2017-01-27 00:08:52 +00:00
The `okta` auth method allows authentication using Okta and user/password
credentials. This allows Vault to be integrated into environments using Okta.
2017-01-27 00:08:52 +00:00
The mapping of groups in Okta to Vault policies is managed by using the
`users/` and `groups/` paths.
## Authentication
### Via the CLI
2017-01-27 00:08:52 +00:00
The default path is `/okta`. If this auth method was enabled at a different
path, specify `-path=/my-path` in the CLI.
2017-01-27 00:08:52 +00:00
```shell-session
$ vault login -method=okta username=my-username
2017-01-27 00:08:52 +00:00
```
### Via the API
2017-01-27 00:08:52 +00:00
The default endpoint is `auth/okta/login`. If this auth method was enabled
at a different path, use that value instead of `okta`.
2017-01-27 00:08:52 +00:00
```shell-session
$ curl \
--request POST \
--data '{"password": "MY_PASSWORD"}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/okta/login/my-username
2017-01-27 00:08:52 +00:00
```
The response will contain a token at `auth.client_token`:
2017-01-27 00:08:52 +00:00
```json
2017-01-27 00:08:52 +00:00
{
"auth": {
"client_token": "abcd1234-7890...",
"policies": ["admins"],
2017-01-27 00:08:52 +00:00
"metadata": {
"username": "mitchellh"
}
2017-01-27 00:08:52 +00:00
}
}
```
2021-02-22 05:18:17 +00:00
### MFA
Okta Verify Push and TOTP MFA methods are supported during login. For TOTP, the current
passcode may be provided via the `totp` parameter:
```shell-session
$ vault login -method=okta username=my-username totp=123456
```
If `totp` is not set and MFA Push is configured in Okta, a Push will be sent during login.
Note that this MFA support is integrated with Okta Auth and is limited strictly to login
operations. It is not related to [Enterprise MFA](https://www.vaultproject.io/docs/enterprise/mfa).
2017-01-27 00:08:52 +00:00
## Configuration
Auth methods must be configured in advance before users or machines can
authenticate. These steps are usually completed by an operator or configuration
management tool.
2017-01-27 00:08:52 +00:00
### Via the CLI
2017-01-27 00:08:52 +00:00
1. Enable the Okta auth method:
2017-01-27 00:08:52 +00:00
```shell-session
2020-02-21 19:13:42 +00:00
$ vault auth enable okta
```
2017-01-27 00:08:52 +00:00
1. Configure Vault to communicate with your Okta account:
2017-01-27 00:08:52 +00:00
```shell-session
2020-02-21 19:13:42 +00:00
$ vault write auth/okta/config \
base_url="okta.com" \
org_name="dev-123456" \
api_token="00abcxyz..."
2020-02-21 19:13:42 +00:00
```
2017-01-27 00:08:52 +00:00
\*\*If no token is supplied, Vault will function, but only locally configured
group membership will be available. Without a token, groups will not be
queried.
Support for okta auth with no API token is deprecated in Vault 1.4.\*\*
2017-01-27 00:08:52 +00:00
For the complete list of configuration options, please see the API
documentation.
2017-01-27 00:08:52 +00:00
1. Map an Okta group to a Vault policy:
2017-01-27 00:08:52 +00:00
```shell-session
2020-02-21 19:13:42 +00:00
$ vault write auth/okta/groups/scientists policies=nuclear-reactor
```
2017-01-27 00:08:52 +00:00
In this example, anyone who successfully authenticates via Okta who is a
member of the "scientists" group will receive a Vault token with the
"nuclear-reactor" policy attached.
2017-01-27 00:08:52 +00:00
---
2017-01-27 00:08:52 +00:00
It is also possible to add users directly:
2017-01-27 00:08:52 +00:00
```shell-session
2020-02-21 19:13:42 +00:00
$ vault write auth/okta/groups/engineers policies=autopilot
$ vault write auth/okta/users/tesla groups=engineers
```
2017-01-27 00:08:52 +00:00
This adds the Okta user "tesla" to the "engineers" group, which maps to
the "autopilot" Vault policy.
2017-01-27 00:08:52 +00:00
**The user-policy mapping via group membership happens at token _creation
time_. Any changes in group membership in Okta will not affect existing
tokens that have already been provisioned. To see these changes, users
will need to re-authenticate. You can force this by revoking the
existing tokens.**
2017-08-09 15:22:19 +00:00
## API
The Okta auth method has a full HTTP API. Please see the
[Okta Auth API](/api/auth/okta) for more details.