open-vault/website/source/docs/auth/okta.html.md

---
layout: "docs"
page_title: "Okta - Auth Methods"
sidebar_title: "Okta"
sidebar_current: "docs-auth-okta"
description: |-
  The Okta auth method allows users to authenticate with Vault using Okta
  credentials.
---

# Okta Auth Method

The `okta` auth method allows authentication using Okta and user/password
credentials. This allows Vault to be integrated into environments using Okta.

The mapping of groups in Okta to Vault policies is managed by using the
`users/` and `groups/` paths.

## Authentication

### Via the CLI

The default path is `/okta`. If this auth method was enabled at a different
path, specify `-path=/my-path` in the CLI.

```text
$ vault login -method=okta username=my-username
```

### Via the API

The default endpoint is `auth/okta/login`. If this auth method was enabled
at a different path, use that value instead of `okta`.

```shell
$ curl \
    --request POST \
    --data '{"password": "MY_PASSWORD"}' \
    http://127.0.0.1:8200/v1/auth/okta/login/my-username
```

The response will contain a token at `auth.client_token`:

```json
{
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": [
      "admins"
    ],
    "metadata": {
      "username": "mitchellh"
    }
  }
}
```

## Configuration

Auth methods must be configured in advance before users or machines can
authenticate. These steps are usually completed by an operator or configuration
management tool.

### Via the CLI

1. Enable the Okta auth method:

    ```text
    $ vault auth enable okta
    ```

1. Configure Vault to communicate with your Okta account:

    ```text
    $ vault write auth/okta/config \
        base_url="okta.com" \
        organization="dev-123456" \
        token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"
    ```

    **If no token is supplied, Vault will function, but only locally configured
    group membership will be available. Without a token, groups will not be
    queried.**

    For the complete list of configuration options, please see the API
    documentation.

1. Map an Okta group to a Vault policy:

    ```text
    $ vault write auth/okta/groups/scientists policies=nuclear-reactor
    ```

    In this example, anyone who successfully authenticates via Okta who is a
    member of the "scientists" group will receive a Vault token with the
    "nuclear-reactor" policy attached.

    ---

    It is also possible to add users directly:

    ```text
    $ vault write auth/okta/groups/engineers policies=autopilot
    $ vault write auth/okta/users/tesla groups=engineers
    ```

    This adds the Okta user "tesla" to the "engineers" group, which maps to
    the "autopilot" Vault policy.

      **The user-policy mapping via group membership happens at token _creation
      time_. Any changes in group membership in Okta will not affect existing
      tokens that have already been provisioned. To see these changes, users
      will need to re-authenticate. You can force this by revoking the
      existing tokens.**

## API

The Okta auth method has a full HTTP API. Please see the
[Okta Auth API](/api/auth/okta/index.html) for more details.
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`---`
			`layout: "docs"`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`page_title: "Okta - Auth Methods"`
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads 2018-10-19 15:40:11 +00:00			`sidebar_title: "Okta"`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`sidebar_current: "docs-auth-okta"`
			`description: \|-`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`The Okta auth method allows users to authenticate with Vault using Okta`
			`credentials.`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`---`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`# Okta Auth Method`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The `okta` auth method allows authentication using Okta and user/password
			`credentials. This allows Vault to be integrated into environments using Okta.`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
			`The mapping of groups in Okta to Vault policies is managed by using the`
			`users/` and `groups/` paths.

			`## Authentication`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`### Via the CLI`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The default path is `/okta`. If this auth method was enabled at a different
			path, specify `-path=/my-path` in the CLI.
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```text
			`$ vault login -method=okta username=my-username`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			```

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`### Via the API`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The default endpoint is `auth/okta/login`. If this auth method was enabled
			at a different path, use that value instead of `okta`.
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
			```shell
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`$ curl \`
			`--request POST \`
			`--data '{"password": "MY_PASSWORD"}' \`
Drop vault.rocks (#4186) 2018-03-23 15:41:51 +00:00			`http://127.0.0.1:8200/v1/auth/okta/login/my-username`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			```

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			The response will contain a token at `auth.client_token`:
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```json
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`{`
			`"auth": {`
			`"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",`
			`"policies": [`
			`"admins"`
			`],`
			`"metadata": {`
			`"username": "mitchellh"`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`}`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00			`}`
			`}`
			```

			`## Configuration`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`Auth methods must be configured in advance before users or machines can`
			`authenticate. These steps are usually completed by an operator or configuration`
			`management tool.`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`### Via the CLI`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`1. Enable the Okta auth method:`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```text
			`$ vault auth enable okta`
			```
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`1. Configure Vault to communicate with your Okta account:`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```text
			`$ vault write auth/okta/config \`
			`base_url="okta.com" \`
			`organization="dev-123456" \`
			`token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"`
			```
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`**If no token is supplied, Vault will function, but only locally configured`
			`group membership will be available. Without a token, groups will not be`
			`queried.**`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`For the complete list of configuration options, please see the API`
			`documentation.`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`1. Map an Okta group to a Vault policy:`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```text
			`$ vault write auth/okta/groups/scientists policies=nuclear-reactor`
			```
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`In this example, anyone who successfully authenticates via Okta who is a`
			`member of the "scientists" group will receive a Vault token with the`
			`"nuclear-reactor" policy attached.`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`---`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`It is also possible to add users directly:`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```text
			`$ vault write auth/okta/groups/engineers policies=autopilot`
			`$ vault write auth/okta/users/tesla groups=engineers`
			```
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`This adds the Okta user "tesla" to the "engineers" group, which maps to`
			`the "autopilot" Vault policy.`
Okta implementation (#1966) 2017-01-27 00:08:52 +00:00
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`**The user-policy mapping via group membership happens at token _creation`
			`time_. Any changes in group membership in Okta will not affect existing`
			`tokens that have already been provisioned. To see these changes, users`
			`will need to re-authenticate. You can force this by revoking the`
			`existing tokens.**`
API Docs updates (#3135) 2017-08-09 15:22:19 +00:00
			`## API`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`The Okta auth method has a full HTTP API. Please see the`
			`[Okta Auth API](/api/auth/okta/index.html) for more details.`