auth/okta: documentation improvements (#13944)

This commit is contained in:
Austin Gebauer 2022-02-08 09:21:19 -08:00 committed by GitHub
parent 702399a156
commit 5804da7490
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 39 additions and 37 deletions


@ -12,7 +12,8 @@ The `okta` auth method allows authentication using Okta and user/password
credentials. This allows Vault to be integrated into environments using Okta. credentials. This allows Vault to be integrated into environments using Okta.
The mapping of groups in Okta to Vault policies is managed by using the The mapping of groups in Okta to Vault policies is managed by using the
`users/` and `groups/` paths. [users](/api-docs/auth/okta#register-user) and [groups](/api-docs/auth/okta#register-group)
APIs.
## Authentication ## Authentication
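Review bot: the rewritten sentence drops the `users/` and `groups/` path names that the old text gave, so a reader who greps the docs for the path they see in `vault path-help` or in an audit log no longer lands here; suggest keeping both forms, e.g. "is managed through the `users/` and `groups/` paths; see the [users](/api-docs/auth/okta#register-user) and [groups](/api-docs/auth/okta#register-group) API docs."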
@ -62,6 +63,10 @@ $ vault login -method=okta username=my-username totp=123456
If `totp` is not set and MFA Push is configured in Okta, a Push will be sent during login. If `totp` is not set and MFA Push is configured in Okta, a Push will be sent during login.
The auth method uses the Okta [Authentication API](https://developer.okta.com/docs/reference/api/authn/).
It does not manage Okta [sessions](https://developer.okta.com/docs/reference/api/sessions/) for authenticated
users. This means that if MFA Push is configured, it will be required during both login and token renewal.
Note that this MFA support is integrated with Okta Auth and is limited strictly to login Note that this MFA support is integrated with Okta Auth and is limited strictly to login
operations. It is not related to [Enterprise MFA](https://www.vaultproject.io/docs/enterprise/mfa). operations. It is not related to [Enterprise MFA](https://www.vaultproject.io/docs/enterprise/mfa).
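Review bot: the added paragraph states the consequence (a Push on token renewal) but not the cause, and the cause is what an operator needs in order to size TTLs; suggest making it explicit, e.g. "because no Okta session is kept, every token renewal is a fresh call to the Authentication API, so each renewal prompts the user again and a renewal the user does not approve will not complete." With that spelled out, a reader can see why a short `token_ttl` plus automatic renewal is a poor fit for Push-protected accounts, which the current wording leaves implicit.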
@ -75,55 +80,52 @@ management tool.
1. Enable the Okta auth method: 1. Enable the Okta auth method:
```shell-session ```shell-session
$ vault auth enable okta $ vault auth enable okta
``` ```
1. Configure Vault to communicate with your Okta account: 1. Configure Vault to communicate with your Okta account:
```shell-session ```shell-session
$ vault write auth/okta/config \ $ vault write auth/okta/config \
base_url="okta.com" \ base_url="okta.com" \
org_name="dev-123456" \ org_name="dev-123456" \
api_token="00abcxyz..." api_token="00abcxyz..."
``` ```
\*\*If no token is supplied, Vault will function, but only locally configured -> **Note**: Support for okta auth with no API token is deprecated in Vault 1.4.
group membership will be available. Without a token, groups will not be If no token is supplied, Vault will function, but only locally configured
queried. group membership will be available. Without a token, groups will not be
queried.
Support for okta auth with no API token is deprecated in Vault 1.4.\*\* For the complete list of configuration options, please see the
[API documentation](/api-docs/auth/okta).
For the complete list of configuration options, please see the API
documentation.
1. Map an Okta group to a Vault policy: 1. Map an Okta group to a Vault policy:
```shell-session ```shell-session
$ vault write auth/okta/groups/scientists policies=nuclear-reactor $ vault write auth/okta/groups/scientists policies=nuclear-reactor
``` ```
In this example, anyone who successfully authenticates via Okta who is a In this example, anyone who successfully authenticates via Okta who is a
member of the "scientists" group will receive a Vault token with the member of the "scientists" group will receive a Vault token with the
"nuclear-reactor" policy attached. "nuclear-reactor" policy attached.
--- 1. It is also possible to add users directly:
It is also possible to add users directly: ```shell-session
$ vault write auth/okta/groups/engineers policies=autopilot
$ vault write auth/okta/users/tesla groups=engineers
```
```shell-session This adds the Okta user "tesla" to the "engineers" group, which maps to
$ vault write auth/okta/groups/engineers policies=autopilot the "autopilot" Vault policy.
$ vault write auth/okta/users/tesla groups=engineers
```
This adds the Okta user "tesla" to the "engineers" group, which maps to -> **Note**: The user-policy mapping via group membership happens at token _creation
the "autopilot" Vault policy. time_. Any changes in group membership in Okta will not affect existing
tokens that have already been provisioned. To see these changes, users
**The user-policy mapping via group membership happens at token _creation will need to re-authenticate. You can force this by revoking the
time_. Any changes in group membership in Okta will not affect existing existing tokens.
tokens that have already been provisioned. To see these changes, users
will need to re-authenticate. You can force this by revoking the
existing tokens.**
## API ## API
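Review bot: the note "Any changes in group membership in Okta will not affect existing tokens that have already been provisioned" reads as if a token's policies are fixed until expiry, but the paragraph added in the earlier hunk says renewal goes back to the Okta Authentication API and re-prompts MFA; please state what renewal does with a changed group membership (renews with the old policies, re-evaluates, or refuses), since that determines whether "revoke the existing tokens" is advice or a requirement. Separately, the config example puts `api_token="00abcxyz..."` on the command line, which lands in shell history; worth a one-line hint that the value can be supplied from a file or environment variable rather than typed inline, so the pattern readers copy is not the one that leaks the token.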