Okta SCIM only integration #41814

Merged
merged 2 commits into from
May 23, 2024

@smallinsky smallinsky commented May 21, 2024

What

  • Added app_group_sync_disabled okta plugin setting that allows disabling Okta Application and Groups sync.
  • Added types.KindSAML, services.ReadNoSecrets() to types.RoleOkta (SCIM Handler and User sync need to fetch the attributes to role mapping to set proper user roles during SCIM user create/update and during SCIM sync when a user is created/updated)
  • Added ability to install okta plugin with different behaviors
    • SCIM only integration without APIToken:
      $ tctl plugins install okta \
         --org https://trial-....okta.com \
         --saml-connector okta-integration \
         --no-users-sync \
         --no-accesslist-sync \
         --no-appgroup-sync \
         --scim

      Successfully created OKTA plugin "okta"

      SCIM Base URL: https://example.net:443/v1/webapi/scim/okta
      SCIM Identifier field for users: userName
      SCIM Baerar Token: daf2d4...

      See https://goteleport.com/docs/application-access/okta/hosted-guide for help configuring provisioning in Okta

    • SCIM only integration with APIToken:
      $ tctl plugins install okta \
         --org https://trial-....okta.com \
         --saml-connector okta-integration \
         --no-users-sync \
         --no-accesslist-sync \
         --no-appgroup-sync \
         --scim \
         --api-token=secreetOKTAAPIToken
    

Related: https://github.com/gravitational/teleport.e/pull/4213

@smallinsky smallinsky force-pushed the smallinsky/okta_scim_integration_v2 branch from ed248f4 to 53d6b6d Compare May 21, 2024 15:22
@smallinsky smallinsky requested review from r0mant and tcsc May 21, 2024 16:28
@smallinsky smallinsky force-pushed the smallinsky/okta_scim_integration_v2 branch from 53d6b6d to 1861a64 Compare May 21, 2024 17:05
@@ -55,7 +56,7 @@ func Commands() []CLICommand {
&loginrule.Command{},
&IdPCommand{},
&accessmonitoring.Command{},
&PluginsCommand{},
&plugin.PluginsCommand{},
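
Review bot: `plugin.PluginsCommand` in the replaced list entry repeats the package name in the type name. The neighbouring entries `loginrule.Command` and `accessmonitoring.Command` use the shorter form, so `plugin.Command` would keep the `Commands()` list consistent; if the longer name is kept on purpose, a doc comment on the type saying why would help.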

Good idea

fmt.Printf("SCIM Base URL: %s\n", scimBaseURL)
fmt.Printf("SCIM Identifier field for users: %s\n", "userName")
if oktaSettings.autoGeneratedSCIMToken {
fmt.Printf("SCIM Baerar Token: %s\n", oktaSettings.scimToken)
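
Review bot: the `fmt.Printf` that prints `oktaSettings.scimToken` writes a bearer credential to stdout, where it can end up in terminal scrollback or in captured output when the command is run from a script. The `autoGeneratedSCIMToken` guard limits this to tokens the command generated itself, but a printed line telling the operator to copy the token into Okta now and treat it as a secret would make that expectation explicit. The label in the same call also misspells "Bearer" as "Baerar".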

Was dubious about this feature until I saw that it only prints out tokens it generates. Nice.

@smallinsky smallinsky marked this pull request as ready for review May 22, 2024 10:21
@smallinsky smallinsky requested review from atburke and avatus May 22, 2024 10:21
@github-actions github-actions bot added size/md tctl tctl - Teleport admin tool labels May 22, 2024
@smallinsky smallinsky force-pushed the smallinsky/okta_scim_integration_v2 branch from 1861a64 to 202d9ca Compare May 22, 2024 10:22

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@smallinsky smallinsky added the no-changelog Indicates that a PR does not require a changelog entry label May 22, 2024
@smallinsky smallinsky force-pushed the smallinsky/okta_scim_integration_v2 branch 3 times, most recently from 7351609 to 0d1c36e Compare May 23, 2024 12:19
@smallinsky smallinsky force-pushed the smallinsky/okta_scim_integration_v2 branch from 0d1c36e to 6e7aea4 Compare May 23, 2024 12:48
@smallinsky smallinsky added this pull request to the merge queue May 23, 2024
Merged via the queue into master with commit e6918de May 23, 2024
38 checks passed
@smallinsky smallinsky deleted the smallinsky/okta_scim_integration_v2 branch May 23, 2024 14:00