Skip to content

Commit

Permalink
docs: minor updates DOC-491
Browse files Browse the repository at this point in the history
  • Loading branch information
@karl-cardenas-coding
karl-cardenas-coding committed Jun 13, 2023
1 parent 64bc561 commit da53f92
Showing 1 changed file with 66 additions and 46 deletions.
112 changes: 66 additions & 46 deletions content/docs/08-user-management/04-saml-sso/04-palette-sso-with-okta.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,21 +16,33 @@ import InfoBox from 'shared/components/InfoBox';

# Enable SSO with Okta

Single Sign-Sn (SSO) is an authentication method that enables users to log in to multiple applications and websites with one set of credentials. SSO uses certificates to establish and maintain a trust relationship between the Service Provider (SP) and an Identity Provider (IdP). Palette supports SSO based on either the Security Assertion Markup Language (SAML) or OpenID Connect (OIDC).
Single Sign-On (SSO) is an authentication method that enables users to log in to multiple applications and websites with one set of credentials. SSO uses certificates to establish and maintain a trust relationship between the Service Provider (SP) and an Identity Provider (IdP). Palette supports SSO based on either the Security Assertion Markup Language (SAML) or OpenID Connect (OIDC).

The following steps will guide you on how to enable Palette SSO with [Okta Workforce Identity Cloud](https://www.okta.com/products/single-sign-on/) based on OIDC.


# Prerequisites
In order to setup OIDC-based SSO with Okta, you need to have either a free or paid subscription with Okta. Okta provides free [developer subscriptions](https://developer.okta.com/signup/) for testing purposes.

If you want to use the same Okta application for OIDC-based SSO into your Kubernetes cluster itself, you need to install [kubelogin](https://github.com/int128/kubelogin) on your workstation to handle retrieval of access tokens for your cluster.
- You need to have either a free or paid subscription with Okta. Okta provides free [developer subscriptions](https://developer.okta.com/signup/) for testing purposes.


- If you want to use the same Okta application for OIDC-based SSO into your Kubernetes cluster itself, you need to install [kubelogin](https://github.com/int128/kubelogin) on your local workstation to handle retrieval of access tokens for your cluster.


# Enablement
## Create the Okta Application

1. Log in to your Okta Admin console (`https://{your-okta-account}-admin.okta.com/admin/getting-started`) and navigate to **Applications** --> **Applications**. Click the **Create App Integration** button.
1. Log in to your Okta Admin console and navigate to **Applications** --> **Applications**. Click the **Create App Integration** button.

<br />

<InfoBox>

Your Okta login URL has the following format,
`https://{your-okta-account-id}-admin.okta.com/admin/getting-started`.
Replace `{your-okta-account-id}` with your Okta account ID.

</InfoBox>


2. In the screen that opens, select **OIDC - OpenID Connect**` for the sign-in method, then select **Web Application** for the application type. Then click **Next**.
Expand All @@ -42,7 +54,7 @@ If you want to use the same Okta application for OIDC-based SSO into your Kubern

![Configure General Settings](/oidc-okta-images/oidc-okta_okta-general-settings.png)

<br />
<br />


4. Open a web browser and navigate to your Palette subscription. Navigate to **Tenant Settings** --> **SSO** and click **OIDC**. Click the button next to **Callback URL** to copy the value to the clipboard.
Expand All @@ -51,15 +63,15 @@ If you want to use the same Okta application for OIDC-based SSO into your Kubern

![Copy Callback URL](/oidc-okta-images/oidc-okta_copy-callback-url.png)

<br />
<br />

5. Switch back to your Okta Admin console and paste the copied value into the **Sign-in redirect URIs** field, replacing the existing value:

<br />

![Paste Redirect URI](/oidc-okta-images/oidc-okta_paste-redirect-uri.png)

<br />
<br />

6. Switch back to Palette in the web browser and click the button next to **Logout URL** to copy the value to the clipboard.

Expand All @@ -79,13 +91,15 @@ If you want to use the same Okta application for OIDC-based SSO into your Kubern

8. These two redirect URIs are required for SSO to work with Palette. You can also add additional redirect URIs. The URIs in the table below are useful when you want to use Okta for OIDC authentication into your Kubernetes clusters.

| URL | Type of Access |
| --- | --- |
| `http://localhost:8000` | Using kubectl with the kube-login plugin from a workstation. |
| `https://console.spectrocloud.com/v1/shelly/oidc/callback` | Using the web-based kubectl console. |
| `https://<fqdn_of_k8s_dashboard>/oauth/callback` | Using OIDC authentication into Kubernetes Dashboard. |
<br />

<br />
| URL | Type of Access |
| --- | --- |
| `http://localhost:8000` | Using kubectl with the kube-login plugin from a workstation. |
| `https://console.spectrocloud.com/v1/shelly/oidc/callback` | Using the web-based kubectl console. |
| `https://<fqdn_of_k8s_dashboard>/oauth/callback` | Using OIDC authentication into Kubernetes Dashboard. |

<br />

9. When you have completed entering redirect URIs, scroll down to the **Assignments** section and section and select **Allow everyone in your organization to access**. Leave the **Enable immediate access with Federation Broker Mode** option enabled and click **Save**.

Expand Down Expand Up @@ -139,60 +153,64 @@ To ensure Okta issues OIDC tokens with the correct claims, you must create a cus

![Add Claims](/oidc-okta-images/oidc-okta_add-claims.png)

<br />

Enter the required information from the following tables below and click **Create**. Use this flow to create three claims in total. First, create two claims for the user information.
15. Enter the required information from the following tables below and click **Create**. Use this flow to create three claims in total. First, create two claims for the user information.

<br />

| Claim Name | Include in token type | Value Type | Value | Disable claim | Include In |
|------------|-----------------------|------------|-------|---------------|------------|
| u_first_name | ID Token (Always) | Expression | `user.firstName` | Unchecked | Any scope |
| u_last_name | ID Token (Always) | Expression | `user.lastName` | Unchecked | Any scope |

| Claim Name | Include in token type | Value Type | Value | Disable claim | Include In |
|------------|-----------------------|------------|-------|---------------|------------|
| u_first_name | ID Token (Always) | Expression | `user.firstName` | Unchecked | Any scope |
| u_last_name | ID Token (Always) | Expression | `user.lastName` | Unchecked | Any scope |

Next, create a claim for group membership. The example below will include the names of any groups that the Okta user is a member of, that start with `palette-`, in the `groups` claim of the ticket. For Palette SSO, Palette will make the user a member of Teams in Palette that have the identical name.
16. Next, create a claim for group membership. The example below will include the names of any groups that the Okta user is a member of, that start with `palette-`, in the `groups` claim of the ticket. For Palette SSO, Palette will make the user a member of Teams in Palette that have the identical name.

<br />

| Claim Name | Include in token type | Value Type | Filter | Disable claim | Include In |
|------------|-----------------------|------------|-------|---------------|------------|
| groups | ID Token (Always) | Groups | Starts with: `palette-` | Unchecked | Any scope |
| Claim Name | Include in token type | Value Type | Filter | Disable claim | Include In |
|------------|-----------------------|------------|-------|---------------|------------|
| groups | ID Token (Always) | Groups | Starts with: `palette-` | Unchecked | Any scope |

<br />

![Claims Result](/oidc-okta-images/oidc-okta_claims-result.png)

<br />
<br />

15. Click **<-- Back to Authorization Servers** at the top of the page to navigate back to the list of all servers. The authorization server you created is displayed in the list. Select the **Issuer URI** shown and copy it to the clipboard. Save this value as you will use it in a later step.
17. Click **<-- Back to Authorization Servers** at the top of the page to navigate back to the list of all servers. The authorization server you created is displayed in the list. Select the **Issuer URI** shown and copy it to the clipboard. Save this value as you will use it in a later step.

<br />

![Get Issuer URI](/oidc-okta-images/oidc-okta_get-issuer-uri.png)

<br />
<br />

16. Navigate to the **Access Policies** tab and click **Add Policy**.
18. Navigate to the **Access Policies** tab and click **Add Policy**.

<br />

![Add Access Policy](/oidc-okta-images/oidc-okta_add-access-policy.png)

<br />

17. Set the **Name** and **Description** fields to `Palette`, then change the **Assign to** option to the Okta Application you created in step three -`Spectro Cloud Palette OIDC`. Type in the first few characters of the application name and wait for a search result to come up that you can click on.
19. Set the **Name** and **Description** fields to `Palette`, then change the **Assign to** option to the Okta Application you created in step three -`Spectro Cloud Palette OIDC`. Type in the first few characters of the application name and wait for a search result to come up that you can click on.

<br />

![Name Access Policy](/oidc-okta-images/oidc-okta_name-access-policy.png)

<br />

18. Click the **Add rule** button to add a rule to this Access Policy:
20. Click the **Add rule** button to add a rule to this Access Policy:

<br />

![Add Policy Rule](/oidc-okta-images/oidc-okta_add-policy-rule.png)

<br />

19. Set the **Rule Name** to `AuthCode`. Then deselect all Grant types but one, only leaving **Authorization Code** selected. Then click **Create Rule**.
21. Set the **Rule Name** to `AuthCode`. Then deselect all Grant types but one, only leaving **Authorization Code** selected. Then click **Create Rule**.

<br />

Expand All @@ -205,7 +223,7 @@ You have now completed all configuration steps in Okta.

## Enable OIDC SSO in Palette

20. Open a web browser and navigate to your [Palette](https://console.spectrocloud.com) subscription.
22. Open a web browser and navigate to your [Palette](https://console.spectrocloud.com) subscription.

Navigate to **Tenant Settings** --> **SSO** and click on **OIDC**. Enter the following information.

Expand All @@ -227,38 +245,38 @@ Navigate to **Tenant Settings** --> **SSO** and click on **OIDC**. Enter the fol

<br />

21. When all the information has been entered, click **Enable** to activate SSO. You will receive a message stating **OIDC configured successfully**.
23. When all the information has been entered, click **Enable** to activate SSO. You will receive a message stating **OIDC configured successfully**.


## Create Teams in Palette

The remaining step is to create teams in Palette for the group that you allowed to be passed in the OIDC ticket in Okta, and give them the appropriate permissions. For this example, you will create the `palette-tenant-admins` team and give it **Tenant Admin** permissions. You can repeat this for any other team that you have a matching Okta group for.

22. Open a web browser and navigate to your Palette subscription. Navigate to **Tenant Settings** --> **Users & Teams** --> **Teams** tab, and click **+ Create Team**.
24. Open a web browser and navigate to your Palette subscription. Navigate to **Tenant Settings** --> **Users & Teams** --> **Teams** tab, and click **+ Create Team**.

<br />

![Create Palette Team](/oidc-okta-images/oidc-okta_create-team.png)

<br />

23. Specify `palette-tenant-admins` in the **Team name** field. You don't need to set any members now, as this will happen automatically from the SSO. Click **Confirm** to create the team.
25. Specify `palette-tenant-admins` in the **Team name** field. You don't need to set any members now, as this will happen automatically from the SSO. Click **Confirm** to create the team.

<br />

![Name Palette Team](/oidc-okta-images/oidc-okta_name-team.png)

<br />

24. The list of teams displays again. Select the newly created **palette-tenant-admins** team to review its details. To give this team administrative access to the entire tenant and all the projects in it, assign the **Tenant Admin** role. Select **Tenant Roles** and click **+ Add Tenant Role**:
26. The list of teams displays again. Select the newly created **palette-tenant-admins** team to review its details. To give this team administrative access to the entire tenant and all the projects in it, assign the **Tenant Admin** role. Select **Tenant Roles** and click **+ Add Tenant Role**:

<br />

![Palette Tenant Roles](/oidc-okta-images/oidc-okta_tenant-roles.png)

<br />

25. Click on **Tenant Admin** to enable the role. Click **Confirm** to add the role.
27. Click on **Tenant Admin** to enable the role. Click **Confirm** to add the role.

<br />

Expand All @@ -268,16 +286,14 @@ The remaining step is to create teams in Palette for the group that you allowed

You will receive a message stating **Roles have been updated**. Repeat this procedure for any other teams while ensuring they are given the appropriate access permissions.

26. Click the **X** next to **Team Details** in the top left corner to exit this screen.
28. Click the **X** next to **Team Details** in the top left corner to exit this screen.

You have now successfully configured Palette SSO based on OIDC with Okta.


# Validate

1. Log in to Palette through SSO as a user that is a member of the `palette-tenant-admins` group in Okta to verify that users are automatically added to the `palette-tenant-admins` group in Palette.

If you're still logged into Palette with a non-SSO user, log out by selecting **Logout** in the **User Drop-down Menu** at the top right.
1. Log in to Palette through SSO as a user that is a member of the `palette-tenant-admins` group in Okta to verify that users are automatically added to the `palette-tenant-admins` group in Palette. If you're still logged into Palette with a non-SSO user, log out by selecting **Logout** in the **User Drop-down Menu** at the top right.

<br />

Expand All @@ -286,9 +302,7 @@ If you're still logged into Palette with a non-SSO user, log out by selecting **
<br />


2. The Palette login screen now displays a **Sign in** button and no longer presents a username and password field. Below the **Sign In** button, there is an **SSO issues? --> Use your password** link. This link can be used to bypass SSO and log in with a local Palette account in case there is an issue with SSO and you need to access Palette without SSO.

Click on the **Sign in** button to log in via SSO.
2. The Palette login screen now displays a **Sign in** button and no longer presents a username and password field. Below the **Sign In** button, there is an **SSO issues? --> Use your password** link. This link can be used to bypass SSO and log in with a local Palette account in case there is an issue with SSO and you need to access Palette without SSO. Click on the **Sign in** button to log in via SSO.

<br />

Expand All @@ -298,20 +312,26 @@ Click on the **Sign in** button to log in via SSO.

3. If this is the first time you are logging in with SSO, you will be redirected to the Okta login page. Depending on your organization's SSO settings, this could be a simple login form or require MFA (Multi-Factor Authentication).

Make sure you log in as a user that is a member of the `palette-tenant-admins` group in Okta. Once authenticated, you will automatically be redirected back to Palette and logged into Palette as that user.
<br />

<InfoBox>

Make sure you log in as a user that is a member of the `palette-tenant-admins` group in Okta. Once authenticated, you will automatically be redirected back to Palette and logged into Palette as that user.

</InfoBox>

<br />

4. You are now automatically added to the `palette-tenant-admins` team in Palette. To verify, navigate to the left **Main Menu**, select **Tenant Settings** --> **Users & Teams** --> **Teams** tab. Click the **palette-tenant-admins** team and view the team members section.


The user you logged in as has automatically been added to this team.


# Resources

- [Okta Workforce Identity Cloud](https://www.okta.com/products/single-sign-on/)


- [Palette User Management](/user-management)


- [Palette SSO](/user-management/saml-sso)

0 comments on commit da53f92

Please sign in to comment.