Imply Cloud Auth with SSO support is a beta feature for Imply Cloud. See About experimental features for more information about beta features.
This topic describes how to configure Imply Cloud to rely on Okta, using OpenID Connect (OIDC), as its external identity provider. Imply Cloud can then make user authentication and authorization decisions based on the user identity data held in Okta.
Configuring Okta OpenID Connect (OIDC) identity provider
The following procedures describe how to integrate Imply with OIDC in four steps:
- Step 1: Add the identity provider in the Imply auth console
- Step 2: Create the application in Okta
- Step 3: Configure Connect config settings in the Imply auth console
- Step 4: Add user role mappings
Before starting, make sure you are logged in as an administrator to both the Imply Cloud and Okta consoles. Setting up an identity provider in the Imply auth console requires User Manager role permissions.
Step 1: Add the identity provider in the Imply auth console
- Log in to the Imply auth console and click Identity Providers from the left menu.
- Open the Add provider menu, and choose Open ID Connect V1.0.
- For the Alias, enter a unique alias for this identity provider. Notice that the alias appears in the Redirect URI path, which you will use in the next step to add an application for Imply in Okta:
- Optionally, choose the login flow and post login flow. By default, the first login flow is first broker login. For details, see configuring authentication flow.
You will return to complete the identity provider configuration in the Imply auth console, but next switch to the Okta configuration console as described in the following step.
Step 2: Create the application in Okta
As an Okta administrator, create an application for Imply Cloud in the Okta administration console as follows.
- From the Okta home page, create a new application:
- Click the Admin button at the right side of the top menu.
- Click Applications from the left navigation tree.
- Click Add Application.
- In the Create a New Application Integration dialog:
- Choose Web from the Platform menu.
- For the Sign-on method, select OIDC - OpenID Connect.
- Click Create.
- Accept the default client credentials generated by Okta or enter new ones.
- In the General Settings, ensure that the Authorization code and Allow ID Token with implicit grant type are enabled, as shown:
- In the Login section, enter the redirect URI from the Imply Identity provider that you configured in the previous step. Enter the URI for both the sign in and sign out URIs, in the form shown:
- From the General settings page, copy the Okta domain to use in the next step.
Note that you will also need the client credentials, so keep both consoles open.
- Complete the steps in the Okta application integration wizard, including assigning the app to users.
Step 3: Configure the Connect Config settings
Back in the identity provider settings in the Imply auth console, complete the configuration as follows:
In the OpenID Connect Config section of your new identity provider configuration, paste the Okta domain into the Authorization URL field and append the authorize path, /oauth2/default/v1/authorize, as in the following example:
Be sure to replace <org_name> with your Okta org subdomain.
Similarly, for the Token URL, use the same domain and path, replacing authorize with token: /oauth2/default/v1/token.
For the Logout URL, use logout in the path: /oauth2/default/v1/logout.
The /oauth2/default paths belong to Okta's default authorization server. If you use a different Okta authorization server (for example, the one you configure for the groups claim in Step 4), take the authorize, token and logout URLs from that server's discovery document instead, and use the same server for every URL and for the Issuer below.
In the Client Authentication settings, choose Client secret sent as basic auth.
Copy the client ID and client secret from the client credentials section in the Okta UI, and paste the values into the Client ID and Client Secret sections.
For the Issuer, enter the issuer of the authorization server whose endpoints you used above. For the default authorization server this is https://<org_name>.okta.com/oauth2/default, with no trailing slash. The value must match the iss claim in the tokens Okta issues exactly, or logins will be rejected.
The other settings may remain at their default settings, for most configurations. Your configuration should look similar to the following:
You should now be able to access Imply Cloud with an authenticated session. However, in most cases, you will want to map user attributes to roles in Imply, as described in the next step.
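The four URLs in Step 3 all derive from the org subdomain and the authorization server, and the issuer is compared byte-for-byte at login, so it is worth checking the values you typed against what the authorization server advertises at its .well-known/openid-configuration endpoint. The following is an added example, not code from Imply or Okta: it builds the Step 3 values for the default authorization server and compares them with a discovery document. The discovery document here is constructed (for a hypothetical org named "example") so the check runs offline; in practice fetch the real one from https://<org_name>.okta.com/oauth2/default/.well-known/openid-configuration.

```python
# Added example (not Imply's or Okta's code): derive the OIDC endpoint URLs
# for an Okta org's default authorization server and check them against the
# server's discovery document. SAMPLE_DISCOVERY below is CONSTRUCTED to mirror
# the shape Okta serves at /oauth2/default/.well-known/openid-configuration.
import json
from urllib.parse import urlparse


def okta_default_endpoints(org_name: str) -> dict:
    """The values Step 3 asks for, built from the Okta org subdomain."""
    base = f"https://{org_name}.okta.com/oauth2/default"
    return {
        "issuer": base,  # no trailing slash
        "authorization_url": f"{base}/v1/authorize",
        "token_url": f"{base}/v1/token",
        "logout_url": f"{base}/v1/logout",
    }


# Field names the discovery document uses for the same four values.
DISCOVERY_KEYS = {
    "issuer": "issuer",
    "authorization_url": "authorization_endpoint",
    "token_url": "token_endpoint",
    "logout_url": "end_session_endpoint",
}


def check_against_discovery(config: dict, discovery: dict) -> list:
    """Return a list of mismatch descriptions; an empty list means the
    configured values agree with what the authorization server advertises."""
    problems = []
    for ours, theirs in DISCOVERY_KEYS.items():
        advertised = discovery.get(theirs)
        if advertised is None:
            problems.append(f"discovery document lacks {theirs}")
        elif advertised != config[ours]:
            problems.append(f"{ours}: configured {config[ours]!r}, "
                            f"server advertises {advertised!r}")
    # The issuer is matched exactly against the token's iss claim; flag the
    # two classic mistakes (trailing slash, plain http) explicitly.
    iss = config["issuer"]
    if iss.endswith("/"):
        problems.append("issuer must not end with a trailing slash")
    if urlparse(iss).scheme != "https":
        problems.append("issuer must use https")
    return problems


# Constructed sample discovery document for a hypothetical org "example".
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example.okta.com/oauth2/default",
  "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
  "end_session_endpoint": "https://example.okta.com/oauth2/default/v1/logout",
  "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys"
}""")


if __name__ == "__main__":
    good = okta_default_endpoints("example")
    print(check_against_discovery(good, SAMPLE_DISCOVERY))  # []
    # Issuer typed with a trailing slash: both the discovery comparison and
    # the explicit check report it.
    bad = dict(good, issuer=good["issuer"] + "/")
    for problem in check_against_discovery(bad, SAMPLE_DISCOVERY):
        print("-", problem)
```

If you point the identity provider at a different Okta authorization server, pass that server's discovery document to the check; the field names are the same, and any value that differs from what you entered in the Imply auth console is reported.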
Step 4: Add user role mappings
After adding an identity provider configuration, you can map user attributes derived from the identity provider to roles in Imply.
Before configuring mappers, you must also set up user roles, since you'll be mapping claims from Okta to those roles. Also, you should configure Okta to add a Groups claim to tokens via an authorization server. For details, see the Okta documentation on customizing tokens with a group claim.
To add a mapper, follow these steps:
- Click the Mappers tab in the Identity Provider settings page and then click Create.
- In the mapper configuration, enter a name for the mapper.
- For the Sync Mode Override, choose one of these options:
- Choose import to import the data only once, when the user is first created at first login.
- Choose force to update the user data at every login.
- Choose inherit to use the sync mode configured on the identity provider; either of the other options overrides that sync mode for this mapper.
- For Mapper Type, choose Claim to Role.
- For the Claim, enter the name of the claim as it appears in the OIDC token. For nested claims, use dot-delimited claim names, writing outer.inner for a claim named inner nested inside a claim named outer.
- For the Claim Value, enter the value of the claim you entered that should be mapped to the Imply role.
- For the Role, click Select Role and choose the Imply role to which you want to map this claim. Your configuration should look something like:
As shown, this mapper assigns users whose groups claim has the value Engineering Team to the Client admin role in Imply, giving them permissions to perform cluster operations in the Imply Manager. Add additional mappings for other roles you want to assign, such as a role for Analysts who can view and create dashboards and alerts but cannot perform actions upon clusters.
- Click Save.
Users can now log in to Imply Cloud with authenticated Okta sessions.
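When a mapping does not take effect, the usual cause is that the claim in the token is not what the mapper expects (the groups claim was not added to the authorization server, the name is spelled differently, or a nested claim path is wrong). The following is an added example, not Imply's code: it decodes the payload of an ID token so you can see the claims Okta actually sent, then evaluates Claim to Role mappers over those claims the way Step 4 describes them. The token, the mappers and the Analyst role are constructed for the demonstration; matching an array-valued claim such as groups by membership and walking dot-delimited nested claims are this example's reading of the mapper semantics, not a statement about Imply's implementation.

```python
# Added example (not Imply's code): inspect an ID token's claims and evaluate
# "Claim to Role" mappers against them. SAMPLE_CLAIMS and MAPPERS are
# CONSTRUCTED; the "Analyst" role is hypothetical.
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload (second segment) of a JWT.
    This does NOT verify the signature; it only shows what the issuer put in
    the token, which is enough for debugging a mapper. Never make an
    authorization decision on an unverified token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def lookup_claim(claims: dict, name: str):
    """Resolve a dot-delimited claim name: "outer.inner" -> claims["outer"]["inner"].
    Returns None when any segment of the path is missing."""
    node = claims
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def claim_matches(actual, expected: str) -> bool:
    """A scalar claim matches on equality; an array-valued claim (such as
    groups) matches when any element equals the expected value."""
    if isinstance(actual, list):
        return any(str(v) == expected for v in actual)
    return actual is not None and str(actual) == expected


def roles_for(claims: dict, mappers: list) -> set:
    """Return the set of Imply roles the mappers grant for these claims."""
    return {
        m["role"]
        for m in mappers
        if claim_matches(lookup_claim(claims, m["claim"]), m["claim_value"])
    }


# Constructed mappers: the one described in the text plus a hypothetical
# Analyst mapping.
MAPPERS = [
    {"name": "engineering-admins", "claim": "groups",
     "claim_value": "Engineering Team", "role": "Client admin"},
    {"name": "analysts", "claim": "groups",
     "claim_value": "Analysts", "role": "Analyst"},
]


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED, JWT-shaped string (header.payload.) for the demo
    so decode_jwt_payload has realistic input without a real Okta login."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


# Constructed claims resembling an ID token from the default authorization
# server with a groups claim added.
SAMPLE_CLAIMS = {
    "iss": "https://example.okta.com/oauth2/default",
    "sub": "00uCONSTRUCTED",
    "email": "alice@example.com",
    "groups": ["Everyone", "Engineering Team"],
}


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    claims = decode_jwt_payload(token)
    print(json.dumps(claims, indent=2))
    print(roles_for(claims, MAPPERS))  # {'Client admin'}
```

To debug a real login, paste the id_token your browser received in place of the constructed token; if the groups claim is absent from the decoded payload, the fix is on the Okta authorization server (the groups claim was not added to the ID token), not in the Imply mapper.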