To enable Imply Hybrid (formerly Imply Cloud) Auth for your organization, contact your Imply account representative.
This topic describes how to configure Imply Hybrid to rely on Okta with OpenID Connect (OIDC) as an external identity provider.
Configuring Okta OpenID Connect (OIDC) identity provider
The general flow for configuring an Okta OIDC identity provider is as follows.
The following steps ensure that your users can log in to Imply with Okta:
- Set up an application for Imply in Okta.
- Export the identity provider metadata document. The document includes the issuer's name, expiration, and keys to validate responses from the identity provider.
- Import the configuration into the Imply Hybrid Auth.
The following steps ensure that your users are authorized to access certain assets in Imply:
- Create groups (if not already present) in Okta to reflect usage in Imply.
- Create composite roles in Imply that will map to the groups you created in Okta.
- Create mappers in Imply to associate groups to composite roles.
Before starting, make sure you are logged in as an administrator to both the Imply Hybrid and Okta consoles. Setting up an identity provider in the user management console requires User Manager role permissions.
Step 1: Add the identity provider in the console
- Log in to the Imply user management console.
- Click Identity Providers from the left menu.
- Open the Add provider menu, and choose OpenID Connect v1.0.
- For the Alias, enter a unique alias for this identity provider. Notice that the alias appears in the Redirect URI path, which you will use in the next step to add an application for Imply in Okta. This will also be the label of the button in the login screen.
- Optionally, choose the first login flow and post login flows. By default, the first login flow uses first broker login. For details, see Configuring authentication flows.
Leave the identity provider configuration open; you will return to it in Step 3. Next, switch to the Okta administration console to create the application, as described in the following step.
Step 2: Create the application in Okta
As an Okta administrator, create an application for Imply Hybrid in the Okta administration console as follows.
From the Okta home page, create a new application:
- Click the Admin button at the right side of the top menu.
- Click Applications from the left navigation tree.
- Click Add Application.
In the Create a New Application Integration dialog:
- Choose Web from the Platform menu.
- For the Sign-on method, select OIDC - OpenID Connect.
- Click Create.
Accept the default client credentials generated by Okta or enter new ones.
In the General Settings, ensure that the Authorization Code grant type is enabled; the redirect flow configured in Step 3 uses it and exchanges the code at the Token URL with the client secret. The original screenshot also showed Allow ID Token with implicit grant type enabled. The implicit grant returns tokens in the front channel and is discouraged by OAuth 2.0 security best current practice, so enable it only if you confirm that your deployment actually requires it.
In the Login section, enter the Redirect URI shown on the Imply identity provider page you opened in the previous step, as both the sign-in redirect URI and the sign-out redirect URI. The URI must match exactly, including the identity provider alias in its path.
From the General settings page, copy the Okta domain to use in the next step.
Note that you will also need the client credentials, so keep both consoles open.
Complete the steps in the Okta application integration wizard, including assigning the app to users.
Step 3: Configure the OpenID Connect Config settings
From the user management console, navigate to the identity provider settings and complete the configuration as follows:
In the OpenID Connect Config section of your new identity provider configuration, enter the Authorization URL: the Okta domain you copied, followed by the authorize path /oauth2/default/v1/authorize. For example, with an Okta domain of <org_name>.okta.com:
https://<org_name>.okta.com/oauth2/default/v1/authorize
Be sure to replace <org_name> with the subdomain of your own Okta org. The default segment refers to Okta's default custom authorization server; if your org uses a different authorization server, use its ID in place of default and keep the same server in every URL below, including the Issuer.
Similarly, for the Token URL, use the domain and path you just entered, replacing authorize with token:
https://<org_name>.okta.com/oauth2/default/v1/token
For the Logout URL, use logout in the path:
https://<org_name>.okta.com/oauth2/default/v1/logout
For Client Authentication, choose Client secret sent as basic auth.
Copy the client ID and client secret from the Client Credentials section of the Okta application, and paste them into the Client ID and Client Secret fields of the OpenID Connect Config. Treat the client secret like any other credential: it is what lets Imply Hybrid Auth redeem authorization codes for tokens, so store it only in this configuration and do not reuse it across environments.
For the Issuer, enter the authorization server's issuer URL, which is the domain plus /oauth2/default with no version path:
https://<org_name>.okta.com/oauth2/default
This value must match the iss claim in Okta's ID tokens exactly, including the absence of a trailing slash; a mismatch causes every login to fail token validation.
The other settings can remain at their defaults for most configurations. One worth checking is Validate Signatures: confirm that it is enabled with Use JWKS URL and the JWKS URL https://<org_name>.okta.com/oauth2/default/v1/keys, so that ID tokens are verified against Okta's published signing keys (the keys referred to in the overview's metadata document). The original screenshot of the completed configuration is not reproduced here.
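Because every URL in this step is typed by hand, the most common failures are an issuer with a trailing slash, a URL built against the org authorization server (/oauth2/v1/...) instead of /oauth2/default, or a plain http scheme. The following added example (not Imply's or Okta's code) derives the console field values from a bare Okta domain and cross-checks them against the issuer's discovery document, which Okta serves at <issuer>/.well-known/openid-configuration. The discovery document below is a constructed sample with the placeholder org name example-org, so the check runs offline; in practice you would fetch the real document and pass its JSON text in.

```python
"""Cross-check hand-entered OIDC endpoint URLs against the issuer's discovery
document. Added example; not part of Imply Hybrid Auth or Okta."""
import json
from urllib.parse import urlparse

# Constructed sample of an Okta default authorization server discovery
# document (normally fetched from <issuer>/.well-known/openid-configuration).
# "example-org" is a placeholder org name.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://example-org.okta.com/oauth2/default",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/default/v1/token",
    "end_session_endpoint": "https://example-org.okta.com/oauth2/default/v1/logout",
    "jwks_uri": "https://example-org.okta.com/oauth2/default/v1/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

# Console field name -> key in the discovery document.
FIELD_TO_DISCOVERY_KEY = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",
    "Issuer": "issuer",
    "JWKS URL": "jwks_uri",
}


def okta_endpoints(okta_domain: str) -> dict:
    """Derive the console field values for Okta's default authorization
    server from the bare Okta domain copied from the app's General settings."""
    base = f"https://{okta_domain}/oauth2/default"
    return {
        "Authorization URL": f"{base}/v1/authorize",
        "Token URL": f"{base}/v1/token",
        "Logout URL": f"{base}/v1/logout",
        "Issuer": base,
        "JWKS URL": f"{base}/v1/keys",
    }


def check_config(configured: dict, discovery_json: str) -> list:
    """Return a list of problems; an empty list means every field matches.
    Comparison is an exact string match on purpose: the Issuer must equal the
    ID token's iss claim byte for byte, so a trailing slash is a real error."""
    disc = json.loads(discovery_json)
    problems = []
    for field, key in FIELD_TO_DISCOVERY_KEY.items():
        value = configured.get(field)
        if value is None:
            problems.append(f"{field}: not configured")
            continue
        if urlparse(value).scheme != "https":
            problems.append(f"{field}: must use https")
        if value != disc.get(key):
            problems.append(f"{field}: {value!r} does not match discovery {disc.get(key)!r}")
    # Client secret sent as basic auth requires client_secret_basic at the token endpoint.
    if "client_secret_basic" not in disc.get("token_endpoint_auth_methods_supported", []):
        problems.append("Token endpoint does not advertise client_secret_basic")
    return problems


if __name__ == "__main__":
    good = okta_endpoints("example-org.okta.com")
    print("correct config:", check_config(good, DISCOVERY_JSON))
    bad = dict(good, Issuer=good["Issuer"] + "/")
    print("trailing slash on issuer:", check_config(bad, DISCOVERY_JSON))
```

Run it once with the values you intend to paste into the console; an empty list for the good configuration and a single Issuer mismatch for the trailing-slash variant shows the check doing what the prose above warns about.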
You should now be able to access Imply Hybrid with an authenticated session. However, in most cases, you will want to map user attributes to roles in Imply, as described in the next step.
Step 4: Add user role mappings
Mappers associate user properties from the identity provider to roles in Imply. Before configuring mappers, you must set up user roles, since you will map claims from Okta to those roles.
You should also verify that you have the user claims that make sense to map to roles in Imply. You may need to create those properties for the purpose, if they don't already exist. To create claims in Okta, see Create Claims.
To add a mapper, follow these steps:
- Click the Mappers tab in the Identity Provider settings page and then click Create.
- In the mapper configuration, enter a name for the mapper.
- For the Sync Mode Override, choose from these options:
- Choose import to copy the claim data only once, when the user is first created at first login.
- Choose force to update the user's data at every login.
- Choose inherit to use the sync mode configured on the identity provider; the other two options override that setting for this mapper.
- For Mapper Type, choose Claim to Role.
- For the Claim, enter the name of the claim as it appears in the OIDC token. For a nested claim, use a dot-delimited path from the outer claim to the inner key.
- For the Claim Value, enter the value that the claim must carry for the user to receive the Imply role.
- For the Role, click Select Role and choose the Imply role to which you want to map this claim.
In the original screenshot, the mapper assigns users who have `Engineering Team` as a value of the `groups` claim to the Client admin role in Imply, giving them permission to perform cluster operations in the Imply Manager. Note that the comparison is exact and case-sensitive, and that Okta only includes a groups claim in the ID token if you have configured one on the authorization server or application (see Create Claims above). Add mappings for other roles you want to assign, such as a role for Analysts who can view and create dashboards and alerts but cannot perform actions on clusters.
- Click Save.
Users can now log in to Imply Hybrid with authenticated Okta sessions.
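To reason about which roles a given Okta user will end up with, it helps to see the mapper semantics the page describes run over a decoded ID token. The following added example is not Imply's code; it assumes the behaviour described above (a mapper names a claim, a value and a role, nested claims are dot-delimited, and an array-valued claim such as Okta's groups matches when any element equals the value). The token payload is a constructed sample, and the roles other than Client admin (Analyst, EU data viewer) are hypothetical names chosen for illustration.

```python
"""Simulate Claim to Role mappers over a decoded Okta ID token payload.
Added example; not Imply Hybrid Auth's implementation. Assumes the mapper
semantics described on the page; verify against your own environment."""
import json

# Constructed ID token payload: the decoded JWT body after signature
# verification. Okta emits the groups claim as a JSON array of group names.
ID_TOKEN_PAYLOAD = json.dumps({
    "iss": "https://example-org.okta.com/oauth2/default",
    "sub": "00u1example",
    "email": "ana@example.com",
    "groups": ["Everyone", "Engineering Team"],
    "address": {"country": "NL"},
})

# Mappers as configured on the Mappers tab: (claim, claim value, Imply role).
# "Client admin" is the role from the page; the other roles are hypothetical.
MAPPERS = [
    ("groups", "Engineering Team", "Client admin"),
    ("groups", "Analysts", "Analyst"),
    ("address.country", "NL", "EU data viewer"),
]


def lookup_claim(payload: dict, dotted_name: str):
    """Resolve a dot-delimited claim path; None if any segment is missing."""
    node = payload
    for part in dotted_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def claim_has_value(claim, wanted: str) -> bool:
    """A scalar claim must equal the value exactly (case-sensitive); an
    array claim matches when any element equals it. A missing claim never matches."""
    if claim is None:
        return False
    if isinstance(claim, list):
        return any(item == wanted for item in claim)
    return claim == wanted


def roles_for(payload_json: str, mappers) -> set:
    """Return the set of Imply roles granted by the mappers for this token."""
    payload = json.loads(payload_json)
    granted = set()
    for claim_name, wanted, role in mappers:
        if claim_has_value(lookup_claim(payload, claim_name), wanted):
            granted.add(role)
    return granted


if __name__ == "__main__":
    print(sorted(roles_for(ID_TOKEN_PAYLOAD, MAPPERS)))
```

The sample user is in Engineering Team but not Analysts, so she receives Client admin and the nested-claim role but not Analyst. Changing the case of a group name in MAPPERS is enough to lose the role, which is why group names in Okta and claim values in Imply should be copied rather than retyped.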