Okta OIDC integration
To enable Imply Hybrid (formerly Imply Cloud) Auth for your organization, contact your Imply account representative.
This topic describes how to configure Imply Hybrid to use Okta with OpenID Connect (OIDC) as an external identity provider.
Configure an Okta OIDC identity provider
The general flow for configuring an Okta OIDC identity provider is as follows:
Authentication
The following steps ensure that your users can log in to Imply with Okta:
- Set up an application in Okta for Imply.
- Export the identity provider metadata document. This document includes the issuer's name, expiration, and keys to validate responses from the identity provider.
- Import the configuration into Imply Hybrid Auth.
Authorization
The following steps ensure that your users can access certain assets in Imply:
- Create groups in Okta, if not already present, to reflect usage in Imply.
- Create composite roles in Imply that will map to the groups created in the previous step.
- Create mappers in Imply to associate groups to composite roles.
Before you begin, make sure you are logged in as an administrator to both the Imply Hybrid and Okta consoles. Setting up an identity provider in the user management console requires User Manager role permissions.
Step 1: Add an identity provider
- Log in to the Imply user management console.
- Click Identity Providers from the left menu.
- Open the Add provider menu, and choose Open ID Connect v1.0.
- Alias: Enter a unique alias for this identity provider. Notice that the alias appears in the Redirect URI path, which you will use in the next step to add an application for Imply in Okta. This will also be the label of the button in the login screen.
- Optionally, choose the first login flow and post login flows. By default, the first login flow uses first broker login. For details, see Configuring authentication flows.
Step 2: Create an application in Okta
Log in to the Okta administration console as an administrator and follow these steps to create an application for Imply Hybrid.
From the Okta home page, create a new application:
- Click Admin.
- Click Applications from the left navigation tree.
- Click Add Application.
In the Create a New Application Integration dialog:
- Choose Web from the Platform menu.
- Sign-on method: Select OIDC - OpenID Connect.
- Click Create.
General Settings: Enable Authorization code and Allow ID Token with implicit grant type, as shown in the following screenshot:
In the Login section, enter the redirect URI from the previous step for both the sign-in and sign-out redirect URIs, as shown in the following screenshot:
On the General Settings page, copy the Okta domain to use in the next step.
Note that you will also need the client credentials, so keep both consoles open.
Complete the steps in the Okta application integration wizard, including assigning the app to users.
Step 3: Configure the OIDC settings
From the Imply user management console, navigate to the identity provider settings and complete the configuration as follows. Replace the ORGANIZATION_NAME placeholder with the subdomain of your realm.
Authorization URL: Enter the authorization URL:
https://ORGANIZATION_NAME.okta.com/oauth2/default/v1/authorize
Token URL: Enter the token URL:
https://ORGANIZATION_NAME.okta.com/oauth2/default/v1/token
Logout URL: Enter the logout URL:
https://ORGANIZATION_NAME.okta.com/oauth2/default/v1/logout
In the Environment Authentication settings, choose Environment secret sent as basic auth.
Copy the client ID and client secret from the client credentials section in the Okta UI, and paste the values into the Environment ID and Environment Secret fields of the OpenID Connect Config.
Issuer: Enter the following URL:
https://ORGANIZATION_NAME.okta.com/oauth2/default
You can use default values for the rest of the settings. Your configuration should look similar to the following:
Click Save.
You should now be able to access Imply Hybrid with an authenticated session. However, in most cases, you will want to map user attributes to roles in Imply, as described in the next step.
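The issuer and endpoint URLs entered in this step are what the identity provider configuration uses to locate Okta and to check that the tokens it receives really came from the configured authorization server. The following is an added example, not Imply's or Okta's code: it derives the three Okta endpoint URLs from the issuer, and checks the claims of an ID token against the configured issuer and client ID in the way a relying party must before trusting the token (signature verification is a separate step, not shown). ORGANIZATION_NAME and CLIENT_ID_PLACEHOLDER stand in for your own values, and the token claims are constructed for the example.

```python
"""Added example (not Imply's or Okta's code): derive the Okta OIDC endpoints
from the issuer configured in Step 3 and check ID token claims against that
configuration. ORGANIZATION_NAME and CLIENT_ID_PLACEHOLDER are placeholders;
SAMPLE_CLAIMS is constructed for the example."""
import time
from typing import Optional

# Values as entered in the Imply identity provider settings (placeholders).
ISSUER = "https://ORGANIZATION_NAME.okta.com/oauth2/default"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"


def okta_endpoints(issuer: str) -> dict:
    """Return the endpoint URLs that belong to an Okta authorization server issuer.
    For the default authorization server these are the URLs listed in Step 3."""
    if not issuer.startswith("https://"):
        raise ValueError("OIDC issuer must use https")
    issuer = issuer.rstrip("/")
    return {
        "authorization": f"{issuer}/v1/authorize",
        "token": f"{issuer}/v1/token",
        "logout": f"{issuer}/v1/logout",
    }


def check_id_token_claims(claims: dict, issuer: str, client_id: str,
                          now: Optional[int] = None) -> list:
    """Return a list of problems found; an empty list means the claims pass.
    These are the checks the configured Issuer and client ID exist for:
    a token whose iss or aud does not match must be rejected."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer.rstrip("/"):
        problems.append("iss does not match configured issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain the client ID")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        problems.append("iat missing or in the future")
    if not claims.get("sub"):
        problems.append("sub missing")
    return problems


# Constructed sample claims, shaped like the payload of an Okta ID token.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "sub": "00u-constructed-subject",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "groups": ["Everyone", "imply-admins"],
}

if __name__ == "__main__":
    for name, url in okta_endpoints(ISSUER).items():
        print(f"{name}: {url}")
    print("problems:", check_id_token_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID,
                                            now=1_700_000_100))
```

The issuer comparison is exact on purpose: a token issued by a different Okta org, or by a custom authorization server on the same org, carries a different iss value and must not be accepted by this configuration.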
Step 4: Add user role mappings
Mappers associate user properties from the identity provider to roles in Imply. Before configuring mappers, determine which Imply roles should be mapped to which Okta claims. You may need to create those claims in Okta if they don't already exist. To create claims in Okta, see Create Claims.
To add a mapper, follow these steps:
Click the Mappers tab in the Identity Provider settings page and then click Create.
In the mapper configuration, enter a name for the mapper.
For Sync Mode Override, choose from these options:
- Import: Import data only once, when Imply creates the user at first login.
- Force: Update user data at each login.
- Inherit: Use the sync mode configured in the identity provider. All other options override this sync mode.
Mapper Type: Choose Claim to Role.
Claim: Enter the name of the claim as it appears in the OIDC token. For nested claims, use dot-delimited claim names, such as admin.clusters.
Claim Value: Enter the value of the claim to map to the Imply role.
Role: Enter the Imply role you want to map this claim to.
The following screenshot shows a sample configuration that maps the groups claim to the Client Admin role in Imply:
Click Save.
Users can now log in to Imply Hybrid with authenticated Okta sessions.