Overview:
This is a step-by-step guide on how to set up an Okta OpenID Connect profile for a Single Sign On (SSO) integration.
Prerequisites:
This integration has some prerequisites that need to be met prior to implementation.
- An Okta developer account
- Domain Admin access in the target Vault
- SAML SSO integration already implemented within target Vault
| Step # | Description of Action | Expected Result |
|---|---|---|
| 1 | Log in to Okta as an Okta Administrator. | Login to Okta is successful. |
| 2 | Expand the Security dropdown in the menu bar on the left-hand side of the screen and select API. | The API screen is presented. |
| 3 | Click the + Add Authorization Server button on the API screen. | The Add Authorization Server dialog box is presented. |
| 4 | In the Add Authorization Server dialog box, populate the following values, then click Save. | The newly created Authorization Server is presented. |
| 5 | Record the Metadata URI externally. Within the URI, replace “oauth-authorization-server” with “openid-configuration”. | The Metadata URI is updated and recorded. |
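The URI edit in step 5 turns Okta's authorization-server metadata URI into the OpenID Connect discovery URI that Vault reads. The following Python is an added example, not code from the guide, Okta or Vault: it performs that rewrite, derives the expected issuer from the same URI, and sanity-checks a discovery document before it is uploaded in step 19. The hostname `example.okta.com`, the authorization server id `ausEXAMPLE123` and the JSON document are constructed placeholders.

```python
"""Added example (not from the guide, Okta or Vault): turn the Okta
authorization-server Metadata URI into the OpenID Connect discovery URI,
which is the edit step 5 describes, and sanity-check the discovery
document before it is uploaded to Vault. The hostname, authorization
server id and JSON document below are constructed placeholders."""
import json
from urllib.parse import urlparse

WELL_KNOWN = ".well-known"
AS_METADATA_SEGMENT = "oauth-authorization-server"
OIDC_DISCOVERY_SEGMENT = "openid-configuration"

# Fields a relying party needs for an authorization-code login with
# ID-token verification; a document missing any of them is unusable.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_uri_from_metadata(metadata_uri: str) -> str:
    """Rewrite .../.well-known/oauth-authorization-server to
    .../.well-known/openid-configuration, refusing anything else."""
    parsed = urlparse(metadata_uri)
    if parsed.scheme != "https":
        raise ValueError("metadata URI must use https")
    segments = parsed.path.split("/")
    if len(segments) < 2 or segments[-2:] != [WELL_KNOWN, AS_METADATA_SEGMENT]:
        raise ValueError("not an Okta authorization-server metadata URI")
    segments[-1] = OIDC_DISCOVERY_SEGMENT
    return parsed._replace(path="/".join(segments)).geturl()


def issuer_from_metadata(metadata_uri: str) -> str:
    """The issuer is the metadata URI with the /.well-known/... suffix removed;
    for an Okta custom authorization server that is https://<org>/oauth2/<id>."""
    parsed = urlparse(metadata_uri)
    marker = "/" + WELL_KNOWN + "/"
    if marker not in parsed.path:
        raise ValueError("metadata URI has no /.well-known/ path")
    return parsed._replace(path=parsed.path[: parsed.path.index(marker)],
                           query="", fragment="").geturl()


def check_discovery_document(doc: dict, expected_issuer: str) -> list:
    """Return the list of problems found (empty means the document is usable)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            problems.append(f"missing {field}")
    issuer = doc.get("issuer", "")
    if issuer and issuer != expected_issuer:
        problems.append(f"issuer {issuer} does not match {expected_issuer}")
    issuer_host = urlparse(issuer).netloc
    # Every endpoint must be https and live on the issuer's host, so a
    # tampered document cannot redirect the login or token exchange elsewhere.
    for field in REQUIRED_FIELDS[1:]:
        url = doc.get(field)
        if not url:
            continue
        endpoint = urlparse(url)
        if endpoint.scheme != "https":
            problems.append(f"{field} is not https")
        if endpoint.netloc != issuer_host:
            problems.append(f"{field} host {endpoint.netloc} differs from issuer host")
    return problems


# Constructed sample values (not a real tenant).
SAMPLE_METADATA_URI = ("https://example.okta.com/oauth2/ausEXAMPLE123"
                       "/.well-known/oauth-authorization-server")
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example.okta.com/oauth2/ausEXAMPLE123",
  "authorization_endpoint": "https://example.okta.com/oauth2/ausEXAMPLE123/v1/authorize",
  "token_endpoint": "https://example.okta.com/oauth2/ausEXAMPLE123/v1/token",
  "jwks_uri": "https://example.okta.com/oauth2/ausEXAMPLE123/v1/keys",
  "response_types_supported": ["code"]
}""")

if __name__ == "__main__":
    print(discovery_uri_from_metadata(SAMPLE_METADATA_URI))
    print(check_discovery_document(SAMPLE_DISCOVERY,
                                   issuer_from_metadata(SAMPLE_METADATA_URI)))
```

The host comparison is the part worth keeping: a discovery document whose token or JWKS endpoint points somewhere other than the issuer's host should be rejected before the profile is saved, because Vault will trust whatever endpoints that document names.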
| 6 | Click the Access Policy tab on the Authorization Server record. | The Access Policy screen is presented. |
| 7 | Click the Add New Access Policy button. | The Add Policy dialog box appears. |
| 8 | Populate the following information and leave all other fields at their default values, then click Create Policy. | A new Access Policy is created. |
| 9 | Click the Add Rule button in the newly created Access Policy. | The Add Rule dialog box appears. |
| 10 | Populate the following values and leave all other fields at their default values, then click Create Rule. | A new Rule record appears in the rule section. |
| 11 | Expand the Applications dropdown in the menu bar on the left-hand side of the screen and select Applications. | The Applications screen is presented. |
| 12 | Click the Create App Integration button on the Applications screen. | The Create a new app integration dialog is presented. |
| 13 | In the Create a new app integration dialog box, make the following selections, then click Next. | The New Native App Integration screen is presented. |
| 14 | On the New Native App Integration screen, update the fields with the following information, then click Save. | The newly created Application is presented. |
| 15 | In the General Settings section, click Edit and deselect the Require consent checkbox. Click Save. Record the Client ID. | The Application is updated. |
| 16 | Log in to Vault as the Domain Admin user. | Login to Vault is successful. |
| 17 | Navigate to Admin > Settings > OAuth 2.0 / OpenID Connect Profiles. | The OAuth 2.0 / OpenID Connect Profiles screen is presented. |
| 18 | Click the + Create button. | The Create OAuth 2.0 / OpenID Connect Profiles screen is presented. |
| 19 | Populate the following: Label: Okta OAuth; Status: Active. Click Upload AS Metadata. Authorization Server Provider: Okta; User ID Type: Federated ID. Uncheck Perform strict Audience Restriction validation. Click the Save button. | The newly created OAuth 2.0 / OpenID Connect Profile is presented. |
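Step 19 unchecks "Perform strict Audience Restriction validation". The Python below is an added example, not code from the guide, Okta or Vault, showing the claims-level check that an audience restriction setting of this kind governs. How Vault implements the setting is not described on this page, so the example models strict mode as "the ID token's `aud` must name the registered client ID" and relaxed mode as skipping that comparison; signature verification against the authorization server's `jwks_uri` is assumed to have succeeded beforehand. The issuer, client IDs, subject and timestamps are constructed.

```python
"""Added example (not from the guide, Okta or Vault): a claims-level check
of an ID token that shows what the "Perform strict Audience Restriction
validation" setting in step 19 governs. How Vault implements that setting
is not described on this page; this example models strict mode as "the
token's aud must name the registered client ID" and relaxed mode as
skipping that comparison. Signature verification against the
authorization server's jwks_uri is assumed to have already succeeded.
All claim values are constructed."""
import time

# Clock skew tolerated between the authorization server and the relying
# party, in seconds.
LEEWAY = 60


def check_id_token_claims(claims: dict, client_id: str, issuer: str,
                          strict_audience: bool = True, now=None) -> list:
    """Return the list of problems found (empty means the token is acceptable)."""
    now = time.time() if now is None else now
    problems = []

    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured authorization server")

    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if strict_audience:
        # OIDC Core 3.1.3.7: the ID token must be intended for this client, and
        # when several audiences are listed, azp must identify this client.
        if client_id not in audiences:
            problems.append("aud does not include this client's ID")
        elif len(audiences) > 1 and claims.get("azp") != client_id:
            problems.append("multiple audiences but azp is not this client")

    exp = claims.get("exp")
    if exp is None or now >= exp + LEEWAY:
        problems.append("exp missing or token expired")
    iat = claims.get("iat")
    if iat is not None and iat > now + LEEWAY:
        problems.append("iat is in the future")
    if not claims.get("sub"):
        problems.append("sub missing, no user to federate")
    return problems


# Constructed sample values (not a real tenant or user).
ISSUER = "https://example.okta.com/oauth2/ausEXAMPLE123"
VAULT_CLIENT_ID = "0oaEXAMPLEvault"   # stands in for the Client ID recorded in step 15
FIXED_NOW = 1_700_000_000             # fixed clock so the example is deterministic

SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": VAULT_CLIENT_ID,
    "sub": "jane.doe@example.com",
    "iat": FIXED_NOW - 10,
    "exp": FIXED_NOW + 3600,
}
# Same issuer and user, but an ID token minted for a different application.
OTHER_APP_CLAIMS = dict(SAMPLE_CLAIMS, aud="0oaEXAMPLEotherapp")

if __name__ == "__main__":
    for label, strict in (("strict", True), ("relaxed", False)):
        print(label, check_id_token_claims(OTHER_APP_CLAIMS, VAULT_CLIENT_ID,
                                           ISSUER, strict_audience=strict, now=FIXED_NOW))
```

Running the block prints an empty problem list for `OTHER_APP_CLAIMS` only in relaxed mode: a token the same Okta authorization server issued for a different application is accepted once the audience comparison is skipped, which is the difference the checkbox makes. Issuer, expiry and subject checks run in both modes.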
| 20 | Under the Client Applications section, click + Add. | A New Client Application dialog box appears. |
| 21 | Populate the following: Application Label: Vault Mobile Application; Client ID: vaultmobile; Authorization Server Client ID: the Client ID recorded in step 15. Click OK. | A new Client Application record appears in the Client Applications section. |
| 22 | Navigate to the Security Policies section. | The Security Policies screen is presented. |
| 23 | Click the Okta security policy. | The selected Security Policy screen is presented. |
| 24 | Click the Edit button and populate the following, then click Save. | The Security Policy is updated. |
| 25 | Log out of Vault. | Logout of Vault is successful. |