Skip to main content
Version: latest

Enable SSO with Okta OIDC

Single Sign-On (SSO) is an authentication method that enables users to log in to multiple applications and websites with one set of credentials. SSO uses certificates to establish and maintain a trust relationship between the Service Provider (SP) and an Identity Provider (IdP). Palette supports SSO based on either the Security Assertion Markup Language (SAML) or OpenID Connect (OIDC).

The following steps will guide you on how to enable Palette SSO with Okta Workforce Identity Cloud based on OIDC.

Prerequisites

  • For Okta OIDC to work correctly with Palette, you must enable HTTPS and configure TLS.

  • You need to have either a free or paid subscription with Okta. Okta provides free developer subscriptions for testing purposes.

  • If you want to use the same Okta application for OIDC-based SSO into your Kubernetes cluster itself, you need to install kubelogin on your local workstation to handle retrieval of access tokens for your cluster.

  • Palette requires the following claims to be present in the OIDC token:

    Claim NameDefault ValueDescription
    EmailemailThe user's email address.
    First Namegiven_nameThe user's first name.
    Last Namefamily_nameThe user's last name.
    Spectro TeamgroupsThe user's group memberships in the Identity Provider.

    Change the claim names in your IdP if they are different from the default values. If the OIDC token does not contain these claims, toggle the Use userinfo endpoint option in the OIDC configuration to allow Palette to fetch the missing claims from the user information endpoint.

Okta with OIDC

Create the Okta Application

  1. Log in to your Okta Admin console and navigate to Applications --> Applications. Click the Create App Integration button.

    info

    Your Okta login URL has the following format, https://{your-okta-account-id}-admin.okta.com/admin/getting-started. Replace {your-okta-account-id} with your Okta account ID.

  2. In the screen that opens, select OIDC - OpenID Connect` for the sign-in method, then select Web Application for the application type. Then click Next.

  3. The following screen allows you to configure the new Web App Integration. On the App integration name field, change the name from My Web App to Spectro Cloud Palette OIDC. If desired, you can also upload a logo for the application. Leave the Grant type to its default value - Authorization Code.

    Configure General Settings

  4. Open a web browser and navigate to your Palette subscription. Navigate to Tenant Settings --> SSO and click OIDC. Click the button next to Callback URL to copy the value to the clipboard.

    Copy Callback URL

  5. Switch back to your Okta Admin console and paste the copied value into the Sign-in redirect URIs field, replacing the existing value:

    Paste Redirect URI

  6. Switch back to Palette in the web browser and click the button next to Logout URL to copy the value to the clipboard.

  7. Switch back to your Okta Admin console and paste the copied value into the Redirect URI field, then click Add to add it to the list:

    Paste Logout URI

  8. These two redirect URIs are required for SSO to work with Palette. You can also add additional redirect URIs. The URIs in the table below are useful when you want to use Okta for OIDC authentication into your Kubernetes clusters.

    URLType of Access
    http://localhost:8000Using kubectl with the kube-login plugin from a workstation.
    https://console.spectrocloud.com/v1/shelly/oidc/callbackUsing the web-based kubectl console.
    https://<fqdn_of_k8s_dashboard>/oauth/callbackUsing OIDC authentication into Kubernetes Dashboard.
  9. When you have completed entering redirect URIs, scroll down to the Assignments section and section and select Allow everyone in your organization to access. Leave the Enable immediate access with Federation Broker Mode option enabled and click Save.

    Configure Assignments

  10. You have now created the Okta Application! Next, you need to retrieve the Client ID and Client Secret information, which you will use in the following steps. You should have landed on the General tab of your Okta Application. Click the Copy to clipboard button next to the Client ID to copy the secret value and save it somewhere. You will need this value for later.

    Copy Client ID

  11. Click the Copy to clipboard button next to the Client Secret to copy the secret value and save it. You will need this value for a later step.

    Copy Shared Secret

Create an Okta Authorization Server

To ensure Okta issues OIDC tokens with the correct claims, you must create a custom Authorization Server. A custom Authorization Server is required to customize the authorization tokens issued by Okta so that they contain the necessary OIDC claims required by Palette and Kubernetes.

  1. Navigate to Security --> API and on the Authorization Servers tab and click Add Authorization Server.

    Add Authorization Server

  2. Enter a name for the server, for example Palette OIDC. For the Audience field, enter the client identifier that you saved in step 10. Optionally provide a description. Then click Save.

    Name Authorization Server

  3. Navigate to the Claims tab and click Add Claim.

    Add Claims

  4. Enter the required information from the following tables below and click Create. Use this flow to create three claims in total. First, create two claims for the user information.

    Claim NameInclude in token typeValue TypeValueDisable claimInclude In
    u_first_nameID Token (Always)Expressionuser.firstNameUncheckedAny scope
    u_last_nameID Token (Always)Expressionuser.lastNameUncheckedAny scope
  5. Next, create a claim for group membership. The example below will include the names of any groups that the Okta user is a member of, that start with palette-, in the groups claim of the ticket. For Palette SSO, Palette will make the user a member of Teams in Palette that have the identical name.

    Claim NameInclude in token typeValue TypeFilterDisable claimInclude In
    groupsID Token (Always)GroupsStarts with: palette-UncheckedAny scope

    Claims Result

  6. Click on <-- Back to Authorization Servers at the top of the page to navigate back to the list of all servers. The authorization server you created is displayed in the list. Select the Issuer URI shown and copy it to the clipboard. Save this value as you will use it in a later step.

    Get Issuer URI

  7. Navigate to the Access Policies tab and click Add Policy.

    Add Access Policy

  8. Set the Name and Description fields to Palette, then change the Assign to option to the Okta Application you created in step three -Spectro Cloud Palette OIDC. Type in the first few characters of the application name and wait for a search result to come up that you can click on.

    Name Access Policy

  9. Click the Add rule button to add a rule to this Access Policy:

    Add Policy Rule

  10. Set the Rule Name to AuthCode. Then deselect all Grant types but one, only leaving Authorization Code selected. Then click Create Rule.

    Configure Policy Rule

You have now completed all configuration steps in Okta.

Enable OIDC SSO in Palette

  1. Open a web browser and navigate to your Palette subscription. From the left Main Menu, select Tenant Settings and click on SSO. Next click on OIDC. Enter the following information.

    ParameterValue
    Issuer URLThe Issuer URI that you saved in step 15.
    Client IDThe client identifier that you saved in step 10.
    Client SecretThe shared secret that you generated in step 11.
    Default TeamsLeave blank if you don't want users without group claims to be assigned to a default group. If you do, enter the desired default group name. If you use this option, be careful with how much access you assign to the group.
    ScopesKeep openid, profile and email as the default.
    EmailKeep email as the default.
    First NameSet this to u_first_name.
    Last NameSet this to u_last_name.
    Spectro TeamKeep groups as the default.

Enable Palette OIDC SSO

  1. When all the information has been entered, click Enable to activate SSO. You will receive a message stating OIDC configured successfully.

Create Teams in Palette

The remaining step is to create teams in Palette for the group that you allowed to be passed in the OIDC ticket in Okta, and give them the appropriate permissions. For this example, you will create the palette-tenant-admins team and give it Tenant Admin permissions. You can repeat this for any other team that you have a matching Okta group for.

  1. Open a web browser and navigate to your Palette subscription. Navigate to Tenant Settings --> Users & Teams --> Teams tab, and click + Create Team.

    Create Palette Team

  2. Specify palette-tenant-admins in the Team name field. You don't need to set any members now, as this will happen automatically from the SSO. Click Confirm to create the team.

    Name Palette Team

  3. The list of teams displays again. Select the newly created palette-tenant-admins team to review its details. To give this team administrative access to the entire tenant and all the projects in it, assign the Tenant Admin role. Select Tenant Roles and click + Add Tenant Role:

    Palette Tenant Roles

  4. Click on Tenant Admin to enable the role. Click Confirm to add the role.

    Add Tenant Role

    You will receive a message stating Roles have been updated. Repeat this procedure for any other teams while ensuring they are given the appropriate access permissions.

  5. Click the X next to Team Details in the top left corner to exit this screen.

You have now successfully configured Palette SSO based on OIDC with Okta.

Validate

  1. Log in to Palette through SSO as a user that is a member of the palette-tenant-admins group in Okta to verify that users are automatically added to the palette-tenant-admins group in Palette. If you're still logged into Palette with a non-SSO user, log out by selecting Logout in the User Drop-down Menu at the top right.

    User Logout

  2. The Palette login screen now displays a Sign in button and no longer presents a username and password field. Below the Sign In button, there is an SSO issues? --> Use your password link. This link can be used to bypass SSO and log in with a local Palette account in case there is an issue with SSO and you need to access Palette without SSO. Click on the Sign in button to log in via SSO.

    User SSO Login

  3. If this is the first time you are logging in with SSO, you will be redirected to the Okta login page. Depending on your organization's SSO settings, this could be a simple login form or require MFA (Multi-Factor Authentication).

    info

    Make sure you log in as a user that is a member of the palette-tenant-admins group in Okta. Once authenticated, you will automatically be redirected back to Palette and logged into Palette as that user.

  4. You are now automatically added to the palette-tenant-admins team in Palette. To verify, navigate to the left Main Menu, select Tenant Settings --> Users & Teams --> Teams tab. Click the palette-tenant-admins team and view the team members section.

Resources