SSO - Okta

Objective

This document provides instructions on how to configure Okta Single Sign-on (SSO) integration to F5® Distributed Cloud Services for your enterprise account. For an overview of F5® Distributed Cloud Console, see About.

Note: SSO setup requires you to be of the tenant owner type user. Navigate to General > IAM > Users. Select on the Show/hide column, select the Type field, and select Apply to display the Type column. For the tenant owner, the Type column displays Tenant Owner and others, it displays User.

Prerequisites

The following prerequisites apply:

A valid Enterprise account.

Note: If you do not have an account, see Create an Account.

Okta Account.
A configured identity provider such as Google.

Configuration Steps

Configuring SSO using Okta in F5® Distributed Cloud Console includes performing the following actions:

Configure the OIDC authentication application in Okta.
Enable SSO using Okta in the Console.

Configure OIDC Authentication Application in Okta

Configuring OIDC authentication application in Okta includes creating an identity provider type and an application for your SSO in Okta. Also, it requires whitelisting the redirect URI in your identity provider.

This example shows configuring Okta with Google as the identity provider.

Note: Creating OAuth credentials in Google is required for this step. For more information, see SSO-Google guide.

Perform the following actions to configure the OIDC app in Okta:

Note: Skip to step 4 if you have Okta user accounts created.

Step 1: Log into Okta and start new identity provider configuration.

Log into Okta portal with your administrator access.
Select Admin, if available.

Figure: Okta Login View

Select Security > Identity Providers.

Figure: New Identity Creation

Select + Add Identity Provider button.
Select Add Google in Add Identity Provider drop-down menu.

Figure: Select Google As the Identity Provider

Step 2: Obtain the OAuth information from the identity provider and add to the Okta identity provider configuration.

Obtain the OAuth details from the identity provider.
Add the details in the GENERAL SETTINGS of the Okta identity provider configuration.

Note: This example sets name, client ID, and client secret obtained from Google OAuth settings.

Figure: Identity Provider Client and Secret Settings

Select Add Identity Provider button.
Copy URL in Redirect URI box.

Step 3: Add the redirect URI to the white list of the identity provider OAuth client configuration.

This example shows adding redirect URI to the Google client ID configuration:

Log into Google credentials app.
Select client ID configuration.
Enter redirect URI obtained in previous step in Authorized redirect URIs box.

Figure: Redirect URI Option in Google

Figure: Redirect URI Addition to Google

Select Save.

Note: Above steps assumes Okta account is ready and user can login. If your Okta account needs integration with other identity providers, or if Okta is being used as broker, admin can refer at Okta Integration Guide or OpenID Connect for (SAML) to connect to external identity providers.

Step 4: Create application for SSO in Okta.

Select Applications > Applications.
Select Create App Integration button.

Figure: User Assignment

Select OICD - Open ID Connect in Sign-in method section.

Note: App section appears below when Sign-in method selection is made.

Select Web Application in Application Type section.
Select Next button.

Figure: OIDC Integration Creation

Enter an application name.
Enter URL in Login redirect URIs box.
Select Save.

Note: The application gets created.

Figure: OIDC Integration Creation

Select General settings tab of created application.
Scroll down to Client Credentials box.
Note down the values of the Client ID and Client secret boxes.

Figure: Client ID and Secret Values

Obtain the well-known URL for your Okta account.

Note: The following is an example well-known URL for Okta where the vesvolterraus represents the subdomain part for a sample account.

https://vesvolterraus.okta.com/.well-known/openid-configuration

Note: The client ID, client secret, and well-known URL fields are required in SSO configuration in F5® Distributed Cloud Console.

Step 5: Configure user and group settings in Okta.

Select Security > Identity Providers.
Select the Routing Rules tab.
Select Add Routing Rule and configure rules for users.
Select the identity provider you created in the THEN field.
Select Create Rule button.
Select Activate rule in pop-up window.

Figure: Rule Creation

Optionally, specify users and groups for which Okta-based SSO needs to be enabled. Perform the following:
- Select Applications > Applications.
- Select Assign Users to App button.
  
  Figure: User Assignment
- Check box in Applications options as needed.
- Check box in People options as needed.
  
  Figure: User Assignment
- Select Next button.
- Complete setup process.

Enable SSO Using Okta in Console

Step 1: Start SSO setup in the F5 Distributed Cloud Console.

Features can be viewed, and managed in multiple services.

This example shows SSO setup in Administration.

Open F5 Distributed Cloud Console homepage, select Administration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

Select Tenant Settings in left column menu > select Tenant Options.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

Select Set up SSO button.

Figure: SSO

Select Okta in Please choose a service Provider in pop-up window.
Select Continue button.

Step 2: Configure clients identity.

In the Create Clients ID screen, configure client ID and client secret.

Figure: SSO Create Clients ID

Enter the client ID and secret obtained in Step 4 of the Configure OIDC Authentication Application in Okta chapter in the Client ID and Client Secret fields respectively.
Enter the well-known URL obtained in Step 4 of the Configure OIDC Authentication Application in Okta chapter in the Import from well-known URL field.
Selection Import. The fields such as Authorization URL and Token URL get populated.
Select Continue button.

Step 3: Copy Redirect URL.

Copy the displayed values of the Redirect URL field in the Redirect URI screen.

Note: This is used in next step.

Select Done.

Figure: Redirect URL

Step 4: Add Redirect URL in Okta Application Settings.

Log into Okta, open General tab of your application settings.
Select Edit.

Figure: Okta Application General Settings
Navigate to LOGIN section in, enter the redirect URL copied in previous step to the Login redirect URIs box.
Add the value of call back url to Initiate login URI box.

Note: You can obtain this from the settings of your identity provider by navigating to Security > Identity Providers.

Save the settings.

Note: The field Logout redirect URIs gets automatically populated.

Step 5: Complete SSO Setup.

Log out of F5 Distributed Cloud Console.

Note: The subsequent logins get serviced through Okta.

Concepts

API References

OIDC Provider