SSO - Okta

Objective

This document provides instructions on how to configure Okta Single Sign-on (SSO) integration to F5® Distributed Cloud Services for your enterprise account. For an overview of F5® Distributed Cloud Console, see About.

Note: SSO setup requires a user of the Tenant Owner type. To check your type, navigate to General > IAM > Users, select Show/hide column, select the Type field, and select Apply to display the Type column. For the tenant owner, the Type column displays Tenant Owner; for all other users, it displays User.


Prerequisites

The following prerequisites apply:

  • Okta Account.

  • A configured identity provider such as Google.


Configuration Steps

Configuring SSO using Okta in F5® Distributed Cloud Console includes performing the following actions:

  • Configure the OIDC authentication application in Okta.

  • Enable SSO using Okta in the Console.

Configure OIDC Authentication Application in Okta

Configuring the OIDC authentication application in Okta includes creating an identity provider type and an application for your SSO in Okta. It also requires whitelisting the redirect URI in your identity provider.

This example shows configuring Okta with Google as the identity provider.

Note: Creating OAuth credentials in Google is required for this step. For more information, see the SSO-Google guide.

Perform the following actions to configure the OIDC app in Okta:

Note: Skip to step 4 if you have Okta user accounts created.

Step 1: Log into Okta and start new identity provider configuration.
  • Log into Okta portal with your administrator access.

  • Select Admin, if available.

Figure: Okta Login View
  • Select Security > Identity Providers.
Figure: New Identity Creation
  • Select + Add Identity Provider button.

  • Select Add Google in Add Identity Provider drop-down menu.

Figure: Select Google As the Identity Provider
Step 2: Obtain the OAuth information from the identity provider and add to the Okta identity provider configuration.
  • Obtain the OAuth details from the identity provider.

  • Add the details in the GENERAL SETTINGS of the Okta identity provider configuration.

Note: This example sets name, client ID, and client secret obtained from Google OAuth settings.

Figure: Identity Provider Client and Secret Settings
  • Select Add Identity Provider button.

  • Copy URL in Redirect URI box.

Step 3: Add the redirect URI to the white list of the identity provider OAuth client configuration.

This example shows adding redirect URI to the Google client ID configuration:

  • Log into Google credentials app.

  • Select client ID configuration.

  • Enter redirect URI obtained in previous step in Authorized redirect URIs box.

Figure: Redirect URI Option in Google
Figure: Redirect URI Addition to Google
  • Select Save.

Note: The above steps assume that the Okta account is ready and the user can log in. If your Okta account needs integration with other identity providers, or if Okta is being used as a broker, the admin can refer to the Okta Integration Guide or OpenID Connect for (SAML) to connect to external identity providers.

Step 4: Create application for SSO in Okta.
  • Select Applications > Applications.

  • Select Create App Integration button.

Figure: User Assignment
  • Select OIDC - OpenID Connect in Sign-in method section.

Note: App section appears below when Sign-in method selection is made.

  • Select Web Application in Application Type section.

  • Select Next button.

Figure: OIDC Integration Creation
  • Enter an application name.

  • Enter URL in Login redirect URIs box.

  • Select Save.

Note: The application gets created.

Figure: OIDC Integration Creation
  • Select General settings tab of created application.

  • Scroll down to Client Credentials box.

  • Note down the values of the Client ID and Client secret boxes.

Figure: Client ID and Secret Values
  • Obtain the well-known URL for your Okta account.

Note: The following is an example well-known URL for Okta, where vesvolterraus represents the subdomain part for a sample account.

https://vesvolterraus.okta.com/.well-known/openid-configuration

Note: The client ID, client secret, and well-known URL fields are required in SSO configuration in F5® Distributed Cloud Console.

Step 5: Configure user and group settings in Okta.
  • Select Security > Identity Providers.

  • Select the Routing Rules tab.

  • Select Add Routing Rule and configure rules for users.

  • Select the identity provider you created in the THEN field.

  • Select Create Rule button.

  • Select Activate rule in pop-up window.

Figure: Rule Creation
  • Optionally, specify users and groups for which Okta-based SSO needs to be enabled. Perform the following:

    • Select Applications > Applications.

    • Select Assign Users to App button.

      Figure: User Assignment
    • Check box in Applications options as needed.

    • Check box in People options as needed.

      Figure: User Assignment
    • Select Next button.

    • Complete setup process.


Enable SSO Using Okta in Console

Step 1: Start SSO setup in the F5 Distributed Cloud Console.

Features can be viewed and managed in multiple services.

This example shows SSO setup in Administration.

  • Open F5 Distributed Cloud Console homepage, select Administration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm that the Namespace drop-down selector, located in the upper-left corner, shows the correct namespace. The selector is not available in all services.

  • Select Tenant Settings in left column menu > select Tenant Options.

Note: If the options are not visible, select the Show link in Advanced nav options in the bottom-left corner. If needed, select Hide to minimize the Advanced nav options.

  • Select Set up SSO button.
Figure: SSO
  • Select Okta in Please choose a service Provider in pop-up window.

  • Select Continue button.

Step 2: Configure clients identity.

In the Create Clients ID screen, configure client ID and client secret.

Figure: SSO Create Clients ID
  • Enter the client ID and secret obtained in Step 4 of the Configure OIDC Authentication Application in Okta chapter in the Client ID and Client Secret fields respectively.

  • Enter the well-known URL obtained in Step 4 of the Configure OIDC Authentication Application in Okta chapter in the Import from well-known URL field.

  • Select Import. Fields such as Authorization URL and Token URL get populated.

  • Select Continue button.
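
The Import action above reads the OIDC discovery document served at the well-known URL noted in the Okta steps. The following is an added example, not F5 or Okta code, that checks such a document before it is trusted; the sample document is constructed, and the same-host rule for endpoints is a local policy assumption rather than an OIDC requirement.

```python
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
WELL_KNOWN_URL = "https://vesvolterraus.okta.com" + SUFFIX  # sample URL from this page

# Constructed sample shaped like an OIDC discovery document; values are illustrative.
SAMPLE_DOC = json.dumps({
    "issuer": "https://vesvolterraus.okta.com",
    "authorization_endpoint": "https://vesvolterraus.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://vesvolterraus.okta.com/oauth2/v1/token",
    "jwks_uri": "https://vesvolterraus.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
})

def check_discovery(well_known_url, raw_doc):
    """Return a list of findings; an empty list means the document is consistent."""
    if not well_known_url.endswith(SUFFIX):
        return [f"URL does not end with {SUFFIX}"]
    expected_issuer = well_known_url[: -len(SUFFIX)]
    problems = []
    if urlsplit(well_known_url).scheme != "https":
        problems.append("well-known URL is not https")
    try:
        doc = json.loads(raw_doc)
    except ValueError:
        return problems + ["document is not valid JSON"]
    if not isinstance(doc, dict):
        return problems + ["document is not a JSON object"]
    # OIDC Discovery: issuer must equal the retrieval URL minus the well-known suffix.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    host = urlsplit(expected_issuer).hostname
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field)
        if not isinstance(value, str):
            problems.append(f"{field} missing")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{field} is not https")
        if parts.hostname != host:  # policy assumption: endpoints live on the issuer host
            problems.append(f"{field} host {parts.hostname!r} differs from issuer host")
    # A Web Application integration uses the authorization code flow.
    supported = doc.get("response_types_supported")
    if not isinstance(supported, list) or "code" not in supported:
        problems.append("authorization code flow ('code') not advertised")
    return problems
```

To check a live tenant, pass the body fetched from your own well-known URL as raw_doc; any finding is a reason to stop before importing.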

Step 3: Copy Redirect URL.
  • Copy the displayed values of the Redirect URL field in the Redirect URI screen.

Note: This is used in next step.

  • Select Done.
Figure: Redirect URL
Step 4: Add Redirect URL in Okta Application Settings.
  • Log into Okta, open General tab of your application settings.

  • Select Edit.

    Figure: Okta Application General Settings
  • Navigate to the LOGIN section and enter the redirect URL copied in the previous step in the Login redirect URIs box.

  • Add the value of the callback URL to the Initiate login URI box.

Note: You can obtain this from the settings of your identity provider by navigating to Security > Identity Providers.

  • Save the settings.

Note: The field Logout redirect URIs gets automatically populated.

Step 5: Complete SSO Setup.

Log out of F5 Distributed Cloud Console.

Note: The subsequent logins get serviced through Okta.

