Okta
This page explains how to use Okta as the identity provider (IdP) to manage access to API Portals.
Introduction
You can use Okta as an IdP for Traefik Hub.
Okta is an identity and access management (IAM) service that provides authentication and authorization.
Once Okta is enabled and successfully configured in the dashboard, Traefik Hub will synchronize users and groups from Okta into Traefik Hub.
After the initial sync, Traefik Hub will sync once an hour with Okta.
When authenticating to the API Portal, the user is matched against the latest known synchronization point in the Traefik Hub database.
Traefik Hub will not automatically list all users after synchronization. Users will only be listed after a first successful login into Traefik Hub.
Shared Data Between Traefik Hub and Okta
The following data is shared between Traefik Hub and Okta:
- Organization URL: URL of your Okta organization.
- Issuer URL: The full URL of the Okta authorization server.
- Token: Okta API token, used to authenticate requests to Okta APIs (encrypted).
- Users and Groups: Configured in the Okta instance settings.
Before You Begin
If you replace your Traefik Hub internal IdP with an external IdP, all users, user groups, and tokens created by the internal IdP will be deleted.
This action is irreversible!
This article assumes that you already have a configured Okta tenant.
Configuration
Once you have configured your Okta account settings, Traefik Hub will automatically create an integration application in Okta and will sync your groups from Okta to Traefik Hub.
Users will only be listed in Traefik Hub after a successful login into an API Portal.
First, select Auth settings in the left navigation menu to get to the IdP overview page in the dashboard, then select Okta as an external IdP.
In the next step, configure your Okta settings: the URL of your Okta organization, the full URL of your Okta authorization server, and the token.
Field | Description | Required |
---|---|---|
Organization URL | URL of your Okta organization. Typically, the org URL is the tenant name (the subdomain) followed by the domain name. For example, https://my-org.okta.com | Yes |
Issuer URL | The full URL of the Okta authorization server. For example, http://my-org.okta.com/oauth2/pquz96guaw5Yoi6Qcc586. You can find more information about authorization servers in the Okta documentation. | Yes |
Token | Okta API token, used to authenticate requests to Okta APIs. | Yes |
Once you're done, you can test your configuration by selecting Test connection.
If the connection is working, save your configuration by selecting Save.
In the last step, you have to confirm the configuration changes.
Please make sure to read the displayed message and follow the needed steps for confirmation!
If you already have users and groups configured, these accounts and all related user data, including tokens, will be deleted from Traefik Hub.
Please do not try to change your configuration during the synchronization process!
Traefik Hub will sync with your Okta tenant immediately after confirming your configuration.
From then on, Traefik Hub is configured to use Okta as its IdP.
The user overview page in the dashboard will not automatically show all users. Users will only be listed after a successful login into an API Portal.
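Because confirming the configuration deletes existing users, groups and tokens, it is worth checking the Organization URL and Issuer URL before entering them. The following is an added example, not Traefik Hub code: `check_okta_idp_settings` and its rules (HTTPS organization URL, issuer on the same origin, the `/oauth2/<id>` path shape from the table's example, and an exact match with the issuer advertised in the authorization server's `/.well-known/openid-configuration` document) are assumptions of this sketch, and the sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: path shape taken from the Issuer URL example in the table,
# /oauth2/<authorization server id>.
ISSUER_PATH = re.compile(r"^/oauth2/[A-Za-z0-9]+$")


def check_okta_idp_settings(org_url, issuer_url, discovery=None):
    """Return a list of findings; an empty list means every check passed.

    discovery is the parsed JSON served at
    <issuer_url>/.well-known/openid-configuration, fetched by the caller.
    """
    findings = []
    org, iss = urlsplit(org_url), urlsplit(issuer_url)

    if org.scheme != "https" or not org.hostname:
        findings.append("organization URL must be an https:// URL with a host")
    if org.path not in ("", "/") or org.query or org.fragment:
        findings.append("organization URL must not carry a path, query or fragment")
    # The authorization server is expected under the organization's own origin.
    if (iss.scheme, iss.hostname, iss.port) != (org.scheme, org.hostname, org.port):
        findings.append("issuer URL must use the same scheme and host as the organization URL")
    if not ISSUER_PATH.match(iss.path) or iss.query or iss.fragment:
        findings.append("issuer URL path must look like /oauth2/<authorization-server-id>")
    # OpenID Connect Discovery: the advertised issuer must equal the configured
    # issuer exactly, so a stray trailing slash or wrong server id shows up here.
    if discovery is not None and discovery.get("issuer") != issuer_url:
        findings.append("discovery document advertises a different issuer")
    return findings


# Constructed sample values; the tenant name and server id reuse the page's examples.
ORG = "https://my-org.okta.com"
ISSUER = "https://my-org.okta.com/oauth2/pquz96guaw5Yoi6Qcc586"
DISCOVERY = {"issuer": ISSUER}  # constructed stand-in for the discovery document

if __name__ == "__main__":
    print(check_okta_idp_settings(ORG, ISSUER, DISCOVERY))
    # Look-alike host: fails the same-origin check and the discovery match.
    print(check_okta_idp_settings(ORG, "https://my-org.okta.com.example/oauth2/abc", DISCOVERY))
```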
Synchronization
Traefik Hub will automatically sync every 60 minutes with your Okta tenant. After a first successful synchronization, you can initiate a sync at any time by selecting the Synchronize button.
Login with Okta
Head over to your API Portal and log in with Okta.
Related Content
- Learn how to use JWT for API requests in the API Portal.