Okta

  1. Create A New App In Okta

    The first step is to create a new Okta App for vCluster.Pro.

    Okta - Create a new App in Okta

    Next, select the "Web" app type and make sure OpenID Connect is the single sign-on method.

    Okta - Web App with OpenID Connect as single sign on method

    In the next screen make sure the login redirect URIs contain your vCluster.Pro instance domain:

    # Replace ${my-loft-domain.com} with your vCluster.Pro domain
    https://${my-loft-domain.com}/auth/oidc/callback
    Okta - The App settings for vCluster.Pro
  2. Enable Refresh Tokens

    After creating an Okta app for vCluster.Pro, ensure that "Refresh Token" is checked under "Allowed grant types". Otherwise your users will have to log in again every time a session expires.

    Okta - App Settings: Enable Refresh Tokens
  3. Enable Group Claims

    If you want to propagate a user's groups to vCluster.Pro, make sure the Group Filters in Okta are set accordingly. If you want to propagate all groups, add a RegEx filter with '.*'.

    Okta - Propagate User Groups To vCluster.Pro
  4. Configure vCluster.Pro To Use Okta

    Okta - Client ID and Secret For App

    After configuring Okta for vCluster.Pro, navigate to Admin > Config in vCluster.Pro and enter the following configuration:

    auth:
      oidc:
        issuerUrl: "https://${MY-OKTA-SUBDOMAIN}.okta.com"
        clientId: CLIENT_ID
        clientSecret: CLIENT_SECRET
        groupsClaim: groups
        # This is needed because Okta uses thin ID tokens
        # that do not contain the groups directly
        getUserInfo: true
    vCluster.Pro - Configure vCluster.Pro To Use Okta
  5. Add Users via Okta Assignments

    Also make sure that, in Okta, you have assigned the Users and Groups that should have access to vCluster.Pro.

    Okta - Assign Users & Groups To vCluster.Pro

    After users or their groups are assigned to vCluster.Pro, they will be able to log in via Okta:

    vCluster.Pro - SSO via Okta
  6. Disable Username + Password Authentication (optional)

    To disable password-based authentication, navigate to Admin > Config and add these two lines to your config:

    auth:
      oidc: ... # This is your SSO configuration (make sure this is working!)
      password:
        disabled: true # Disable password-based authentication
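
Before disabling password login in step 6, the `oidc` block from step 4 can be checked against the issuer's OIDC discovery document, which is served at the URL `discovery_url` returns. This is an added example, not vCluster.Pro or Okta code: the function names, the `example.okta.com` tenant and both sample dictionaries are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed samples (not captured from a real tenant): the discovery
# document an issuer serves, and the step 4 oidc block parsed into a dict.
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com",
    "userinfo_endpoint": "https://example.okta.com/oauth2/v1/userinfo",
    "grant_types_supported": ["authorization_code", "refresh_token"],
}
SAMPLE_OIDC = {
    "issuerUrl": "https://example.okta.com",
    "clientId": "constructed-client-id",
    "clientSecret": "constructed-client-secret",
    "groupsClaim": "groups",
    "getUserInfo": True,
}
PLACEHOLDERS = {"", "CLIENT_ID", "CLIENT_SECRET"}


def discovery_url(issuer_url):
    """Where an OIDC issuer publishes its metadata (OIDC Discovery 1.0)."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def preflight(oidc, discovery):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    issuer = oidc.get("issuerUrl", "")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.hostname or "$" in issuer:
        problems.append("issuerUrl: need https URL with placeholder replaced")
    # The issuer string is compared exactly; a trailing slash is a mismatch.
    if discovery.get("issuer") != issuer:
        problems.append("issuerUrl: differs from issuer in discovery document")
    for key in ("clientId", "clientSecret"):
        if str(oidc.get(key, "")) in PLACEHOLDERS:
            problems.append(f"{key}: still empty or a placeholder")
    if oidc.get("groupsClaim") and not oidc.get("getUserInfo"):
        problems.append("getUserInfo: must be true to read groups (thin ID token)")
    if oidc.get("getUserInfo") and not discovery.get("userinfo_endpoint"):
        problems.append("getUserInfo: issuer publishes no userinfo_endpoint")
    # Issuer-level support only; the app's own grant types are set in step 2.
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if "refresh_token" not in grants:
        problems.append("refresh tokens: issuer does not list refresh_token grant")
    return problems
```

An empty result only shows the configuration is self-consistent; a real SSO login by an assigned user is still the test to pass before setting `password.disabled: true`.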