Add Okta setup docs

2026-04-18 16:36:35 +00:00 · 2023-05-29 15:46:29 +02:00
parent f44a42a769 235360bc55
commit 27f6b63763
8 changed files with 137 additions and 3 deletions
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/okta-generate-token.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/okta-generate-token.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/okta-native-application.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/okta-native-application.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/okta-native-sign-on-configuration.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/okta-native-sign-on-configuration.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/okta-new-native-application.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/okta-new-native-application.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/okta-new-single-page-application.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/okta-new-single-page-application.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/okta-single-page-application.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/okta-single-page-application.png
--- a/public/docs-static/img/integrations/identity-providers/self-hosted/okta-single-sign-on-configuration.png
+++ b/public/docs-static/img/integrations/identity-providers/self-hosted/okta-single-sign-on-configuration.png
--- a/src/pages/selfhosted/identity-providers.mdx
+++ b/src/pages/selfhosted/identity-providers.mdx
@@ -814,12 +814,146 @@ The file management.json is created automatically. Please refer [here](/docs/sel
 ```json
 {
  "ManagerType":  "authentik",
-  "AuthentikClientCredentials": {
+  "ClientConfig": {
      "Issuer": "https://<YOUR-AUTHENTIK-HOST-AND-PORT>",
      "ClientID": "<PROVIDER Client ID>",
      "TokenEndpoint": "https://<YOUR-AUTHENTIK-HOST-AND-PORT>/application/o/token",
      "GrantType": "client_credentials"
  },
  "ExtraConfig": {
      "Username": "Netbird",
      "Password": "<SERVICE ACCOUNT PASSWORD>",
      "GrantType": "client_credentials",
      "TokenEndpoint": "https://<YOUR-AUTHENTIK-HOST-AND-PORT>/application/o/token"
  }
 }
  ```
 ## Okta
 This guide is a part of the [NetBird Self-hosting Guide](/getting-started/self-hosting) and explains how to integrate 
 **self-hosted** NetBird with [Okta](https://www.okta.com/).
 <Note>
 If you prefer to have full control over authentication and authorization of your NetBird network, there are good self-hosted alternatives to the managed Okta service like [Keycloak](/integrations/identity-providers/self-hosted/using-netbird-with-keycloak).
 </Note>
 Before you start creating and configuring an Okta application, ensure that you have an Okta workforce identity cloud account. If you don't have one, sign up for a free account at https://www.okta.com/free-trial/.
 ### Step 1. Create and configure Okta single-page application
 In this step, we will create and configure Netbird single-page application in okta.
 - Navigate to Okta Admin Dashboard
 - Click `Applications` in the left menu and then click on `Applications`
 - Click `Create App Intergration`
 - Fill in the form with the following values and click `Next`
  - Sign-in method: `OIDC - OpenID Connect`
  - Application type: `Single-Page Application`
 ![](/docs-static/img/integrations/identity-providers/self-hosted/okta-new-single-page-application.png)
 - Fill in the form with the following values and click `Save`
    - App integration name: `Netbird`
    - Grant type: `Authorization Code` and `Refresh Token`
    - Sign-in redirect URIs: `https://<yournetbirddomain.com>/auth` and `https://<yournetbirddomain.com>/silent-auth`
    - Sign-out redirect URIs: `https://<yournetbirddomain.com>/`
 - Click `Save`
 ![](/docs-static/img/integrations/identity-providers/self-hosted/okta-single-page-application.png)
 - Navigate to Okta Admin Dashboard
 - Click `Applications` in the left menu and then click on `Applications`
 - Select `Netbird` application on the list and take a note of the `Client ID`, we will use it later
 - Click on `Sign On` tab on top menu
 - Under `OpenID Connect ID Token` section, click `Edit` and update `Issuer`  to use the `Okta URL`
 - Click `Save`
 ![](/docs-static/img/integrations/identity-providers/self-hosted/okta-single-sign-on-configuration.png)
 ### Step 2. Create and configure Okta native application
 In this step, we will create and configure Netbird native application in okta.
 - Navigate to Okta Admin Dashboard
 - Click `Applications` in the left menu and then click on `Applications`
 - Click `Create App Intergration`
 - Fill in the form with the following values and click `Next`
  - Sign-in method: `OIDC - OpenID Connect`
  - Application type: `Native Application`
 ![](/docs-static/img/integrations/identity-providers/self-hosted/okta-new-native-application.png)
 - Fill in the form with the following values and click `Save`
    - App integration name: `Netbird Native App`
    - Grant type: `Device Authorization`
 - Click `Save`
 ![](/docs-static/img/integrations/identity-providers/self-hosted/okta-native-application.png)
 - Navigate to Okta Admin Dashboard
 - Click `Applications` in the left menu and then click on `Applications`
 - Select `Netbird Native App` application on the list and take a note of the `Client ID`, we will use it later
 - Click on `Sign On` tab on top menu
 - Under `OpenID Connect ID Token` section, click `Edit` and update `Issuer`  to use the `Okta URL`
 - Click `Save`
 ![](/docs-static/img/integrations/identity-providers/self-hosted/okta-native-sign-on-configuration.png)
 ### Step 3. Generate api token
 In this step, we will generate netbird api token in okta for authorizing calls to user api.
 - Navigate to Okta Admin Dashboard
 - Click `Security` in the left menu and then click on `API`
 - Click on `Tokens` tab on top menu
 - Click `Create token`
 - Fill in the form with the following values and click `Create token`
    - Name: `Netbird`
 - Take note of token value and click `OK, got it`
 ![](/docs-static/img/integrations/identity-providers/self-hosted/okta-generate-token.png)
 Your authority OIDC configuration will be available under:
 ```
 https://< your_okta_organization_url >/.well-known/openid-configuration
 ```
 <Note>
    Double-check if the endpoint returns a JSON response by calling it from your browser.
 </Note>
 - Set properties in the `setup.env` file:
 ```json
 NETBIRD_DOMAIN="<your_domain>"
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<your_okta_organization_url>/.well-known/openid-configuration"
 NETBIRD_USE_AUTH0=false
 NETBIRD_AUTH_AUDIENCE="<netbird_client_id>"
 NETBIRD_AUTH_CLIENT_ID="<netbird_client_id>"
 NETBIRD_AUTH_REDIRECT_URI="/auth"
 NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
 NETBIRD_TOKEN_SOURCE="idToken"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<netbird_native_client_id>"
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<netbird_native_client_id>"
 NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid email"
 NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=true
 ```
 - You can now continue with the [NetBird Self-hosting Guide](/docs/selfhosted/selfhosted-guide#step-3-configure-identity-provider/docs/selfhosted/selfhosted-guide#step-3-configure-identity-provider).
 - Set property `IdpManagerConfig` in the `management.json` file with:
 <Note>
    The file management.json is created automatically. Please refer [here](/getting-started/self-hosting#step-5-run-configuration-script) for more information.
 </Note>
 ```json
 {
  "ManagerType": "okta",
  "ClientConfig": {
      "Issuer": "<ISSUER_URL>",
      "TokenEndpoint": "<ISSUER_URL>/oauth2/v1/token",
      "GrantType": "client_credentials"
  },
  "ExtraConfig": {
      "APIToken": "<api_token>",
  }
 }
 ```
 - Modify the value of the `AUTH_SUPPORTED_SCOPES` environment variable for the dashboard service in the docker-compose.yml file to `openid profile email`.