Configuring Single Sign-On for Sample Application
Log in to the Okta admin dashboard. You can use a free developer account or configure your existing account.
A new authorization server is required because Animal Rescue needs its own set of scopes and claims.
Okta provides two management interfaces, “Classic UI” and “Developer Console”. This guide uses the “Developer Console”, but all of the configuration is available in the Classic UI as well.
- Go to API -> Authorization Servers and click “Add Authorization Server”.
- Use “Animal Rescue” as the name and set an audience.
- Now go to the newly created server's settings page and copy the value of the “Issuer” field. This is used as `issuer-uri` during gateway setup.
- Switch to the “Scopes” tab and add a new scope `animals.adopt` (with any display name and description), then set “User Consent” and “Metadata Publish” to
- Switch to the “Claims” tab and add a new claim `groups`; set “Include in token type” to always include it in the ID Token, and set the value type to “Groups” with a filter matching regex “.*” (so all groups are included). Optionally, set “Include in” to the `groups` scope (you need to create that scope first) if you'd like to include group information only when that scope is requested and approved.
- Add a new claim `user_name`, set it to always be included in the ID token, and configure its value as `user.email`. Claim values are configured using the Okta Expression Language.
- Switch to the “Access Policies” tab and create a “Default” access policy assigned to all clients. Add a new rule allowing the `authorization_code` grant for any user and any scope.
Navigate to “Users -> People” from the main menu
- Click “Add Person” and fill in all required fields.
Navigate to “Users -> Groups” from the main menu
- Click “Add Group” and create “Adopter” group.
- Click “Manage People” in the “Adopter” group and add the accounts you created above.
Create a new application
Navigate to “Applications” in the main menu.
- Click “Add Application”, select “Web” from the platform list, and configure the application name.
- In “Login redirect URIs” add
- Enable “Authorization Code” grant type for the app.
- In the “Assignments” section, assign your test users to the app.
- Copy “Client ID” and “Client Secret”.
After you have completed the steps above, you should have the following values:
- Issuer URI. This must be the value from the authorization server you created, not your account's Okta domain.
- Client ID
- Client secret
- One or two test users, ideally in different groups, for testing
Make sure you have them before proceeding to the next step.
Clone the repo first.
```
scope=openid,profile,email,groups,animals.adopt
client-id=<client id>
client-secret=<client secret>
issuer-uri=<issuer uri>
```
If you decided to use the `groups` scope to get group information, make sure it is listed in
The Issuer URI must exactly match the value from the server configuration, including trailing slashes! You can always check the expected value by navigating to
```yaml
sso:
  secret: animal-rescue-sso
  roles-attribute-name: "groups"
```
The default value is “roles”; alternatively, you can configure Okta to return a “roles” claim instead of “groups”.
`/api/animals/*/adoption-requests/**` route if you'd like to use scopes to authorize access to the Adoption Request API, or `Roles=Adopter` if you'd like to use roles. You can keep both filters as well.
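The snippet below is an added example, not code from the Animal Rescue project or from Spring Cloud Gateway: it models the decision the gateway makes for the Adoption Request API once a token arrives, so you can see why the issuer must match character for character, what `roles-attribute-name` selects, and how a `Scopes=` or `Roles=` filter turns into a 200 or a 403 (the behaviour you test with the different users at the end of the guide). Everything in it is an assumption for the sake of a self-contained run: the tokens are HS256-signed with a constructed shared secret (Okta signs with RS256 and publishes its keys at the issuer's JWKS endpoint, which real verification must use), the issuer and client id are placeholders, scopes are read from an `scp` claim, and the function and variable names (`verify_token`, `authorize_request`, `decide`, `ROLES_ATTRIBUTE_NAME`) are invented here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders; in the real setup these come from Okta and the SSO secret.
ISSUER_URI = "https://dev-placeholder.okta.com/oauth2/ausPLACEHOLDER"  # placeholder issuer
EXPECTED_AUDIENCE = "0oaPLACEHOLDERCLIENTID"                            # placeholder audience
SIGNING_KEY = b"constructed-shared-secret-for-demo-only"                # assumption: HS256, not RS256
ROLES_ATTRIBUTE_NAME = "groups"  # mirrors roles-attribute-name in the sso block; default is "roles"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a constructed HS256 token so the example has something to verify."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never honour alg=none
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    # Exact string comparison: ".../oauth2/abc" and ".../oauth2/abc/" are different issuers,
    # which is why issuer-uri must match Okta's "Issuer" field including trailing slashes.
    if claims.get("iss") != ISSUER_URI:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch")
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


def authorize_request(claims: dict, required_scope: Optional[str] = None,
                      required_role: Optional[str] = None) -> int:
    """Return 200 or 403 the way a Scopes=... and/or Roles=... route filter would.

    Every configured filter must pass. Scopes come from the `scp` claim; roles come
    from the claim named by ROLES_ATTRIBUTE_NAME ("groups" in this guide).
    """
    if required_scope is not None and required_scope not in claims.get("scp", []):
        return 403
    if required_role is not None and required_role not in claims.get(ROLES_ATTRIBUTE_NAME, []):
        return 403
    return 200


def decide(token: str, required_scope: Optional[str] = None,
           required_role: Optional[str] = None, now: Optional[float] = None) -> int:
    """End to end: a token that fails verification is 401; otherwise apply the filters."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return 401
    return authorize_request(claims, required_scope, required_role)


def sample_claims(groups: list, scopes: list, exp_offset: int = 3600) -> dict:
    """Constructed claims for a test user, shaped like the groups/user_name claims above."""
    return {"iss": ISSUER_URI, "aud": EXPECTED_AUDIENCE, "sub": "test-user",
            "user_name": "adopter@example.com", "groups": groups,
            "scp": scopes, "exp": int(time.time()) + exp_offset}


if __name__ == "__main__":
    adopter = mint_token(sample_claims(["Everyone", "Adopter"], ["openid", "animals.adopt"]))
    visitor = mint_token(sample_claims(["Everyone"], ["openid"]))
    print(decide(adopter, required_scope="animals.adopt", required_role="Adopter"))  # 200
    print(decide(visitor, required_scope="animals.adopt", required_role="Adopter"))  # 403
```

Switching `ROLES_ATTRIBUTE_NAME` to `"roles"` without changing the Okta claim reproduces the symptom of a mismatched `roles-attribute-name`: every user, Adopter or not, gets 403 from a `Roles=Adopter` filter because the claim the gateway reads is simply absent.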
`kustomize build ./k8s | kubectl apply -f -`, or refer to the Animal Rescue README for the most up-to-date deployment instructions.
Navigate to your gateway URL.
If you are using a dynamic IP address, you may need to go back to Okta and add this address to the list of allowed redirect URIs.
Try logging in with different test users, both inside and outside the “Adopter” group, and add, edit or delete an adoption request. You should see a successful response or a “Request failed with status code 403” error message depending on your group memberships and approved scopes.