Integrate HashiCorp Vault with Okta
Configure Okta as the identity provider for HashiCorp Cloud Platform (HCP) Vault. You can complete the integration using HCP Vault Dedicated or HCP Vault. You can also use HCP Community Edition in developer mode.
This page helps you configure the HCP Vault cluster and integrate the app in Okta.
Before you begin
- You have permission to manage users, groups, and apps in Okta.
- You have an HCP Vault account.
- You've reviewed the OIDC authentication with Okta guide.
- You've installed the Vault CLI on your local system. See Install Vault.
- If you're using HCP Vault Dedicated, you've completed these steps:
    - You've reviewed the HCP Vault Dedicated developer guide.
    - You've created an HCP Vault virtual network.
    - You have a Vault cluster with a public address and the development tier or higher. See Create a Vault cluster.
Configure the HCP Vault cluster
Complete these steps in either HCP Vault Dedicated or HCP Vault.
HCP Vault Dedicated
- Sign in to HCP Vault.
- Select Vault Dedicated from the left navigation pane.
- Select Clusters, and then select vault-cluster from the Vault clusters list. The vault-cluster page opens.
- Scroll to the Cluster URLs section and copy the public URL.
- Open a terminal and run this command. Replace [Public_Cluster_URL] with the value that you copied in the previous step:
    export VAULT_ADDR=[Public_Cluster_URL]
- On the vault-cluster page, click Generate token to create an admin token.
- Click Copy.
- In the terminal, run this command. Replace [token] with the value that you copied in the previous step:
    export VAULT_TOKEN=[token]
- Run this command to set the VAULT_NAMESPACE variable to admin:
    export VAULT_NAMESPACE=admin
- Run vault status to verify that you're connected to the HCP Vault cluster:
    vault status
  The terminal displays a list of keys and their values.
- Run this command to view the authentication methods enabled on the HCP Vault cluster:
    vault auth list
HCP Vault
You can use the Vault root token for these steps. However, Okta recommends that you only use the root token during your initial setup or in an emergency.
- Open a terminal and run this command to start a development server with the root token:
    vault server -dev -dev-root-token-id root
  The server is initialized and unsealed. By default, it listens at 127.0.0.1:8200.
  Don't run a Vault development server in a production environment: the development server stores all data in memory and provides less security than a production configuration.
- Run this command so the Vault CLI can reach the HCP Vault server:
    export VAULT_ADDR=http://127.0.0.1:8200
- Run this command so the Vault CLI can authenticate with the HCP Vault server:
    export VAULT_TOKEN=root
Configure the app in Okta
- In the Admin Console, go to .
- Click Browse App Catalog.
- Search for and select HashiCorp Vault, and then click Add Integration.
- In a terminal, run this command to retrieve the Vault cluster address that's stored in the VAULT_ADDR variable:
    echo $VAULT_ADDR
- Copy the address and paste it in the Address field.
- Go to the Sign On tab (sometimes labeled Authentication), and scroll to the Advanced Sign-on Settings section. Complete these fields:
    - Path Variable: Leave this field blank to use the default oidc mount path. If you enter a custom value, enter the path exactly as it appears in the output of this command, excluding slashes:
        vault auth list
    - Listening Port: Leave this field blank to use the default port, 8250. Only use a custom port if you've configured HCP Vault to listen on a different port.
- Go to the General tab and copy the Client ID.
- In a terminal, run this command. Replace [CLIENT_ID] with the value that you copied in the previous step:
    export OKTA_CLIENT_ID=[CLIENT_ID]
- On the General tab, copy the Client secret.
- In a terminal, run this command. Replace [CLIENT_SECRET] with the value that you copied in the previous step:
    export OKTA_CLIENT_SECRET=[CLIENT_SECRET]
- In the Admin Console, click your username at the top right, and copy your org URL.
- In a terminal, run this command. Replace [OKTA_DOMAIN] with the value that you copied in the previous step:
    export OKTA_DOMAIN=[OKTA_DOMAIN]
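Before moving on to the Vault-side OIDC configuration, the variables exported above and the Path Variable value can be sanity-checked with the script below. This is an added example, not part of Okta's or HashiCorp's documentation; it assumes OKTA_DOMAIN holds the full org URL including https://, and the `vault auth list` output it parses is a constructed sample so the check runs offline.

```shell
#!/bin/bash
# Added example (not Okta's or HashiCorp's code): verify the exported
# variables, and confirm that the value typed into the Okta "Path Variable"
# field matches an oidc-type mount shown by `vault auth list`.

# Constructed sample of `vault auth list` text output (accessors are made up).
SAMPLE_AUTH_LIST='Path      Type     Accessor                 Description
----      ----     --------                 -----------
oidc/     oidc     auth_oidc_0000aaaa       n/a
token/    token    auth_token_1111bbbb      token based credentials'

# Usage: check_auth_mount <path-variable-value> [auth-list-text]
# Returns 0 when an oidc-type mount exists at that path, 1 otherwise.
# Leading and trailing slashes are stripped, because the Okta field
# expects the path without slashes while `vault auth list` prints "path/".
check_auth_mount() {
  path=$(printf '%s' "$1" | sed 's#^/*##; s#/*$##')
  listing=${2:-$(vault auth list)}        # live listing when no sample given
  [ -n "$path" ] || return 1
  printf '%s\n' "$listing" | grep -Eq "^${path}/[[:space:]]+oidc[[:space:]]"
}

# Usage: check_env   (reads the exported variables; prints each problem found)
# Assumption: OKTA_DOMAIN is the full org URL with an https:// scheme.
check_env() {
  rc=0
  case "${VAULT_ADDR:-}" in
    http://*|https://*) ;;
    *) echo "VAULT_ADDR must be a cluster URL, got '${VAULT_ADDR:-}'"; rc=1 ;;
  esac
  case "${OKTA_DOMAIN:-}" in
    https://*) ;;
    *) echo "OKTA_DOMAIN must start with https://, got '${OKTA_DOMAIN:-}'"; rc=1 ;;
  esac
  for v in VAULT_TOKEN OKTA_CLIENT_ID OKTA_CLIENT_SECRET; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$v is not set"; rc=1; }
  done
  return $rc
}
```

Run `check_env && check_auth_mount "<your Path Variable value>"` against your real environment; an empty Path Variable means the default oidc path, which the function accepts as `oidc`.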
