Integrate with an Okta Tenant
Before applications can be secured, an Okta tenant must be configured to provide identity services.
Access Gateway and your Okta org integrate using SAML and REST APIs.
The diagram below represents how your Okta tenant connects to Access Gateway using SAML.
To configure Access Gateway to integrate with an Okta org you must:
- Create an Okta Service Account for Access Gateway
- Create an Okta API Token
- Configure Okta as IDP in Access Gateway
In your browser, navigate to your Okta org and sign in as an Administrator.
Okta recommends creating a specific Service Account in Okta that will be used to create the Access Gateway API key. This is important because every action performed by an API key is logged under the user that created the key. In the interest of maintaining accurate logs, a dedicated Access Gateway Service Account is recommended.
- Navigate to the Directory > People section.
- Click Add Person.
- Enter a descriptive First name and Last name in the Service Account naming fields (for example, Service Admin). Enter a dummy email address (for example, firstname.lastname@example.org) for the Username and Primary email.
Use a dummy value for the Username and Primary email fields so that there is no interference between the Service Account and your own account in the event of a password reset request or similar. Adding your own email address to the Secondary email field ensures you can activate and maintain the Service Account.
- Enter your valid Administrator Email in the Secondary email field. Click the Send user activation email checkbox, and click Save.
- You should now see your newly created Service Account under the Activated people tab with a Password reset status.
- Navigate to the Security > Administrators section.
- Click Add Administrator.
- Enter the name of the Service Account created earlier in the Grant administrator role to field. Select the Super Administrator checkbox, and click Add Administrator.
- You should now have two Super Administrator accounts.
- Sign out of your Okta Admin Account.
- In your email, open the Service Account Activation Email you received from Okta and click the Activation link.
- After clicking the link, you will be asked to create a password, answer a security question, and select an account security image.
- Upon completion, log in with the new Service Account credentials.
- In the Service Account Dashboard, select Security > API from the menu options.
- On the API page, click Create Token.
- Enter a Token Name in the pop-up window, and click Create Token.
Best Practice: Use a name that clearly identifies the token's purpose. In this case the token is used by an Access Gateway appliance, so including "Access Gateway" or "OAG" and other relevant information is recommended.
- Copy the displayed Token Value to a safe place before clicking Ok, got it.
Warning: After you close the pop-up window, the token value can never be displayed again. Copy the token to a safe, secure location (such as a password manager or secure note database) for future reference.
- In your browser, navigate to the Access Gateway Admin UI console and log in as an administrator.
- Select the Settings tab.
- Click the Identity Providers pane.
- Click the + button, and Select OKTA.
- Enter a name in the Name field, fill in the Okta Org URL and Okta API Token fields with the values generated earlier, and click Not Validated.
- When the Okta API Token is validated, the Not Validated button turns green and changes to Validated.
- Click Okay.
- The Settings tab will now display your Okta IDP status; verify it displays a Valid status.
- Navigate to the Topology tab to test the IDP’s connection.
- Click the Okta IDP icon to be redirected to your Okta tenant.
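The check behind the Not Validated button can be reproduced outside the Admin UI, which is useful when the button stays red and you want to know whether the token or the Org URL is at fault, and whether the token really belongs to the dedicated Service Account rather than a personal admin. The following is an added example, not Okta's or Access Gateway's own code; it assumes the Okta REST endpoint `GET /api/v1/users/me` with an `SSWS` Authorization header, and the `fake_okta` transport, `GOOD_TOKEN` and `SERVICE_LOGIN` are constructed stand-ins so it runs offline.

```python
"""Check an Okta API token the way Access Gateway's "Not Validated" button
does: call the Okta REST API with the SSWS token and confirm which user the
token belongs to.  Added example, not Okta's or Access Gateway's own code."""
import io
import json
import urllib.request
from urllib.error import HTTPError


def validate_okta_token(org_url, api_token, expected_login=None,
                        opener=urllib.request.urlopen):
    """Return (ok, detail). ok is True only when Okta accepts the token
    (and, if expected_login is given, the token belongs to that login).
    opener is injectable so the function can be exercised offline."""
    if not org_url.startswith("https://"):
        return False, "org URL must use https"
    if not api_token or api_token != api_token.strip():
        return False, "token is empty or has surrounding whitespace"
    req = urllib.request.Request(
        org_url.rstrip("/") + "/api/v1/users/me",   # Okta "get current user"
        headers={"Authorization": "SSWS " + api_token,
                 "Accept": "application/json"})
    try:
        with opener(req, timeout=10) as resp:
            owner = json.load(resp)["profile"]["login"]
    except HTTPError as err:
        if err.code == 401:
            return False, "401: token rejected (revoked, mistyped, or wrong org)"
        return False, "HTTP %d from Okta" % err.code
    # Every action made with this token is logged as this user, so refuse a
    # token that a personal admin account minted instead of the service account.
    if expected_login and owner != expected_login:
        return False, "token belongs to %s, not %s" % (owner, expected_login)
    return True, "token bound to " + owner


# Constructed offline stand-in for urlopen: one good token, everything else 401.
GOOD_TOKEN = "00example-constructed-token-value"   # placeholder, not a real token
SERVICE_LOGIN = "service.admin@example.org"        # the dedicated Service Account

def fake_okta(req, timeout=10):
    if req.get_header("Authorization") == "SSWS " + GOOD_TOKEN:
        body = {"profile": {"login": SERVICE_LOGIN}}
        return io.BytesIO(json.dumps(body).encode())
    raise HTTPError(req.full_url, 401, "Unauthorized", {}, None)

if __name__ == "__main__":
    print(validate_okta_token("https://example.okta.com", GOOD_TOKEN,
                              SERVICE_LOGIN, opener=fake_okta))
```

Against a live org, drop the `opener` argument and pass your real Org URL and the token copied from the pop-up; a 401 means Okta rejected the token, while an owner mismatch means it was created while signed in as the wrong account.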