Configure your Okta tenant as an Identity Provider

After Access Gateway has been installed and the typical post-installation tasks have been performed, your Okta tenant must be configured as an IDP. This page lists the tasks to configure your Okta tenant as an Okta Access Gateway Identity Provider.

Tasks

Configuring Okta as the identity provider for Access Gateway involves three individual tasks.

  1. Create an Okta Service Account for Access Gateway
    1. In your browser, go to your Okta org and sign in as an administrator.

      Okta recommends creating a specific service account in Okta to create the Access Gateway API key. This is important because Okta logs every action performed by an API key under the user that created the key. In the interest of maintaining accurate logs, Okta recommends a dedicated Access Gateway service account.

    2. In the Admin Console, go to Directory > People.
    3. Click Add Person.
    4. For the Service Account, enter a first name and family name.
    5. For the Username and Primary email values, enter a dummy email. For example, service.admin@domain.com.

      Use dummy values for the Username and Primary email to avoid interference between the service account and your own account. If you need to request a password reset, adding your own email address for the Secondary email ensures you can activate and maintain the service account.

    6. For the Secondary email, enter your valid administrator email.
    7. Select the checkbox for Send user activation email and click Save. You should now see your newly created service account under the Activated people tab with a Password reset status.
    8. In the Admin Console, go to Security > Administrators.
    9. Click Add Administrator.
    10. For the Grant administrator role to value, enter the name of the service account created earlier.
    11. Select the Super Administrator checkbox, and click Add Administrator. You should now have two super administrator accounts.
    12. Sign out of your Okta administrator account.
    13. In the email account for your service account, open the activation email you received from Okta and click the activation link.
    14. Set a password and a security question, and select a security image for the account.
    15. Upon completion, sign in with the new service account credentials.
  2. Create an Okta API Token
    1. Navigate to your Okta org.

    2. In the Admin Console, go to Security > API.
    3. On the API page, click Create Token.
    4. Enter a Token Name in the dialog box, and click Create Token.

      Use a name that easily identifies the token’s purpose. In this case, the token is being used in the Access Gateway appliance, so including Access Gateway, OAG, or other relevant information in the name is recommended.

    5. Copy the displayed Token Value in a safe place.
    6. Once you close the pop-up window, you can never display the token value again.
      Ensure you copy the token to a safe, secure location (such as a password manager or secure note database) for future reference.

    7. Click Ok, got it.
  3. Configure an IDP in Access Gateway
    1. In your browser, navigate to the Access Gateway Admin UI console and sign in as an administrator.
    2. Select the Settings tab.
    3. Click the Identity Providers pane.
    4. Click + and select OKTA.
    5. In the Add New Okta IDP dialog enter:

      • Name field - enter an appropriate name for the IDP such as Okta IDP.

      • Okta Org - Enter your Okta org, which is typically {your org name}.oktapreview.com, {your org name}.okta.com, or similar.

        Note: this field is blank in the following screenshot, but it must be completed.

      • Okta API Token - Paste the value you copied from your Okta org when you created the Okta API token.

      Access Gateway Add New Okta IDP dialog shown with Name, Okta Org and Okta API token highlighted.

    6. Click Not Validated. After the Okta API Token is validated successfully, the Not Validated button changes to Validated.
    7. Click Okay. The Settings tab displays your Okta IDP status.
    8. Verify that it displays the status as Valid.

      Access Gateway Settings page shown with the new Okta IDP added with Valid status.

    9. Navigate to the Topology tab to test the IDP’s connection.
    10. Click the Okta IDP icon to be redirected to your Okta tenant which should look like the following:

      Access Gateway Topology page shown with the new IDP highlighted.
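To check the token out-of-band before pasting it into Access Gateway, the following script (an added example, not part of Okta's documentation) calls Okta's /api/v1/users/me endpoint, which returns the user an SSWS token acts as, and accepts the token only if that user is the active, dedicated service account from task 1, so that the actions Access Gateway performs are logged under that account. The org hostname, the service-account login and the OKTA_API_TOKEN environment variable are assumptions.

```python
"""Validate an Okta API token and confirm it belongs to the Access Gateway
service account.  Added example; not Okta's or Access Gateway's own code."""
import json
import urllib.error
import urllib.request

# Hypothetical values: replace with your own org and the login from task 1, step 5.
OKTA_ORG = "example.oktapreview.com"
SERVICE_ACCOUNT_LOGIN = "service.admin@domain.com"


def check_token_owner(status, body, expected_login):
    """Interpret a /api/v1/users/me response as (ok, message).

    The token is accepted only when the org answers 200 and the user the
    token acts as is the dedicated, ACTIVE service account.
    """
    if status == 401:
        return False, "token rejected (401): invalid, revoked or expired"
    if status != 200:
        return False, "unexpected HTTP status %d" % status
    data = json.loads(body) if isinstance(body, str) else body
    login = data.get("profile", {}).get("login", "")
    if data.get("status") != "ACTIVE":
        return False, "token owner %s is not ACTIVE" % login
    if login.lower() != expected_login.lower():
        return False, "token belongs to %s, not the service account" % login
    return True, "token valid; owner %s" % login


def validate_token(org, token, expected_login):
    """Call /api/v1/users/me with the SSWS token and interpret the result."""
    req = urllib.request.Request(
        "https://%s/api/v1/users/me" % org,
        headers={"Authorization": "SSWS " + token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return check_token_owner(resp.status, resp.read().decode(), expected_login)
    except urllib.error.HTTPError as e:
        # Okta returns 401 with a JSON error body for a bad token.
        return check_token_owner(e.code, e.read().decode() or "{}", expected_login)


if __name__ == "__main__":
    import os
    import sys
    ok, msg = validate_token(OKTA_ORG, os.environ["OKTA_API_TOKEN"], SERVICE_ACCOUNT_LOGIN)
    print(msg)
    sys.exit(0 if ok else 1)
```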