Configure your Okta tenant as an Identity Provider

Configuring Okta as the Identity Provider (IdP) for Access Gateway involves three individual tasks.

  1. Create an Okta service account for Access Gateway

    Okta recommends that you create and use a dedicated service account to create the Access Gateway API key. This helps maintain accurate logs since Okta logs every action performed by an API key under the user that created the key.

    1. In the Admin Console, go to Directory > People.
    2. Click Add Person.
    3. For the Service Account, enter a first name and family name.
    4. For the Username and Primary email values, enter a placeholder email. For example, service.admin@domain.com.

      Use placeholder values for the Username and Primary email to avoid interference between the service account and your account. Enter your email address as the Secondary email. Then, if you need to request a password reset, you're able to activate and maintain the service account.

    5. For the Secondary email, enter your valid administrator email.
    6. Select the checkbox for Send user activation email and click Save. You should now see your newly created service account under the Activated people tab with a Password reset status.
    7. In the Admin Console, go to Security > Administrators.
    8. Click Add Administrator.
    9. For the Grant administrator role to value, enter the name of the service account created earlier.
    10. Select the Super Administrator checkbox, and click Add Administrator. You should now have two super administrator accounts.
    11. Sign out of your Okta administrator account.
    12. In the email account for your service account, open the activation email you received from Okta and click the activation link.
    13. Set a password and a security question, and select a security image for the account.
    14. Upon completion, sign in with the new service account credentials.
  2. Create an Okta API token
    1. In the Admin Console, go to Security > API.
    2. Click Create token.
    3. Enter a token name that identifies the token's purpose. For example, you might include Access Gateway or OAG in the name.
    4. Click Create token.
    5. Copy the Token Value and store it in a secure location, such as a password manager, for future reference. After you close this window, you can no longer view the token value.
    6. Click Ok, got it.
  3. Configure an IdP in Access Gateway
    1. In your browser, go to the Access Gateway Admin UI console and sign in as an administrator.
    2. Select the Settings tab.
    3. Click the Identity Providers pane.
    4. Click + and select OKTA.
    5. Enter the following:

      • Name: Enter a meaningful name for the IdP (for example, Okta IdP).

      • Okta Org: Enter your org (for example, orgname.oktapreview.com, orgname.okta.com, or similar).

      • Okta API Token: Paste the token value that you copied from your Okta org when you created the Okta API token.

    6. Click Not Validated. This label changes to Validated when the Okta API Token is successfully validated.
    7. Click Okay. The Settings tab displays your Okta IdP status, which should be Valid.
    8. Click the Topology tab. Your IdP is represented by an icon labeled with the name that you entered.
    9. Click your IdP's icon. If it's configured correctly, you're redirected to your Okta tenant.
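
The validation that Access Gateway performs in step 6 can also be run from the command line before the token is pasted into the Admin UI, which is useful for confirming the point made in task 1: a token created while signed in as your own administrator account would still validate, but the System Log would then attribute every Access Gateway action to you rather than to the service account. The following script is an added example and is not Okta's or Access Gateway's own code. It assumes the Okta Management API's standard `Authorization: SSWS <token>` header and `GET /api/v1/users/me` endpoint, and its hostname pattern is an assumption that only admits the org forms the steps above mention (`orgname.okta.com`, `orgname.oktapreview.com`). The org, token and expected service-account login are read from environment variables so the token is never written into a file.

```python
"""Added example (not Okta's code): check an Okta API token before pasting it
into Access Gateway, and confirm it resolves to the dedicated service account
so that System Log entries are attributed as intended."""
import json
import re
import urllib.error
import urllib.request

# Assumption: only the org hostname forms named on the page are accepted
# (orgname.okta.com, orgname.oktapreview.com), optionally with extra
# subdomain segments. Schemes, paths and stray whitespace are stripped first.
OKTA_ORG_RE = re.compile(r"^[a-z0-9][a-z0-9-]*(\.[a-z0-9-]+)*\.(okta|oktapreview)\.com$")


def normalize_org(org: str) -> str:
    """Return the bare org hostname; accepts a pasted URL, rejects anything else."""
    host = org.strip().lower()
    host = re.sub(r"^https?://", "", host)
    host = host.split("/", 1)[0]
    if not OKTA_ORG_RE.match(host):
        raise ValueError(f"not an Okta org hostname: {org!r}")
    return host


def auth_header(token: str) -> dict:
    """Okta API tokens are presented as 'Authorization: SSWS <token>'."""
    token = token.strip()
    if not token:
        raise ValueError("empty API token")
    return {"Authorization": f"SSWS {token}", "Accept": "application/json"}


def interpret_me_response(status: int, body: dict) -> dict:
    """Reduce a GET /api/v1/users/me result to a small verdict dict."""
    if status == 200:
        return {
            "valid": True,
            "login": body.get("profile", {}).get("login"),
            "user_status": body.get("status"),
        }
    return {"valid": False, "login": None, "error": body.get("errorSummary", f"HTTP {status}")}


def owned_by(verdict: dict, expected_login: str) -> bool:
    """True only if the token validated AND belongs to the expected service account.
    A valid token owned by a personal admin account is the misattribution case
    the page warns about, so it is reported as a failure here."""
    return bool(verdict.get("valid")) and (
        (verdict.get("login") or "").lower() == expected_login.strip().lower()
    )


def validate_token(org: str, token: str, expected_login: str) -> dict:
    """Live check against the tenant (needs network access and a real token)."""
    host = normalize_org(org)
    req = urllib.request.Request(f"https://{host}/api/v1/users/me", headers=auth_header(token))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            verdict = interpret_me_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as e:
        try:
            body = json.load(e)  # Okta returns a JSON error document on 401/403
        except ValueError:
            body = {}
        verdict = interpret_me_response(e.code, body)
    verdict["owned_by_service_account"] = owned_by(verdict, expected_login)
    return verdict


if __name__ == "__main__":
    import os
    import sys

    # Real values come from the environment; the token is never hard-coded.
    result = validate_token(
        os.environ["OKTA_ORG"],
        os.environ["OKTA_API_TOKEN"],
        os.environ.get("OKTA_SERVICE_LOGIN", "service.admin@domain.com"),
    )
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["owned_by_service_account"] else 1)
```

Run it as `OKTA_ORG=orgname.oktapreview.com OKTA_API_TOKEN=... OKTA_SERVICE_LOGIN=service.admin@domain.com python3 check_token.py`; a non-zero exit means either the token did not validate or it belongs to a different user than the service account, and in the second case the token should be revoked and recreated while signed in as the service account before it is handed to Access Gateway.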