Integrate with an Okta tenant
Before applications can be secured, an Okta tenant must be configured to provide identity services.
Access Gateway and your Okta org integrate using SAML and REST APIs.
The following diagram represents how your Okta tenant connects to Access Gateway using SAML.
To configure Access Gateway to integrate with an Okta org, you must:
- Create an Okta service account for Access Gateway
- Create an Okta API token
- Configure Okta as the IdP in Access Gateway
Create an Okta service account for Access Gateway

Okta recommends that you create and use a dedicated service account to create the Access Gateway API token. This helps maintain accurate logs, because Okta logs every action performed with an API token under the user who created the token.
- In the Admin Console, go to Directory > People.
- Click Add Person.
- For the Service Account, enter a first name and family name.
- For the Username and Primary email values, enter a placeholder email. For example, email@example.com.
Use placeholder values for the Username and Primary email so that the service account doesn't interfere with your own account. Enter your own email address as the Secondary email; then, if you ever need to request a password reset, you can still activate and maintain the service account.
- For the Secondary email, enter your valid administrator email.
- Select the checkbox for Send user activation email and click Save. You should now see your newly created service account under the Activated people tab with a Password reset status.
- In the Admin Console, go to Security > Administrators.
- Click Add Administrator.
- For the Grant administrator role to value, enter the name of the service account created earlier.
- Select the Super Administrator checkbox, and click Add Administrator. You should now have two super administrator accounts.
- Sign out of your Okta administrator account.
- In the email account for your service account, open the activation email you received from Okta and click the activation link.
- Set a password and a security question, and select a security image for the account.
- Upon completion, sign in with the new service account credentials.
Create an Okta API token

- In the Admin Console, go to Security > API.
- Click Create token.
- Enter a token name that identifies the token's purpose. For example, you might include Access Gateway or OAG in the name.
- Click Create token.
- Copy the Token Value and store it in a secure location, such as a password manager, for future reference. After you close this window, you can no longer view the token value.
- Click Ok, got it.
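As an added example (not part of Okta's documentation or Access Gateway's own code), the following Python script checks a freshly created API token before it is pasted into Access Gateway. It calls the org's `GET /api/v1/users/me` endpoint with the `SSWS` authorization scheme and confirms both that the token is accepted and that it belongs to the dedicated service account, so that actions taken with it are logged under that account rather than under your own. The org domain, token and expected service-account login are read from environment variables; the variable names (`OKTA_ORG`, `OKTA_API_TOKEN`, `OAG_SERVICE_LOGIN`) and the sample values are assumptions for this example.

```python
"""Added example (not Okta's own code): verify an Okta API token before
using it in Access Gateway.

Calls GET /api/v1/users/me, which returns the user the token belongs to,
and checks that the token is accepted and bound to the dedicated
Access Gateway service account.
"""
import json
import os
import urllib.error
import urllib.request


def org_base_url(org: str) -> str:
    """Turn the 'Okta Org' value (e.g. orgname.okta.com) into a base URL.

    Accepts a bare domain or an https:// URL; refuses plain http.
    """
    org = org.strip().rstrip("/")
    if org.startswith("https://"):
        org = org[len("https://"):]
    elif org.startswith("http://"):
        raise ValueError("Okta org must be reached over HTTPS")
    if not org or "/" in org:
        raise ValueError(f"unexpected Okta org value: {org!r}")
    return f"https://{org}"


def auth_headers(token: str) -> dict:
    """Okta API tokens are sent in the Authorization header with the SSWS scheme."""
    return {"Authorization": f"SSWS {token}", "Accept": "application/json"}


def check_me_response(status: int, body: bytes, expected_login: str):
    """Interpret the response to GET /api/v1/users/me.

    Returns (ok, message). ok is True only if the token was accepted and
    belongs to an ACTIVE user whose login matches the service account.
    """
    if status == 401:
        return False, "token rejected (401): it is mistyped, revoked or expired"
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    user = json.loads(body)
    login = user.get("profile", {}).get("login", "")
    if login.lower() != expected_login.lower():
        # Actions done with this token would be logged under a different user.
        return False, f"token belongs to {login!r}, not the service account {expected_login!r}"
    if user.get("status") != "ACTIVE":
        return False, f"service account status is {user.get('status')!r}, not ACTIVE"
    return True, f"token valid and attributed to {login}"


def validate_token(org: str, token: str, expected_login: str):
    """Perform the live check against the org (needs network access)."""
    req = urllib.request.Request(org_base_url(org) + "/api/v1/users/me",
                                 headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return check_me_response(resp.status, resp.read(), expected_login)
    except urllib.error.HTTPError as err:
        # 401/403 and similar arrive as exceptions; interpret them the same way.
        return check_me_response(err.code, err.read(), expected_login)


if __name__ == "__main__":
    # Assumed variable names; never hard-code the token in the script.
    ok, msg = validate_token(os.environ["OKTA_ORG"],
                             os.environ["OKTA_API_TOKEN"],
                             os.environ["OAG_SERVICE_LOGIN"])
    print(("OK: " if ok else "FAILED: ") + msg)
    raise SystemExit(0 if ok else 1)
```

Run it with the three variables exported in the shell; a non-zero exit means the token should not be pasted into Access Gateway. Keeping the token in an environment variable (or a secret store) rather than in the script matches the page's advice to store the value only in a secure location.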
Configure Okta as the IdP in Access Gateway

- In your browser, go to the Access Gateway Admin UI console and sign in as an administrator.
- Select the Settings tab.
- Click the Identity Providers pane.
- Click + and select OKTA.
- Enter the following:
  - Name: Enter a meaningful name for the IdP (for example, Okta IdP).
  - Okta Org: Enter your org's domain (for example, orgname.oktapreview.com, orgname.okta.com, or similar).
  - Okta API Token: Paste the token value that you copied from your Okta org when you created the API token.
- Click Not Validated. This label changes to Validated when the Okta API token is successfully validated.
- Click Okay. The Settings tab displays your Okta IdP status, which should be Valid.
- Click the Topology tab. Your IdP is represented by an icon labeled with the name that you entered.
- Click your IdP's icon. If it's configured correctly, you're redirected to your Okta tenant.