diff --git a/site/content/docs/howto/configure-supervisor-with-okta.md b/site/content/docs/howto/configure-supervisor-with-okta.md index 7fb7fc13..46cc6ae7 100644 --- a/site/content/docs/howto/configure-supervisor-with-okta.md +++ b/site/content/docs/howto/configure-supervisor-with-okta.md 
@@ -19,27 +19,27 @@ cluster using their Okta credentials. This how-to guide assumes that you have already [installed the Pinniped Supervisor]({{< ref "install-supervisor" >}}) with working ingress, and that you have [configured a `FederationDomain` to issue tokens for your downstream clusters]({{< ref "configure-supervisor" >}}). -## Configure your Okta Application +## Create an Okta Application -Follow the instructions for [setting up an application using authcode flow](https://developer.okta.com/docs/guides/implement-auth-code/setup-app/) and create an application. +Follow the instructions for [setting up an app using authcode flow](https://developer.okta.com/docs/guides/implement-auth-code/setup-app/) and create an app. Optionally follow the instructions for [customizing tokens returned from Okta with a groups claim](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/overview/) if you want to pass users' Okta group information through to your Kubernetes clusters. -For example, to create an application: +For example, to create an app: -1. In the Okta admin console, navigate to _Applications_ > _Applications_. -1. Create a new application: - 1. Click `Create a new app integration`. - 1. For `Sign-on method`, select OIDC. - 1. For `Application type`, select `Web Application`, then click next. - 1. Enter a name for your application, such as "My Kubernetes Clusters". +1. In the Okta Admin Console, navigate to _Applications_ > _Applications_. +1. Create a new app: + 1. Click `Create App Integration`. + 1. For `Sign-on method`, select `OIDC`. + 1. For `Application type`, app `Web Application`, then click next. + 1. Enter a name for your app, such as "My Kubernetes Clusters". 1. Enter the sign-in redirect URI. This is the `spec.issuer` you configured in your `FederationDomain` appended with `/callback`. 1. Optionally select `Limit access to selected groups` to restrict which Okta users can log in to Kubernetes using this integration. - 1. 
Save the application and make note of the _Client ID_ and _Client Secret_. - 1. Navigate to the _Sign On tab_ > _OpenID Connect ID Token_ and click edit. Fill in the Groups claim filter. + 1. Save the app and make note of the _Client ID_ and _Client secret_. + 1. Navigate to the _Sign On_ tab > _OpenID Connect ID Token_ and click `Edit`. Fill in the Groups claim filter. For example, for all groups to be present under the claim name `groups`, fill in "groups" in the first box, then select "Matches regex" and ".*". -## Configure the Supervisor cluster +## Configure the Supervisor Create an [OIDCIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#oidcidentityprovider) in the same namespace as the Supervisor. @@ -53,7 +53,7 @@ metadata: name: okta spec: - # Specify the upstream issuer URL. + # Specify the upstream issuer URL (no trailing slash). issuer: https://my-company.okta.com # Request any scopes other than "openid" for claims besides @@ -63,7 +63,8 @@ spec: # To learn more about how to customize the claims returned, see here: # https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/overview/ authorizationConfig: - additionalScopes: [ groups email ] + additionalScopes: [groups, email] + # Specify how Okta claims are mapped to Kubernetes identities. claims: @@ -92,7 +93,7 @@ stringData: # The "Client ID" that you got from Okta. clientID: "" - # The "Client Secret" that you got from Okta. + # The "Client secret" that you got from Okta. clientSecret: "" ``` @@ -104,6 +105,6 @@ kubectl describe OIDCIdentityProvider -n pinniped-supervisor okta Look at the `status` field. If it was configured correctly, you should see `phase: Ready`. -## Next Steps +## Next steps Now that you have configured the Supervisor to use Okta, you may want to [configure the Concierge to validate JWTs issued by the Supervisor]({{< ref "configure-concierge-jwt" >}}).
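Review bot: In the first hunk (`@@ -19,27`), the rewritten step `1. For \`Application type\`, app \`Web Application\`, then click next.` has lost its verb, apparently from the application-to-app rename; it should read `1. For \`Application type\`, select \`Web Application\`, then click next.` to match the surrounding steps. The same hunk also leaves the heading as `## Create an Okta Application` while every other occurrence in the section becomes "app"; pick one term for the heading and body so the guide reads consistently with the Okta Admin Console wording it now follows.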
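Review bot: In the `@@ -53,7` hunk, the new comment `# Specify the upstream issuer URL (no trailing slash).` states the rule without the reason, which is what a reader who copies a URL from the Okta UI needs. Suggest extending it to say that the value must match the `issuer` reported by Okta's OpenID Connect discovery document exactly, since the Supervisor compares the two and a trailing slash makes the `OIDCIdentityProvider` fail validation instead of reaching `phase: Ready`.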
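Review bot: In the `@@ -63,7` hunk, the change from `additionalScopes: [ groups email ]` to `additionalScopes: [groups, email]` is a real fix rather than a style edit and deserves a mention in the commit message: the old YAML flow sequence parses as a single element, the string `groups email`, so neither scope was actually requested and users would get tokens without group membership. The new `# Specify how Okta claims are mapped to Kubernetes identities.` comment would be more useful if it also noted that the `groups` scope only yields a `groups` claim when the Groups claim filter from the earlier section has been configured on the Okta app.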