Okta

更新时间:
复制 MD 格式

This topic describes how to configure Okta as an identity provider for Agent Identity.

Prerequisites

  • You have an administrator account with access to the Okta Admin Portal.

  • We recommend that you grant the AliyunAgentIdentityFullAccess permission to the operator performing the configuration in Alibaba Cloud.

Step 1: Create an OAuth application in Okta

  1. Sign in to the Okta Admin Portal.

  2. In the left-side navigation pane, choose Applications > Applications.

  3. On the Applications page, click Create App Integration.

  4. In the Create a new app integration dialog box, set the sign-in method to OIDC - OpenID Connect and the application type to Web Application, and then click Next.

  5. On the New Web App Integration page, configure the following parameters:

    1. App integration name: Enter a name for the application.

    2. Grant type: Keep the default selection, Authorization Code.

    3. Sign-in redirect URIs: The URL where users are redirected after a successful sign-in. For example: https://your-app-fqdn/authcallback.

    4. Under Assignments, use Controlled access to define which users can access this application. For testing, you can select Allow everyone in your organization to access.

  6. Keep the other settings as default and click Save.

  7. On the Applications page, click the new application. On its details page, copy and save the Client ID.

Step 2: Test ID Token retrieval (Optional)

Manually construct an OAuth request to get an ID Token. This helps test the authentication flow and debug your application or agent.

Important

The following steps are for testing or debugging purposes only. In a production environment, we recommend using an OAuth-compatible SDK to request an ID Token.

  1. In the Okta Admin Portal, open the OAuth application from Step 1. In the CLIENT SECRETS section, click the copy icon next to Secret, and then save the Client Secret.

  2. Click Edit next to General Settings. In the LOGIN section, add the URI http://localhost:8080 to Sign-in redirect URIs, and then click Save.

  3. Copy the following HTTP request and replace the placeholders <your-okta-domain-name> and <your-client-id> with your Okta domain and the Client ID from Step 1.

    https://<your-okta-domain-name>/oauth2/v1/authorize?
    client_id=<your-client-id>
    &redirect_uri=http://localhost:8080
    &response_type=code
    &scope=openid
    &state=12345
  4. Visit the request URL in your browser and follow the prompts to log in to Okta. After a successful login, the browser redirects to http://localhost:8080 and returns the authorization code code in the URL. Copy and save the value of code.

    http://localhost:8080/?code=PnBlGlro40HCjBaiCCt4WBCT2FnyIBHf86NIonD****&state=12345
  5. Copy and run the following command. Replace code, client_id, and client_secret with the code, Client ID, and Client Secret from the previous steps.

    curl -X POST "<your-okta-domain-name>/v1/token" \
         -H "Content-Type: application/x-www-form-urlencoded" \
         -d "code=<your-authorization-code>" \
         -d "client_id=<your-client-id>" \
         -d "redirect_uri=http://localhost:8080" \
         -d "grant_type=authorization_code" \
         -d "client_secret=<your-client-secret>"
  6. If the command is successful, Okta returns an id_token and an access_token. The following is a sample response:

    {
      "token_type": "Bearer",
      "expires_in": 3600,
      "access_token": "eyJraWQiOiJmeTBnMnB0VVVh...PGX08Q",
      "scope": "openid",
      "id_token": "eyJraWQiOiJmeTBnMnB0VVVhMG1U...VBdhDA"
    }
  7. Copy the value of the id_token to a JWT decoding website (such as https://www.jwt.io/). The decoded aud claim must match the Client ID from Step 1. The following is a sample of the decoded output:

    {
      "sub": "00uyhvyq87xgV4qQ****",
      "ver": 1,
      "iss": "https://****.okta.com",
      "aud": "0oaylbem3eBMiwIz****",
      "iat": 1766475191,
      "exp": 1766478791,
      "jti": "ID.6ywwkKDDGqivVjbwdE16dVygBGa0UEslOwovs0Y****",
      "amr": [
        "mfa",
        "otp",
        "pwd",
        "okta_verify"
      ],
      "idp": "00oy7sk1coYRWkrs****",
      "auth_time": 1766470553,
      "at_hash": "Jf8NvN9QvLV2tRhcl6****"
    }

Step 3: Create an identity provider

  1. Sign in to the AgentIdentity console. In the left-side navigation pane, choose Inbound >  > Identity Providers.

  2. On the Identity Providers list page, click Create Identity Provider.

  3. On the Create Identity Provider page, configure the following parameters:

    • Identity Provider Name: Enter a custom name for the identity provider.

    • Description (Optional)

    • OIDC Metadata URL: Enter the OIDC metadata URL of Okta in the format https://<your-okta-domain-name>/.well-known/openid-configuration.

    • Allowed Target Audiences: Leave Specify Audience Whitelist selected and enter the Client ID of the OIDC application from Step 1. To support multiple audiences, enter each client ID on a new line.

  4. Click Create Identity Provider.

Step 4: Associate identity provider with workload identity

You must associate the identity provider with a workload identity to complete inbound authorization. If you have not created a workload identity, see Create a workload identity.

  1. Sign in to the AgentIdentity console. In the left-side navigation pane, choose Workload Identities.

  2. On the Workload Identities list page, click the target workload identity.

  3. On the workload identity details page, in the Authentication Flow section, click Associate Identity Provider under Identity Providers.

  4. In the Associate Identity Provider dialog box, select the identity provider created in Step 3 from the drop-down list.

  5. Click OK.