You can set up single sign-on (SSO) access to Dev Portals through Okta using OpenID Connect or SAML.
These authentication methods allow developers to log in to a Dev Portal using their Okta credentials
without needing a separate Kong Konnect Dev Portal login.
This page provides specific instructions for configuring SSO with Okta.
See Configure Generic SSO for general instructions on setting up SSO for other identity providers.
It is recommended to use a single authentication method, however, Konnect supports the ability to
combine built-in authentication with either OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported.
Keep built-in authentication enabled while you are testing IdP authentication and only disable it after successfully testing
your SSO configuration.
Prerequisites
- An Okta account with administrator access to configure Applications and Authorization Server settings.
- A non-public Kong Konnect Dev Portal created in your Konnect organization.
- From the Applications section of the Okta console, select Create App Integration
and choose OIDC - OpenID Connect
with Web Application for the Application type. Provide the following configuration details:
-
Grant type: Authorization Code
Using the portal URL from the Dev Portal Overview page, provide the following configuration details substituting <portal-url>
with your portal’s URL:
-
Sign-in redirect URIs:
https://<portal-url>/login
-
Sign-out redirect URIs:
https://<portal-url>/login
-
Optional: If you want to map Okta group claims to Konnect
Dev Portal Teams,
modify the OpenID Connect ID Token claims
in the Application->Sign On section of the Okta configuration, setting the following values:
-
Group claims type:
Filter
-
Group claims filter: Enter
groups
for the claim name and enter Matches regex as the filter type and .*
for the filter value.
This claim specifies which user’s groups to include in the token, in this case the wildcard regex specifies that all groups will be included.
If the authorization server is retrieving additional groups from
third-party applications (for example, Google groups), the groups
claim
will not contain them. If it is desired to use these third-party groups, the Okta
administrator will need to duplicate them directly in Okta or use a custom token
to include them in the groups
claim.
-
Assign desired groups and users to the new Okta application.
-
Locate the following values in the Okta console, which will be used later for the
Konnect configuration.
-
Client ID: Located in your Application General -> Client Credentials settings.
-
Client Secret: Located in your Application General -> Client Secrets settings.
-
Issuer URI : The Issuer is typically found in the Security -> API -> Authorization Servers settings.
It should look like the following:
https://<okta-org-id>.okta.com/oauth2/default
- From the Applications section of the Okta console, select Create App Integration
and choose SAML 2.0.
Provide the following configuration details:
- Give the application a name that signifies it is for Konnect SAML SSO.
Using the portal URL from the Dev Portal Overview page, provide the following configuration details:
-
Optional: To include additional user attributes beyond authentication, add the following three attributes in the Attribute Statements:
Name |
Name format |
Value |
firstName |
Unspecified |
user.firstName |
lastName |
Unspecified |
user.lastName |
email |
Unspecified |
user.email |
-
Optional: If you want to use group claims for Konnect developer team mappings, configure a groups attribute claim and fill in the following fields:
Name |
Name format |
Filter |
Filter Value |
groups |
Unspecified |
Matches regex |
.* |
-
Generate a signing certificate to use in Konnect.
-
Assign desired groups and users to the new Okta application.
Set up Konnect
-
Open your Konnect Dev Portal overview,
and select the Dev Portal you want to configure for SSO. Choose Settings in the sidebar
and then the Identity tab.
-
Select the Configure option for OIDC.
-
Insert your Issuer URI, Client ID and Client Secret in the OIDC configuration fields.
-
Under Advanced Settings, specify the Scopes Konnect requests from Okta.
The openid
scope is required for OIDC authentication. The profile
and email
scopes are recommended so Konnect
obtains the user’s name and email address in the token response.
-
In the Claim Mappings section, set the values of each field to their appropriate token response field name. Use the Okta Token Preview
feature to verify the response token field names will match what you enter in these mappings. The default values are as follows:
- Name:
name
- Email:
email
- Groups:
groups
-
Optional: Map existing developer teams from Okta groups to Konnect Dev Portal teams.
-
Save the configuration and then select Enable OIDC.
-
In a separate browser tab, open Konnect Dev Portal, click the Dev Portal you want to configure SSO for, click Settings in the sidebar and then click the Identity tab.
-
Click Configure for SAML.
-
In Okta, go to Sign On page in the Okta application created in the previous step and copy the
IDP Metadata URL under the Settings section. It should look like: https://<okta-org-id>.okta.com/app/exkgzjkl0kUZB06Ky5d7/sso/saml/metadata
-
Save this configuration, Konnect will generate two new values. A Single Sign-On URL
and an Audience URI.
-
In the Okta console, update the previous placeholder Single Sign-On URL and Audience URI (SP Entity ID)
with the new values generated by Konnect.
-
Optional: Map existing developer teams from Okta groups to Konnect Dev Portal teams.
-
In Konnect, close the configuration dialog and click Enable SAML from the context menu.
Debug and test the configuration
The Okta console provides a Token Preview feature which will be useful in
verifying configuration values for these SSO configuration instructions. If you encounter issues configuring SSO with Okta, start by
checking the Token Preview for the Okta application you created.
-
Test the SSO configuration by navigating to the portal URL for your Dev Portal. For example: https://{portalId}.{region}.portal.konghq.com/login
.
You will see the Okta sign in window if your configuration is set up correctly.
-
Using an account that belongs to one of the groups you just mapped, log
in with your Okta credentials.
If a group-to-team mapping exists, the user is automatically provisioned with a Kong Konnect Dev Portal developer account with the relevant team membership.
-
In Konnect Dev Portal, click the Dev Portal you configured SSO for and click Developers in the sidebar.
You should see a list of users in this org, including a new entry for the user you used to log in.
(Optional) Enable Kong Konnect Dev Portal as a dashboard app in Okta
If you want your users to have easy access to Kong Konnect
Dev Portal alongside their other apps,
you can add it to your Okta dashboard.
In Okta, navigate to the General Settings of your application and configure the application icon for users as needed.