Skip to content
|
Kong Konnect
github-edit-pageEdit this page
report-issueReport an issue

Set Up SSO with Okta

You can set up single sign-on (SSO) access to Dev Portals through Okta using OpenID Connect or SAML. These authentication methods allow developers to log in to a Dev Portal using their Okta credentials without needing a separate login.

You cannot mix authenticators in a Kong Konnect Dev Portal. With Okta authentication enabled, all developers will log in to the Dev Portal through Okta.

This topic covers configuring Okta. For generic instructions on configuring SAML or OIDC for use with other identity providers, see the generic SSO guide.

Prerequisites

  • Ensure that any users that need to use the Dev Portal SSO are added to Okta

  • To set up Okta single sign-on (SSO) for Konnect, you need access to an Okta admin account and a Konnect admin account, which you will access concurrently.
  • Optionally, if you want to use team mappings, you must configure Okta to include group attributes.

Configure an application and group claims in Okta

  1. Create a new OIDC application in Okta to manage Kong Konnect account integration. Configure the following settings:
    • Application Type: Web Application

    • Grant type: Authorization Code

    • Sign-in redirect URIs: https://{portalId}.{region}.portal.konghq.com/login (This is a placeholder value that you’ll replace later)

    • Sign-out redirect URIs: https://{portalId}.{region}.portal.konghq.com/login (This is a placeholder value that you’ll replace later)

    • Controlled access: Select a group assignment option

    Leave this page open. You’ll need the connection details here to configure your Kong Konnect account.

  2. Optional: If you want to use group claims for Konnect developer team mappings, click the Sign On tab in Okta for your application to configure a groups claim and configure the following fields:

    Field Value
    Group claims type Filter
    Group claims filter groups, select Matches regex from the drop-down, then enter .* in the field.

    This claim tells Okta to reference a subset of Okta groups. In this case, the wildcard (.*) value tells Okta to make all groups available for team mapping.

    If the authorization server is pulling in additional groups from third-party applications (for example, Google groups), the groups claim cannot find them. An Okta administrator needs to duplicate those groups and re-create them directly in Okta. They can do this by exporting the group in question in CSV format, then importing the CSV file to populate the new group.

  3. Add users to the Okta application.

  1. Create a new SAML 2.0 application in Okta to manage Kong Konnect account integration. Configure the following placeholder settings:

    • Single Sign-On URL: https://{portalId}.{region}.portal.konghq.com/v2/authenticate/login_path/saml/acs

    • Audience URI (SP Entity ID): https://cloud.konghq.com/sp/SP_ID

  2. Optional: To include additional user attributes beyond authentication, add the following three attributes in the Attribute Statements:

    Name Name format Value
    firstName Unspecified user.firstName
    lastName Unspecified user.lastName
    email Unspecified user.email

  3. Optional: If you want to use group claims for Konnect developer team mappings, configure a groups attribute claim and fill in the following fields:

    Name Name format Filter Filter Value
    groups Unspecified Matches regex .*

  4. Add users to the Okta application.

  5. Generate a signing certificate to use in Konnect.

Set up Konnect

Provide Okta connection details

  1. In a separate browser tab, open Konnect Dev Portal, click the Dev Portal you want to configure SSO for, click Settings in the sidebar and then click the Identity tab.

  2. Click Configure for OIDC.

  3. In Okta, update the placeholder Single Sign-On URL and Audience URI (SP Entity ID) values that you set in the previous section with the Dev Portal callback URL.

  4. In Okta, locate your issuer URI in your authorization server settings. It should look like the following: https://{yourOktaOrg}.okta.com/oauth2/default

  5. Paste the issuer URI from Okta in the Provider URL field in Konnect.

  6. In Okta, copy your client ID and client secret from your Konnect application.

  7. Paste the Client ID and Client Secret from your Okta application into Kong Konnect.

    See the Okta developer documentation to learn more about client credentials in Okta.

  8. Optional: Map existing developer teams from Okta groups to Konnect Dev Portal teams.

  9. After clicking Save, close the configuration dialog and from the OIDC context menu, click Enable OIDC.

  1. In a separate browser tab, open Konnect Dev Portal, click the Dev Portal you want to configure SSO for, click Settings in the sidebar and then click the Identity tab.

  2. Click Configure for SAML.

  3. In Okta, go to Sign On page in the Okta application created in the previous step and copy the IDP Metadata URL under the Settings section. It should look like: https://<your-okta-domain>.okta.com/app/exkgzjkl0kUZB06Ky5d7/sso/saml/metadata

  4. Click Save.
  5. Copy the Single Sign-On URL and Audience URI that display after you configured SAML SSO.

  6. In Okta, update the placeholder Single Sign-On URL and Audience URI (SP Entity ID) values that you set in the previous section with the Single sign-on URL and Audience URI that display in the SAML config in Dev Portal.

  7. Optional: Map existing developer teams from Okta groups to Konnect Dev Portal teams.

  8. In Konnect, close the configuration dialog and click Enable SAML from the context menu.

Test and apply the configuration

Important: Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication.

  1. Test the SSO configuration by navigating to the callback URL for your Dev Portal. For example: https://{portalId}.{region}.portal.konghq.com/login.

    You will see the Okta sign in window if your configuration is set up correctly.

  2. Using an account that belongs to one of the groups you just mapped, log in with your Okta credentials.

    If a group-to-team mapping exists, the user is automatically provisioned with a Kong Konnect Dev Portal developer account with the relevant team membership.

  3. In Konnect Dev Portal, click the Dev Portal you configured SSO for and click Developers in the sidebar.

    You should see a list of users in this org, including a new entry for the user you used to log in.

You can now manage your organization’s user permissions entirely from the IdP application.

(Optional) Enable Kong Konnect Dev Portal as a dashboard app in Okta

If you want your users to have easy access to Kong Konnect Dev Portal alongside their other apps, you can add it to your Okta dashboard.

In Okta, navigate to the General Settings of your application and configure the following settings:

Okta setting Value
Grant type Implicit (hybrid)
Login Initiated by Either Okta or App
Application Visibility Display application icon to users
Initiate login URI Enter your organization’s login URI. You can find the URI in Kong Konnect by going to your Dev Portal, clicking Settings, clicking the Identity tab, and then clicking Configure provider next to your authentication method.