Configure SSO with Okta
Available with Kong Gateway Enterprise subscription - Contact Sales
Kong Konnect provides built-in authentication, allowing you to set up users and teams for Konnect authentication and authorization. Alternatively, you can set up single sign-on (SSO) access to Konnect using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). These authentication methods let your users log in to Konnect with IdP authorization, without needing additional Konnect-specific credentials. You can also configure a mapping between Okta group claims and Kong Konnect teams, so that Konnect team assignments for users are managed from within Okta.
This topic provides specific instructions for configuring SSO with Okta. See Configure Generic SSO for general instructions on setting up SSO for other identity providers.
Using a single authentication method is recommended; however, Konnect supports combining built-in authentication with either OIDC- or SAML-based SSO. Combining OIDC- and SAML-based SSO is not supported. Keep built-in authentication enabled while you are testing IdP authentication, and only disable it after successfully testing your SSO configuration.
Prerequisites
- An Okta account with administrator access to configure Applications and Authorization Server settings.
- A non-public Kong Konnect Dev Portal created in your Konnect organization.
Configure an Okta Application
Set up Konnect
Configure Okta connection details
Okta users and mapping groups to Konnect teams
While it is not required, it is recommended to use Konnect’s Okta group-to-team mapping feature. If you choose not to use this feature, approving new users requires a two-step process. First, the user logs in to Konnect with their Okta credentials. They receive an access error, but the new user becomes visible to the Konnect administrator. The administrator can then map the user to a valid Konnect team, which grants the user the required access. The new user must log in again to gain access.
Preferably, use the IdP group-to-team mapping feature to streamline this process. Use the following steps to enable this feature:
- In Konnect, go to Organization > Settings, click the Team Mappings tab, and enable the IdP Mapping feature. Each Konnect team can be mapped to one Okta group. For example, if you have a service_admin group in Okta, you might map it to the Service Admin team in Konnect. You can hover over the info (i) icon beside each field to learn more about the team, or see the teams reference for more information. You must have at least one group mapped to save configuration changes.
- Click Save.
After mapping is set up:
- Okta users belonging to the mapped groups can log in to Konnect.
- When a user logs into Konnect with their Okta account for the first time, Konnect automatically provisions an account with the relevant roles.
- If your org already has non-admin Konnect users before mapping, on their next login they will be mapped to the teams defined by their Okta group membership.
- An organization admin can view all registered users in Konnect, but cannot edit their team membership from the Konnect side. To manage automatically-created users, adjust user permissions through Okta, or adjust the team mapping.
Any changes to the mapped Okta groups on the Okta side are reflected in Konnect. For example:
- Removing a user from a group in Okta also deactivates their Konnect account.
- Moving a user from one group to another changes their team in Konnect to align with the new group-to-team mapping.
Debug and test the configuration
The Okta console provides a Token Preview feature that is useful for verifying the configuration values used in these SSO instructions. If you encounter issues configuring SSO with Okta, start by checking the Token Preview for the Okta application you created.
Test the SSO configuration by navigating to the login URI based on the organization login path you set earlier. For example, if you successfully configured a login path of examplepath, navigate to https://cloud.konghq.com/login/examplepath.
Attempt to log in with an Okta user assigned to your new application. If authorization is successful and the team configuration is correct, the user should be able to access the Konnect organization.
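As an added debugging aid (not Kong's or Okta's code), the script below takes the ID token shown in Okta's Token Preview, decodes its groups claim without verifying the signature, and reports which Konnect teams the group-to-team mapping above would grant and which groups are unmapped, so that a user who would hit the access error is spotted before they log in. The mapping dictionary, the claim name `groups`, and the token payload are constructed assumptions; substitute your own Token Preview output and mapping.

```python
"""Offline check of an Okta ID token's groups claim against a Konnect group-to-team mapping.
The signature is NOT verified: this is a configuration debugging aid, not an auth step."""
import base64
import json

# Constructed mapping: Okta group name -> Konnect team name (one group per team).
GROUP_TO_TEAM = {
    "service_admin": "Service Admin",
    "org_admin": "Organization Admin",
}

def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload (claims) of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve_teams(claims: dict, mapping: dict, groups_claim: str = "groups") -> dict:
    """Report the Konnect teams a user would receive and the groups that map to nothing."""
    groups = claims.get(groups_claim) or []
    teams = sorted({mapping[g] for g in groups if g in mapping})
    unmapped = sorted(g for g in groups if g not in mapping)
    return {
        "subject": claims.get("sub"),
        "teams": teams,
        "unmapped_groups": unmapped,
        # No mapped group means Konnect would show the access error described above.
        "access": bool(teams),
    }

def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."

# Constructed token standing in for what Token Preview shows for a test user.
ID_TOKEN = _make_unsigned_token({"sub": "jdoe@example.com", "groups": ["service_admin", "Everyone"]})

if __name__ == "__main__":
    print(json.dumps(resolve_teams(decode_jwt_payload(ID_TOKEN), GROUP_TO_TEAM), indent=2))
```

A user whose only groups appear under `unmapped_groups` is the case the two-step approval process above applies to.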
(Optional) Enable Kong Konnect as a dashboard app in Okta
If you want your users to have easy access to Kong Konnect alongside their other apps, you can add it to your Okta dashboard.
In Okta, navigate to the General Settings of your application and configure the application icon for users as needed.