このページは、まだ日本語ではご利用いただけません。翻訳中です。
Set Up SSO with Okta
You can set up single sign-on (SSO) access to Dev Portals through Okta using OpenID Connect or SAML. These authentication methods allow developers to log in to a Dev Portal using their Okta credentials without needing a separate login.
You cannot mix authenticators in a Kong Konnect Dev Portal. With Okta authentication enabled, all developers will log in to the Dev Portal through Okta.
This topic covers configuring Okta. For generic instructions on configuring SAML or OIDC for use with other identity providers, see the generic SSO guide.
Prerequisites
- Create a new OIDC application in Okta to manage Kong Konnect account integration. Configure the following settings:
Leave this page open. You’ll need the connection details here to configure your Kong Konnect account.
-
Optional: If you want to use group claims for Konnect developer team mappings, click the Sign On tab in Okta for your application to configure a groups
claim and configure the following fields:
Field |
Value |
Group claims type |
Filter |
Group claims filter |
groups , select Matches regex from the drop-down, then enter .* in the field. |
This claim tells Okta to reference a subset of Okta groups.
In this case, the wildcard (.*
) value tells Okta to make all groups available for team mapping.
If the authorization server is pulling in additional groups from
third-party applications (for example, Google groups), the groups
claim
cannot find them. An Okta administrator needs to duplicate those groups and
re-create them directly in Okta. They can do this by exporting the group in
question in CSV format, then importing the CSV file to populate the new group.
-
Add users to the Okta application.
-
Create a new SAML 2.0 application in Okta to manage Kong Konnect account integration. Configure the following placeholder settings:
-
Optional: To include additional user attributes beyond authentication, add the following three attributes in the Attribute Statements:
Name |
Name format |
Value |
firstName |
Unspecified |
user.firstName |
lastName |
Unspecified |
user.lastName |
email |
Unspecified |
user.email |
-
Optional: If you want to use group claims for Konnect developer team mappings, configure a groups attribute claim and fill in the following fields:
Name |
Name format |
Filter |
Filter Value |
groups |
Unspecified |
Matches regex |
.* |
-
Add users to the Okta application.
-
Generate a signing certificate to use in Konnect.
Set up Konnect
Provide Okta connection details
-
In a separate browser tab, open Konnect Dev Portal, click the Dev Portal you want to configure SSO for, click Settings in the sidebar and then click the Identity tab.
-
Click Configure for OIDC.
-
In Okta, update the placeholder Single Sign-On URL and Audience URI (SP Entity ID) values that you set in the previous section with the Dev Portal callback URL.
-
In Okta, locate your issuer URI in your authorization server settings. It should look like the following: https://{yourOktaOrg}.okta.com/oauth2/default
-
Paste the issuer URI from Okta in the Provider URL field in Konnect.
-
In Okta, copy your client ID and client secret from your Konnect application.
-
Paste the Client ID and Client Secret from your Okta
application into Kong Konnect.
See the Okta developer documentation
to learn more about client credentials in Okta.
-
Optional: Map existing developer teams from Okta groups to Konnect Dev Portal teams.
-
After clicking Save, close the configuration dialog and from the OIDC context menu, click Enable OIDC.
-
In a separate browser tab, open Konnect Dev Portal, click the Dev Portal you want to configure SSO for, click Settings in the sidebar and then click the Identity tab.
-
Click Configure for SAML.
-
In Okta, go to Sign On page in the Okta application created in the previous step and copy the IDP Metadata URL under the Settings section. It should look like: https://<your-okta-domain>.okta.com/app/exkgzjkl0kUZB06Ky5d7/sso/saml/metadata
- Click Save.
- Copy the Single Sign-On URL and Audience URI that display after you configured SAML SSO.
-
In Okta, update the placeholder Single Sign-On URL and Audience URI (SP Entity ID) values that you set in the previous section with the Single sign-on URL and Audience URI that display in the SAML config in Dev Portal.
-
Optional: Map existing developer teams from Okta groups to Konnect Dev Portal teams.
- In Konnect, close the configuration dialog and click Enable SAML from the context menu.
Test and apply the configuration
Important: Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication.
-
Test the SSO configuration by navigating to the callback URL for your Dev Portal. For example: https://{portalId}.{region}.portal.konghq.com/login
.
You will see the Okta sign in window if your configuration is set up correctly.
-
Using an account that belongs to one of the groups you just mapped, log
in with your Okta credentials.
If a group-to-team mapping exists, the user is automatically provisioned with a Kong Konnect Dev Portal developer account with the relevant team membership.
-
In Konnect Dev Portal, click the Dev Portal you configured SSO for and click Developers in the sidebar.
You should see a list of users in this org, including a new entry for the user you used to log in.
You can now manage your organization’s user permissions entirely from the IdP application.
(Optional) Enable Kong Konnect Dev Portal as a dashboard app in Okta
If you want your users to have easy access to Kong Konnect Dev Portal alongside their other apps, you can add it to your Okta dashboard.
In Okta, navigate to the General Settings of your application and configure the following settings:
Okta setting |
Value |
Grant type |
Implicit (hybrid) |
Login Initiated by |
Either Okta or App |
Application Visibility |
Display application icon to users |
Initiate login URI |
Enter your organization’s login URI. You can find the URI in Kong Konnect by going to your Dev Portal, clicking Settings, clicking the Identity tab, and then clicking Configure provider next to your authentication method. |