このページは、まだ日本語ではご利用いただけません。翻訳中です。
Set Up SSO with Okta
As an alternative to Kong Konnect’s native authentication, you can set up single sign-on (SSO) access to Konnect through Okta using OpenID Connect or SAML. These authentication methods allow your users to log in to Kong Konnect using their Okta credentials without needing a separate login.
You cannot mix authenticators in Kong Konnect. With Okta authentication enabled, all non-admin Konnect users will log in through Okta. Only the Konnect org owner can continue to log in with Konnect’s native authentication.
This topic covers configuring Okta. For generic instructions on configuring SAML or OIDC for use with other identity providers, see the generic SSO guide.
Prerequisites
-
Ensure that any users that need to use Konnect SSO are added to Okta
- To set up Okta single sign-on (SSO) for Konnect, you need access to an Okta admin account and a Konnect admin account, which you will access concurrently.
- Optionally, if you want to use team mappings, you must configure Okta to include group attributes.
Configure an application and group claims in Okta
Set up Konnect
Provide Okta connection details
(Optional) Map Konnect teams to Okta groups
By mapping Okta groups to Konnect teams, you can manage a user’s Konnect team membership directly through Okta group membership.
After mapping is set up:
- Okta users belonging to the mapped groups can log in to Konnect.
- When a user logs into Konnect with their Okta account for the first time, Konnect automatically provisions an account with the relevant roles.
- If your org already has non-admin Konnect users before mapping, on their next login they will be mapped to the teams defined by their Okta group membership.
- An organization admin can view all registered users in Konnect, but cannot edit their team membership from the Konnect side. To manage automatically-created users, adjust user permissions through Okta, or adjust the team mapping.
Any changes to the mapped Okta groups on the Okta side are reflected in Kong Konnect. For example:
- Removing a user from a group in Okta also deactivates their Konnect account.
- Moving a user from one group to another changes their team in Konnect to align with the new group-to-team mapping.
-
Configure a custom authorization server.
Important: Using the Okta API to set up group claims with a custom authorization server is an additional paid Okta feature. Alternatively, you can use the org authorization server and create a group, enable group push, and add a group claim to the org authorization server instead.
-
Navigate to the Token Preview tab of your authorization server and configure the following:
- OAuth/OIDC client: Enter the client name you previously created for your Okta application
- Grant Type: Authorization Code
- User: Select an Okta user that is assigned to the Konnect application to test the claim with
-
Scope:
openid
,email
,profile
In the generated Preview Token preview, ensure that the
groups
value is present. From the list of groups in the preview, identify groups that you want to use in Konnect. Take note of these groups. -
Refer to the token preview in Okta to locate the Okta groups you want to map.
You can also locate a list of all existing groups by going to Directory > Groups in Okta. However, not all of these groups may be accessible by the
groups
claim. See the claims setup step for details. -
In Kong Konnect, go to Organization > Settings, click the Team Mappings tab and do at least one of the following:
- To manage user and team memberships in Konnect from the Organization settings, select the Konnect Mapping Enabled checkbox.
- To assign team memberships by the IdP during SSO login via group claims mapped to Konnect teams, select the IdP Mapping Enabled checkbox and enter your Okta groups in the relevant fields.
Each Konnect team can be mapped to one Okta group.
For example, if you have a
service_admin
group in Okta, you might map it to theService Admin
team in Konnect. You can hover over the info (i
) icon beside each field to learn more about the team, or see the teams reference for more information.You must have at least one group mapped to save configuration changes.
- Click Save.
Test and apply the configuration
Important: Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication.
Test the SSO configuration by navigating to the login URI based on the organization login path you set earlier. For example: https://cloud.konghq.com/login/examplepath
, where examplepath
is the unique login path string set in the previous steps.
You can now manage your organization’s user permissions entirely from the IdP application.
(Optional) Enable Kong Konnect as a dashboard app in Okta
If you want your users to have easy access to Kong Konnect alongside their other apps, you can add it to your Okta dashboard.
In Okta, navigate to the General Settings of your application and configure the following settings:
Okta setting | Value |
---|---|
Grant type | Implicit (hybrid) |
Login Initiated by | Either Okta or App |
Application Visibility | Display application icon to users |
Initiate login URI | Enter your organization’s login URI. You can find the URI in Kong Konnect by going to Settings > Identity Management. |