Configure Okta for OIDC

You can configure Okta as an OpenID Connect (OIDC) authentication mechanism in Sysdig.

Prerequisites

Sysdig

Okta

The topics below call out specific steps that require additional action.

Configure Okta

This topic describes the minimal configuration options in Okta. You may need to adjust them based on the specifics of your environment.

General Settings

Specify the application name, and optionally, add a logo.

If you don’t intend to configure the IdP-initiated login flow, select Do not display application icon to users and Do not display application icon in the Okta Mobile app.

Login

Make sure to disable the option Allow wildcard * in login URI redirect. With wildcards disabled, Okta only sends the authentication response to the exact redirect URI you register, which is the behaviour an OIDC relying party such as Sysdig expects.

Identify the correct Sign-in redirect URI associated with your Sysdig application and region. Enter the value in the field for Sign-in redirect URI. Click Save.

See the Redirect URI section for more information.

This is the callback URL to which Okta sends the authentication response and ID token when a user attempts to log in to Sysdig using SSO.

Parameters Required for Sysdig Configuration

Copy the following values; you enter them as the OpenID configuration parameters in the Sysdig authentication settings.

  • Client ID: Copy the value from the Client Credentials section on the General tab.
  • Client Secret: Copy the client secret from the Client Secrets section on the General tab.
  • Issuer URL: Copy the value from the OpenID Connect ID Token section on the Sign On tab.

Configure Sysdig Settings

To enable Okta OpenID functionality on the Sysdig application, specify the following:

  • Client ID: Specify the value you have copied from the Client Credentials section on the General tab.
  • Client Secret: Specify the value you have copied from the Client Secrets section on the General tab.
  • Issuer URL: Specify the value you have copied from the OpenID Connect ID Token section on the Sign On tab.
  • Base Issuer: Your Okta domain name. For example, https://myOktaOrg.okta.com
  • Authorization Endpoint: To view the metadata tied to your Okta application, including the Authorization Endpoint, query the following endpoint:

    https://{myOktaOrg}/.well-known/openid-configuration?client_id={ClientId}

    Replace {myOktaOrg} with your Okta domain name and {ClientId} with the Client ID associated with your Okta web application. The response is a JSON document like the following (values redacted):

```json
{
  "issuer": "https://myOktaOrg.okta.com",
  "authorization_endpoint": "https://myOktaOrg.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://myOktaOrg.okta.com/oauth2/v1/token",
  "userinfo_endpoint": "https://myOktaOrg.okta.com/oauth2/v1/userinfo",
  "registration_endpoint": "https://myOktaOrg.okta.com/oauth2/v1/clients/<redacted>",
  "jwks_uri": "https://myOktaOrg.okta.com/oauth2/v1/keys?client_id=<redacted>",
  <redacted>
}
```
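The following script is an added example, not Sysdig's or Okta's own code, showing how an administrator can pull the values this page asks for (Issuer URL, Base Issuer, Authorization Endpoint) out of the discovery document and sanity-check them before pasting them into the Sysdig settings. It also applies the redirect-URI rule from the Login section (no wildcard, fixed https URL). The discovery document embedded below is a constructed sample that mirrors the redacted response above; the hostname, client ID and redirect URI are placeholders, and `fetch_discovery` is only needed when you want to read the live document instead of the sample.

```python
"""Extract and validate Okta OIDC discovery values for a Sysdig configuration.

Added example; the discovery document below is a constructed sample, not a
capture from a real Okta org.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample discovery document, trimmed to the fields Sysdig needs.
# "myOktaOrg.okta.com" and "PLACEHOLDER_CLIENT_ID" stand in for real values.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://myOktaOrg.okta.com",
    "authorization_endpoint": "https://myOktaOrg.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://myOktaOrg.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://myOktaOrg.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://myOktaOrg.okta.com/oauth2/v1/keys?client_id=PLACEHOLDER_CLIENT_ID",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(okta_domain: str, client_id: str) -> str:
    """Build the metadata URL shown on the page from the Okta domain and Client ID."""
    return f"https://{okta_domain}/.well-known/openid-configuration?client_id={client_id}"


def fetch_discovery(okta_domain: str, client_id: str, timeout: float = 10.0) -> dict:
    """Read the live discovery document (requires network access to your Okta org)."""
    with urllib.request.urlopen(discovery_url(okta_domain, client_id), timeout=timeout) as resp:
        return json.load(resp)


def check_redirect_uri(uri: str) -> str:
    """Enforce the Login section's rule: an exact https URL with no wildcard.

    Returns the URI unchanged when it passes, raises ValueError otherwise.
    """
    if "*" in uri:
        raise ValueError("redirect URI must not contain a wildcard")
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("redirect URI must be an absolute https URL")
    if parsed.fragment:
        raise ValueError("redirect URI must not carry a fragment")
    return uri


def sysdig_params(discovery_doc: str, base_issuer: str) -> dict:
    """Return the values for the Sysdig settings, checking that they agree.

    base_issuer is the Okta domain from the Base Issuer row, for example
    https://myOktaOrg.okta.com. Every endpoint Okta advertises must sit on
    that same host, otherwise you are pointed at a different org or a typo.
    """
    doc = json.loads(discovery_doc)
    issuer = doc["issuer"]
    issuer_host = urlparse(issuer).netloc.lower()
    base_host = urlparse(base_issuer).netloc.lower()
    if urlparse(issuer).scheme != "https":
        raise ValueError("issuer must use https")
    if not issuer_host or issuer_host != base_host:
        raise ValueError(f"issuer {issuer} is not on the Base Issuer domain {base_issuer}")

    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc[key]
        if urlparse(url).netloc.lower() != issuer_host:
            raise ValueError(f"{key} {url} does not sit on the issuer host")
        endpoints[key] = url

    # Refuse an issuer that does not advertise an asymmetric ID-token algorithm.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError("issuer does not advertise RS256 for ID tokens")

    return {
        "issuer_url": issuer,
        "base_issuer": base_issuer,
        "authorization_endpoint": endpoints["authorization_endpoint"],
        "token_endpoint": endpoints["token_endpoint"],
        "jwks_uri": endpoints["jwks_uri"],
    }


if __name__ == "__main__":
    # Placeholder redirect URI; use the Sign-in redirect URI for your Sysdig region.
    print(check_redirect_uri("https://sysdig.example/oauth/callback"))
    for name, value in sysdig_params(SAMPLE_DISCOVERY, "https://myOktaOrg.okta.com").items():
        print(f"{name}: {value}")
```

Run it as-is to see the values extracted from the sample; to check a real org, replace `SAMPLE_DISCOVERY` with `json.dumps(fetch_discovery("yourOrg.okta.com", "yourClientId"))` and pass your own Base Issuer. The host comparison is the useful part: it catches the common mistake of copying an Issuer URL from one Okta org or authorization server while entering a different domain as Base Issuer.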