Okta Single Sign-On (SSO)
In this page we will see the process of setting up Okta SSO with Codefresh. For the general instructions of SSO setup see the overview page.
Set up Okta as an Identity provider
- Log in to your Okta account, or create an Okta account if you don’t have one.
- On the general Okta dashboard, to open the Okta Admin Dashboard select Admin.
- From the list of shortcuts on the right, select Add Applications.
- Select Create New App.
- In the Create a New Application Integration pop-up, do the following:
- From the Platform drop-down, select Web as the platform for Codefresh.
- For the Sign on method, select OpenID Connect.
- Select Create.
- Configure OIDC integration in General Settings:
- App name (e.g. Codefresh).
- App logo (optional). Feel free to download and add this picture.
- Login redirect URI:
https://g.codefresh.io/api/auth/<your_codefresh_client_name>/callback
whereis generated by Codefresh when you configure SSO settings. For now, use a temp value such as `https://g.codefresh.io/api/auth/temp/callback`.
- Select Save.
Okta settings needed for SSO in Codefresh
To configure SSO settings for Okta in Codefresh, you meed the Client ID, Client Secret, Access token, and the Codefresh application ID as defined in Okta. Copy the values from the following screens:
Configure SSO for Okta in Codefresh
- In the Codefresh UI, go to Single Sign-On.
- Select + Add Single Sign-On and then select Okta.
- Enter the following:
- Client Name: For-auto generation, leave empty. Codefresh generates the client name once you save the settings.
- Display Name: The Application name in OKTA.
- Client ID: The OKTA application client ID you copied from Okta (see above).
- Client Secret: The OKTA application client secret you copied from OKta (see above).
- Client Host: The OKTA organization URL, for example,
https://<company>.okta.com.
Do not copy the URL from the admin view (e.g.https://<company>-admin.okta.com), as it will not work. - Access Token: Optional. The OKTA API token used to sync groups and their users from OKTA to Codefresh. The token can be generated in OKTA by going to the security tab->API (see above).
- Application ID: The Codefresh application ID in your OKTA organization, that will be used to sync groups and user from OKTA to Codefresh. This ID can be taken by navigating to your Codefresh APP in OKTA and copy it from the URL (see above).
- Optional. To automatically sync teams or groups in Okta to Codefresh, set Auto group sync to ON. This action syncs groups every 12 hours.
- Select +Add. Codefresh automatically generates the Client Name to which to identify the SSO configuration. Note it down.
Configure URIs in Okta
- In the Okta application, go to General Settings, and update the following with the client name generated by Codefresh:
- Login redirect URIs -
https://g.codefresh.io/api/auth/<your_codefresh_client_name>/callback - Initiate login URI -
https://g.codefresh.io/api/auth/<your_codefresh_client_name>
- Login redirect URIs -
You have now completed SSO setup for Okta.
How Okta syncing works
Syncing with Okta only affects teams/groups, and not individual users.
Codefresh only syncs users who are part of teams, though you can assign an Okta application to both groups and individual users. New users in Okta, not assigned to a team, are NOT synced with Codefresh. You should first assign the user to a team for the sync to work.
Sync teams after initial SSO setup
There are two ways to set up automatic syncing of teams:
- Pipeline running a CLI command: Create a Codefresh pipeline the runs the CLI command
codefresh synchronize teams my-okta-client-name -t oktaas explained in the pipeline sync page. - Turn on the auto-sync toggle as part of the SSO configuration settings.:
What to read next
See the overview page on how to test the integration, activate SSO for collaborators and create sync jobs.