Okta

Setting Up Okta Single Sign-On (SSO)

This page describes how to set up Okta SSO with Codefresh. For general SSO setup instructions, see the overview page.

Setting Okta as an Identity provider

  1. Log in to your Okta account. If you don’t already have one, you will need to create one.

On the general Okta dashboard, click Admin. This takes you to the Okta Admin Dashboard.

Okta Dashboard

Using the list of shortcuts at the right-hand side of the screen, click Add Applications.

Okta Applications

On the Add Application page, select Create New App.

Create new application

On the Create a New Application Integration pop-up window, select Web as the Platform for Codefresh application, and choose OpenID Connect as the Sign on method. Click Create to proceed.

Choose Sign-on method

  2. You will now create your OIDC integration. On the General Settings page, provide the following:
  • App name (e.g. Codefresh)
  • App logo (optional). Feel free to download and add this picture
  • Login redirect URI: https://g.codefresh.io/api/auth/<your_codefresh_client_name>/callback. You will obtain your Codefresh client name later in the process and then come back to update this value; for now, use a temporary value such as https://g.codefresh.io/api/auth/temp/callback

OpenID integration

Click Save to proceed.

  3. Go back to the SSO settings screen in the Codefresh GUI, described in the first part of this guide.

You need to enter the following:

  • Display Name - shown as the application name in Okta.
  • Client ID - your Okta application client ID (see below).
  • Client Secret - your Okta application client secret (see below).
  • Client Host - your Okta organization URL (e.g. https://<company>.okta.com). Do not copy it from the admin view (e.g. https://<company>-admin.okta.com), as that URL will not work.
  • Access Token (optional) - an Okta API token used to sync groups and users from Okta to Codefresh. You can generate the token in Okta under Security -> API (see below).
  • App ID - the ID of your Codefresh application in your Okta organization, used to sync groups and users from Okta to Codefresh. To find it, navigate to your Codefresh app in Okta and copy the ID from the URL (see below).

Client ID and secret

Access token

App ID

  4. Once you save the identity provider, Codefresh assigns a client name to it that identifies the SSO configuration. Note it down.

Client name

  5. Go back to your Okta application's General Settings and update the following two configurations with the client name generated by Codefresh:
  • Login redirect URIs - https://g.codefresh.io/api/auth/<your_codefresh_client_name>/callback
  • Initiate login URI - https://g.codefresh.io/api/auth/<your_codefresh_client_name>

This concludes the SSO setup for Okta.
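As an added example (not Codefresh's or Okta's code), the following Python helper checks the values from the steps above against the rules this page states: the Client Host must be the organization URL rather than the admin URL, and the two Okta URIs must carry the client name Codefresh assigned instead of the temporary placeholder. All sample values are constructed.

```python
# Added example, not Codefresh or Okta code: sanity-check the Okta <-> Codefresh
# OIDC settings this page walks through before saving them. Values are constructed;
# the auth base URL and URI patterns are the ones the page gives.
from urllib.parse import urlparse

CODEFRESH_AUTH_BASE = "https://g.codefresh.io/api/auth"  # base of the page's redirect URIs
TEMP_CLIENT_NAME = "temp"  # placeholder the page says to use until the client name exists


def validate_client_host(client_host: str) -> list:
    """Return problems with the Client Host value (empty list means OK).

    The page warns that the admin URL (https://<company>-admin.okta.com) does
    not work; the organization URL (https://<company>.okta.com) must be used.
    """
    problems = []
    u = urlparse(client_host)
    if u.scheme != "https":
        problems.append("Client Host must be an https URL")
    host = u.hostname or ""
    if not host:
        problems.append("Client Host has no hostname")
    elif host.split(".")[0].endswith("-admin"):
        problems.append("Client Host is the admin URL (<company>-admin...); use the organization URL")
    if u.path not in ("", "/") or u.query or u.fragment:
        problems.append("Client Host should be the bare organization URL without a path")
    return problems


def expected_okta_uris(client_name: str) -> dict:
    """URIs the Okta app must carry once Codefresh has assigned the client name."""
    return {
        "login_redirect_uri": f"{CODEFRESH_AUTH_BASE}/{client_name}/callback",
        "initiate_login_uri": f"{CODEFRESH_AUTH_BASE}/{client_name}",
    }


def validate_okta_app(client_name: str, login_redirect_uri: str, initiate_login_uri: str) -> list:
    """Check the two Okta settings from the last setup step against the client name."""
    problems = []
    if client_name == TEMP_CLIENT_NAME or f"/{TEMP_CLIENT_NAME}/" in login_redirect_uri:
        problems.append("Login redirect URI still uses the temporary client name")
    want = expected_okta_uris(client_name)
    if login_redirect_uri != want["login_redirect_uri"]:
        problems.append(f"Login redirect URI should be {want['login_redirect_uri']}")
    if initiate_login_uri != want["initiate_login_uri"]:
        problems.append(f"Initiate login URI should be {want['initiate_login_uri']}")
    return problems
```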

How Okta syncing works

Note that syncing with Okta only affects teams/groups, not individual users.

You can assign an Okta application to both groups and individual people, but Codefresh only syncs people who belong to teams. Newly created people in Okta who are not assigned to a team will NOT be synced to Codefresh. Assign them to a team first; they will then be synced as part of that team.

Syncing of teams after initial SSO setup

There are two ways to set up automatic syncing of teams.

First, you can create a Codefresh pipeline that runs the CLI command codefresh synchronize teams my-okta-client-name -t okta, as explained in the pipeline sync page.

Alternatively, you can set up completely automated syncing by enabling the auto-sync toggle found in the top right of the integration:

Automatic team syncing

If you enable this, Codefresh syncs teams on its own every 12 hours, without the need for a pipeline.

See the overview page for how to test the integration, activate SSO for collaborators, and create sync jobs.