» Okta Auth Method

The okta auth method allows authentication using Okta and user/password credentials. This allows Vault to be integrated into environments using Okta.

The mapping of groups in Okta to Vault policies is managed by using the users/ and groups/ paths.

» Authentication

» Via the CLI

The default path is /okta. If this auth method was enabled at a different path, specify -path=/my-path in the CLI.

$ vault login -method=okta username=my-username

» Via the API

The default endpoint is auth/okta/login. If this auth method was enabled at a different path, use that value instead of okta.

$ curl \
    --request POST \
    --data '{"password": "MY_PASSWORD"}' \
    http://127.0.0.1:8200/v1/auth/okta/login/my-username

The response will contain a token at auth.client_token:

{
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": [
      "admins"
    ],
    "metadata": {
      "username": "mitchellh"
    }
  }
}

» Configuration

Auth methods must be configured in advance before users or machines can authenticate. These steps are usually completed by an operator or configuration management tool.

» Via the CLI

  1. Enable the Okta auth method:

    $ vault auth enable okta
    
  2. Configure Vault to communicate with your Okta account:

    $ vault write auth/okta/config \
        base_url="okta.com" \
        organization="dev-123456" \
        token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"
    

    If no token is supplied, Vault will function, but only locally configured group membership will be available. Without a token, groups will not be queried.

    For the complete list of configuration options, please see the API documentation.

  3. Map an Okta group to a Vault policy:

    $ vault write auth/okta/groups/scientists policies=nuclear-reactor
    

    In this example, anyone who successfully authenticates via Okta who is a member of the "scientists" group will receive a Vault token with the "nuclear-reactor" policy attached.


    It is also possible to add users directly:

    $ vault write auth/okta/groups/engineers policies=autopilot
    $ vault write auth/okta/users/tesla groups=engineers
    

    This adds the Okta user "tesla" to the "engineers" group, which maps to the "autopilot" Vault policy.

    The user-policy mapping via group membership happens at token creation time. Any changes in group membership in Okta will not affect existing tokens that have already been provisioned. To see these changes, users will need to re-authenticate. You can force this by revoking the existing tokens.

» API

The Okta auth method has a full HTTP API. Please see the Okta Auth API for more details.