Okta is a popular identity provider used by businesses of all sizes. Integrating Pomerium with Okta allows you to use the identity Okta provides to apply context-driven policies from Pomerium to your infrastructure.
Create OpenID Connect Application
Log in to your Okta account. From the left-hand menu, select Applications → Applications.
Click the Create App Integration button. Select OIDC - OpenID Connect as the sign-in method and Web Application as the application type:
Click Next to continue.
Provide the following information for your application settings:
Name: The name of your application.
Grant type allowed: You must enable Refresh Token.
Base URIs: Optional. The domain(s) of your application.
Sign-in redirect URIs: Redirect URL (e.g.
Controlled Access: The user groups that can sign in to this application. See Group ID for more information.
Click Save to proceed. You'll be taken to the General tab of your app.
Create Service Account
Next, we'll create an API token so that Pomerium can retrieve group membership for each user and evaluate it in policy.
From the main menu, navigate to Security → API. Select the Tokens tab and click the Create Token button. Name the token, then copy its value (Okta shows it only once) so you can apply it to the Pomerium configuration below. The token carries the permissions of the Okta user who created it, so create it as a dedicated, least-privileged administrator rather than a super admin, and treat the value as a secret:
The API token is supplied as the value of the idp_service_account key, formatted as a base64-encoded JSON document:
You can save the object as a temporary file to encode it. The -w 0 flag (GNU coreutils) suppresses line wrapping, which matters because Pomerium expects the value on a single line; on BSD/macOS base64 there is no -w flag, so pipe through tr -d '\n' instead. Delete the temporary file once you have the encoded value, since it contains the raw token:
base64 -w 0 tmp.json
Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. Depending on whether you use a config file or environment variables, the relevant settings look something like this.
- Config File
idp_client_id: "REPLACE ME"
idp_client_secret: "REPLACE ME"
idp_service_account: "REPLACE ME" # base64 encoded JSON object
- Environment Variables
IDP_CLIENT_ID="REPLACE_ME"
IDP_CLIENT_SECRET="REPLACE_ME"
IDP_SERVICE_ACCOUNT="REPLACE_ME" # base64 encoded JSON object
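The following script ties the service-account step and the final configuration step together. It is an added example written for this page, not a script shipped by Pomerium or Okta. It assumes that the JSON document Pomerium expects for Okta has a single key named api_key holding the Okta API token, and it additionally emits idp_provider and idp_provider_url, two settings Pomerium requires for Okta that the steps above do not list; the Okta org URL and the token used in the demo are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example for this page (not Pomerium's or Okta's own tooling).
# Assumption: Pomerium's Okta service account is base64({"api_key": "<token>"}).
set -euo pipefail

# Read the Okta API token from stdin rather than argv, so the secret does not
# end up in shell history or in `ps` output. Emits one line of base64.
encode_service_account() {
  local token
  IFS= read -r token || [ -n "$token" ]   # tolerate input without a trailing newline
  # Okta API tokens are URL-safe; refuse anything that would need JSON escaping
  # rather than silently producing a document Pomerium cannot parse.
  case "$token" in
    ''|*[!A-Za-z0-9_-]*)
      echo "refusing empty token or token with unexpected characters" >&2
      return 1 ;;
  esac
  # `tr -d '\n'` is the portable replacement for GNU's `base64 -w 0`:
  # GNU base64 wraps at 76 columns by default and BSD/macOS base64 has no -w.
  printf '{"api_key":"%s"}' "$token" | base64 | tr -d '\n'
}

# Decode an idp_service_account value back to JSON so it can be checked before
# it is deployed (a wrapped or truncated value is the usual cause of failures).
decode_service_account() {
  printf '%s' "$1" | base64 -d
}

# Render the Pomerium settings as config-file keys, then as environment
# variables (Pomerium maps each key to its upper-cased name).
# $1 = Okta org URL, $2 = client ID, $3 = client secret, $4 = encoded service account
render_config() {
  printf '# Config File\n'
  printf 'idp_provider: "okta"\n'
  printf 'idp_provider_url: "%s"\n' "$1"
  printf 'idp_client_id: "%s"\n' "$2"
  printf 'idp_client_secret: "%s"\n' "$3"
  printf 'idp_service_account: "%s" # base64 encoded JSON object\n' "$4"
  printf '\n# Environment Variables\n'
  printf 'IDP_PROVIDER="okta"\n'
  printf 'IDP_PROVIDER_URL="%s"\n' "$1"
  printf 'IDP_CLIENT_ID="%s"\n' "$2"
  printf 'IDP_CLIENT_SECRET="%s"\n' "$3"
  printf 'IDP_SERVICE_ACCOUNT="%s" # base64 encoded JSON object\n' "$4"
}

# Demo with constructed placeholder values; run as `bash okta-sa.sh demo`.
# In real use: printf '%s' "$OKTA_API_TOKEN" | encode_service_account
if [ "${1:-}" = "demo" ]; then
  demo_token='00Example_Not-A-Real-Token'          # constructed placeholder
  encoded=$(printf '%s' "$demo_token" | encode_service_account)
  echo "decoded check: $(decode_service_account "$encoded")"
  render_config "https://example.okta.com" "REPLACE ME" "REPLACE ME" "$encoded"
fi
```

The validation in encode_service_account is deliberately strict: a token containing a quote or backslash would yield invalid JSON that Pomerium rejects only at startup, and an empty token usually means the variable holding it was never set.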