Adding an Okta Workforce Identity Provider

Aside from generic protocol identity provider integrations, Border0 supports authenticating organization users against an Okta Workforce identity provider.

To integrate with an Okta Workforce identity provider, you will first need to create an Okta Application for Border0 and gather certain parameters.

Creating an Okta Application for Border0

  • [1] Sign in with Okta as an administrator and navigate to the admin console. The admin console will typically be found at https://${your-okta-subdomain}-admin.okta.com. In other words, if your Okta domain is acme-corp.okta.com, then the admin console will be found at https://acme-corp-admin.okta.com.
Screenshot: The Okta admin console

  • [2] Select "Applications" > "Applications" from the navigation menu on the left side pane
  • [3] Click on the "Create App Integration" button
Screenshot: The "Applications" page on the Okta admin console

  • [4] Select "OIDC - OpenID Connect" for the "Sign-In method" setting, and "Web Application" for the "Application type" setting
  • [5] Click "Next"
Screenshot: The "Create a new app integration" popup on the Okta admin console

  • [6] Give the application a name ("Border0" is the name in the example below) and optionally a logo
  • [7] Add Border0's redirect URL to the list of "Sign-in redirect URIs"
  • [8] Modify other settings as needed, e.g. grant access to the application to specific Okta Directory Groups or to everyone in your Okta Organization.

🚧

Step [7] is crucial! Make sure you've added Border0's redirect URL (https://auth.border0.com/login/callback) to the redirect URIs allowlist of your new Okta application.

Screenshot: The "New Web App Integration" page on the Okta admin console

  • [9] Take note of your Okta Domain, client ID, and client secret. You will need these parameters to configure your new Okta Workforce identity provider in Border0.
Screenshot: The overview page for a newly created Okta Application "Border0", showing where to find the Okta Domain, client ID, and client secret parameters required to add Okta Workforce as an identity provider for Border0

Identity Provider Configuration Parameters

(1) Name (required)

The identity provider's "name" is a unique identifier for the identity provider within your Border0 organization. In other words, no two custom identity providers for the same Border0 organization can have the same name.

The name must start with an alphanumeric character [a-zA-Z0-9] and may contain only alphanumeric characters and dashes ('-'); it must not include spaces.

🚧

Name is the only parameter which can not be changed after creation-time.

(2) Display Name

The identity provider's "display name" is the name that will appear on the button corresponding to the identity provider in the login page. As opposed to the name, the display name need not be unique within an organization, and can be changed at will.

(3) Logo URL

The identity provider's "logo URL" is the URL of the icon that will appear on the button corresponding to the identity provider in the login page.

(4) Okta Domain (required)

The identity provider's "okta domain" is the domain of your Okta Organization. This domain is typically of the form your-organization-name.okta.com (not the -admin.okta.com host of the admin console).

(5) Client ID (required)

The identity provider's "client ID" is the Okta Application's client ID - a string that Border0 will present to Okta when authenticating users. Okta uses this client ID to identify Border0 among all of its clients.

(6) Client Secret (required)

The identity provider's "client secret" is the Okta Application's client secret - a string that Border0 will present to Okta when authenticating users along with the client ID. The upstream identity provider uses this client secret to authenticate Border0 as a client.

Portal Instructions

Once you've gathered the necessary parameters, you can proceed to populate the "New Okta Workforce Identity Provider" form. Clicking "Submit" will add the identity provider.

For instructions on how to find this page in the portal, see the generic instructions on Adding a Custom Identity Provider.

Screenshot: The "New Okta Workforce Identity Provider" form on the Border0 Portal

CLI Instructions

Once you've gathered the necessary parameters, you can add your Okta Workforce identity provider with the command border0 organization idp add okta-workforce.

Example

$ border0 organization idp add okta-workforce \
	--name AcmeCorp-Okta \
	--display-name "ACME Corp. Login" \
	--logo-url https://your.logo.url.com/image.png \
	--okta-domain your-organization.okta.com \
	--client-id 0oa464jlbnXZQeBmU697 \
	--client-secret 1iWK0zwp3uPsOBfSgGsW7Zc1-N-zIwegKERvmY5D

[WARNING] You may need to to configure your Okta Workforce account to allow the redirect URL: https://auth.border0.com/login/callback

New Okta Workforce identity provider "AcmeCorp-Okta" successfully added to your organization!