OIDC authentication with Okta
OpenID Connect (OIDC) is an internet-scale federated identity and authentication protocol built on top of the OAuth 2.0 authorization framework and the JSON Object Signing and Encryption (JOSE) cryptographic system. OIDC builds on top of the OAuth 2.0 authorization protocol to enable a user to authorize a third-party application to access the user’s identity and authentication information.
The OIDC authentication method allows Boundary users to delegate authentication to an OIDC provider. This feature allows Boundary to integrate with popular identity providers like Okta, cloud-hosted active directory services with an OIDC frontend, and cloud identity management systems such as AWS IAM.
Boundary users can create, read, update, and delete new OIDC authentication methods using the Admin Console UI, Boundary CLI, or the Boundary Terraform provider to enable login. OIDC auth methods can also be utilized for logging into the Admin Console and Desktop applications.
This tutorial provides an example of setting up OIDC with the Okta provider and managing OIDC authentication methods.
OIDC authentication methods overview
- Authentication workflow
- Okta configuration
- Auth method creation
- Authentication states
- OIDC authentication
Prerequisites
A Boundary binary greater than 0.8.0 in your
PATH
This tutorial assumes you can connect to an HCP Boundary cluster or launch Boundary in dev mode.
An Okta test account. The associated email address should not be tied to another SSO method, so use of a personal account is recommended.
Installing the Boundary Desktop App provides an optional workflow for this tutorial. The 1.2.0 version or above is required for OIDC support.
Installing Terraform 0.13.0 or greater provides an optional workflow for this tutorial. The binary must be available in your
PATH
.
Get setup
In this tutorial, you will test OIDC integrations using HCP Boundary or by running a Boundary controller locally using dev mode.
Start Boundary in dev mode:
$ boundary dev==> Boundary server configuration: [Controller] AEAD Key Bytes: hdcjQ5gegRbttzQ66D5GJjcxB+xtdHzL [Recovery] AEAD Key Bytes: E1/gdhTuDyhsvIm+tkQR0i4m/uSRrd5A [Worker-Auth] AEAD Key Bytes: gwo86AYxBlbPCLsw9lsBzZ4Fd7adcydw [Recovery] AEAD Type: aes-gcm [Root] AEAD Type: aes-gcm [Worker-Auth-Storage] AEAD Type: aes-gcm [Worker-Auth] AEAD Type: aes-gcm Cgo: disabled Controller Public Cluster Addr: 127.0.0.1:9201 Dev Database Container: hardcore_keller Dev Database Url: postgres://postgres:password@localhost:55000/boundary?sslmode=disable Generated Admin Login Name: admin Generated Admin Password: password Generated Host Catalog Id: hcst_1234567890 Generated Host Id: hst_1234567890 Generated Host Set Id: hsst_1234567890 Generated Oidc Auth Method Id: amoidc_1234567890 Generated Org Scope Id: o_1234567890 Generated Password Auth Method Id: ampw_1234567890 Generated Project Scope Id: p_1234567890 Generated Target Id: ttcp_1234567890 Generated Unprivileged Login Name: user Generated Unprivileged Password: password Listener 1: tcp (addr: "127.0.0.1:9200", cors_allowed_headers: "[]", cors_allowed_origins: "[*]", cors_enabled: "true", max_request_duration: "1m30s", purpose: "api") Listener 2: tcp (addr: "127.0.0.1:9201", max_request_duration: "1m30s", purpose: "cluster") Listener 3: tcp (addr: "127.0.0.1:9203", max_request_duration: "1m30s", purpose: "ops") Listener 4: tcp (addr: "127.0.0.1:9202", max_request_duration: "1m30s", purpose: "proxy") Log Level: info Mlock: supported: false, enabled: false Version: Boundary v0.10.3 Version Sha: d9eba38993eb70820a396894f2f1e28601d13c3d Worker Auth Current Key Id: folic-obliged-dude-stroller-skinless-eloquence-legible-dispense Worker Auth Registration Request: GzusqckarbczHoLGQ4UA25uSRm41paoR5HikgcBsCT4PMDFT7StpsFy5xjiWJwxszReKwcfGniKLcdpQto5HjhH3PqmdLU8fdT9kM7RMLiyzLKWdLqVWBhhdUiEy7Re2ConJcGWdHsGK7Th6zVQ3SXjqND3dQ3ytcVtAhdEznJQ58ib6HoMvpMTs66TS5ULCBXxpQ1u2syC6ChNPEPbaSpQd9pKWjPcPRVDjKpMzp6cjw9LZSPxBdadM81f7yS3voWoM5yMciXdUW6rqSMaP1NxRvQUAdhVQsM1ZqGLHNV Worker Auth Storage Path: /var/folders/8g/4dnhwwzx2d771tkklxwrd0380000gp/T/nodeenrollment1533264699 Worker Public Proxy Addr: 127.0.0.1:9202 ==> Boundary server started! Log data will stream in below: { "id": "GypYTtKfJI", "source": "https://hashicorp.com/boundary/localmachine/controller+worker", "specversion": "1.0", "type": "system", "data": { "version": "v0.1", "op": "github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent", "data": { "@original-log-level": "none", "@original-log-name": "aws", "msg": "configuring client automatic mTLS" } }, "datacontentype": "text/plain", "time": "2022-09-06T14:14:37.939433-06:00"}...... More log output ......
Leave dev mode running in the current session, and open a new terminal window or tab.
Authenticate to the local Boundary dev server. Enter the password password
when prompted.
$ boundary authenticate password -auth-method-id ampw_1234567890 -login-name adminPlease enter the password (it will be hidden): <password> Authentication information: Account ID: acctpw_1234567890 Auth Method ID: ampw_1234567890 Expiration Time: Wed, 14 Jul 2021 11:38:18 MDT User ID: u_1234567890 The token was successfully stored in the chosen keyring and is not displayed here.
Providers
To enable an OIDC auth method an administrator must first configure their OIDC provider, and then Boundary. The administrator registers Boundary as a new client with their OIDC provider by providing some values unique to their Boundary deployment. The administrator then configures Boundary with unique client information provided by their OIDC provider during registration. These values must match up for OIDC to work.
The administrator will need to provide a list of Boundary callback URLs when configuring the OIDC provider. The callback URLs route to one of the controllers and must begin with 'https', unless Boundary is in dev mode, where the URLs will route to localhost.
Many OIDC providers can be integrated with Boundary. This tutorial demonstrates working with Okta, a popular provider for OIDC.
Get setup with Okta
A customer identity account and sample application are required to setup Okta as an OIDC provider for Boundary. If you don't have a account, sign up for Okta. It is recommended to use a personal account for testing, and to avoid integrating an email address that might already be associated with Okta. A free account is suitable for testing OIDC integration with Boundary.
Create a user
You have the option of creating a dedicated user for testing the OIDC authentication with.
If you want to use the default user, skip user creation and head to the next section on creating an application.
Note
If you choose to create a new Okta user outside of the default account, note that you may need to log out of the administrative account and log in as the new user when authenticating using Boundary later on.
Create an Okta user that will be permitted to log into the application that authorizes Boundary. This is managed using the "Directory" dashboard.
Once signed up, the Okta Admin Dashboard is displayed, or can be visited at the
/admin/dashboard
endpoint for your Okta domain, such ashttps://dev-1944432.okta.com/admin/dashboard
.Open the Directory menu using the sidebar on the left side of the page and click on People.
Click Add person.
Enter the user details, Email and change the Password field to "Set by admin". Then enter the user's password, and Click Save.
The new user's details should be displayed in the People Dashboard.
If using Terraform to provision Boundary, select the newly created user, then copy the URL endpoint (excluding any trailing
#
symbol). This is the user ID. Save this value for defining theoidc_user
subject
later on.
Create an application
An application is what authorizes Okta users added in the previous step to connect with Boundary. After creating an application, its configuration details are used to add the OIDC auth method to Boundary.
Navigate to the Applications view using the sidebar on the left side of the page.
From the Applications view, click the Create App Integration button.
In the "Create a new app integration" popup, select OIDC - OpenID Connect and Web Application and click Next.
From the "Create OpenID Connect App Integration" page, give your application a name. This tutorial calls the application Boundary OIDC Test.
You will also need to provide a Login redirect URIs of
http://localhost:9200
.http://localhost:9200
and a a Logout redirect URIs of
http://localhost:3000
.http://localhost:3000
Scroll down to the Assignments section.
Under Controlled access, select "Skip group assignment for now".
Make sure the fields shown in the screenshot below match your config, and then click Save.
Once saved the browser should redirect to the application settings view. If not, Visit Applications using the navigation bar on the left and select the new application.
Click on the Assignments setting view.
Click Assign and select Assign to People.
In the "Assign Boundary OIDC Test to People" pop-up, click the Assign button next to the user name you want to associate with the application. If you did not create a new user in the previous step, this will be the default Okta login account.
Scroll down to the bottom of the "Assign Boundary OIDC Test to People" form, click Save and Go Back and then Done. The user should now be listed under the Boundary OIDC Test application's "Assignments" tab.
Navigate to the Boundary OIDC Test application's General setting view. Click Edit under the "General Settings" section.
Scroll down to the Login section.
Paste the following callback URL under the Sign-in redirect URIs field.
http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
This value is also printed later on when creating the OIDC method with the Boundary CLI, but is fixed and can be entered into the Okta provider settings ahead of time.
Set the Initiate login URI to the same callback URL value.
Lastly, ensure that the Logout redirect URIs is set to
http://localhost:3000
for this tutorial, because Boundary is running in dev mode.http://localhost:3000
Click Save. Make sure your config matches the image shown below.
Scroll to the top of the Boundary OIDC Test application's General setting view.
Two important values are listed here for use when configuring OIDC with Boundary.
- Client ID
- Client secret
Additionally, you will need the Okta domain for your app. This can be located at the top-right portion of the Okta webpage.
Click the dropdown in the top-right beside your username. Your Okta domain is the value beneath your username, such as:
dev-1944432.okta.com
Keep this page open to refer to these three values in the next steps.
Auth method creation
Authentication is the process of establishing a user's identity. The user initiates this process by selecting an auth method.
When the user selects an OIDC auth method, the user's client sends a request to the system and includes additional data about the client itself. The system then returns two URLs: an OIDC authentication request URL and a Boundary token request URL.
If the user's client is a web browser, the client stores the Boundary token request URL in local storage then redirects the page to the OIDC authentication request URL. If the user's client is not a web browser, the client opens a web browser to the OIDC authentication request URL and begins polling the Boundary token request URL.
The user interacts with the OIDC provider to prove their identity using the browser window opened by the user's client. Once the OIDC provider has authenticated the user's identity, it redirects the browser window back to Boundary. The user's client then retrieves a Boundary token from the request URL.
To get started, an authentication method must be created for the provider of choice.
Create auth method for the provider
To set up a new auth method for your provider you will need the following from your provider's application settings:
- issuer
- client-id
- client-secret
Auth methods can be created using the Admin Console UI, CLI, or using Terraform.
The Boundary Admin Console provides a UI for creating and managing OIDC resources, including auth methods.
Open the Admin Console UI by entering the Dev Controller URL of
http://localhost:9200
into a browser.
Enter the admin username admin
and password password
and click
Authenticate.
For Okta, these settings map to the following:
issuer
-> Okta Domainclient-id
-> Client IDclient-secret
-> Client secret
With these values you gathered from Okta's application settings above a new OIDC auth method can be created.
Start by navigating to the Auth Methods settings view using the menu on the left side of the Admin Console. Select New and click OIDC.
Fill out the form details using the settings gathered from the Okta application settings.
These include:
- Name (Example:
Okta
) - Description (Example:
Okta OIDC test auth method
) - Issuer (Example:
https://dev-1944432.okta.com
) - Client ID (Example:
0oal6fr0tPGZ0DSbr5d9
) - Client Secret (Example:
4BStQlbuTTrh5P-JhGAKW2FVPh48idEbCAOWWVXK
) - Signing Algorthm (Set to RS256) - Click Add
Additionally, set the API URL Prefix as follows:
- API URL Prefix:
http://localhost:9200
API URL Prefix
The API URL Prefix is set to http://localhost:9200
because Boundary is running in dev mode. This URL is used for actions like token retrieval and redirection.
Once the form is completed, click Save.
The new authentication method has now been created. To the right of the new auth method, notice the state is set to Inactive. Before it can be used the new auth method must be switched to an active state.
Next we will review the available authentication states and activate the new OIDC auth method.
Troubleshooting
Troubleshooting: If unable to save the auth method, ensure that the Issuer is prefixed by https://
and does NOT have a trailing /
at the end of the URL.
Authentication states
An OIDC auth method can be in one of several different states: Inactive, Active Private, and Active Public. The current state of an OIDC auth method affects how endpoints respond to requests and, in some cases, whether access to an endpoint requires authentication.
State change operations
- MakeInactive transitions an OIDC auth method from either the Active Private or the Active Public state into the Inactive state.
- MakePrivate transitions an OIDC auth method from either the Inactive or the Active Public state into the Active Private state. If transitioning from the Inactive state, the transition will only succeed if the configuration is valid.
- MakePublic transitions an OIDC auth method from either the Inactive or the Active Private state into the Active Public state. If transitioning from the Inactive state, the transition will only succeed if the configuration is valid.
Three different states exist for an authentication method:
inactive
users can not authenticate with inactive auth methods and the inactive auth methods are not listed for unauthenticated users.active-private
users can authenticate with active-private auth methods and active-private auth methods are not listed for unauthenticated users.active-public
users can authenticate active-public auth methods and active-public auth methods are listed for unauthenticated users.
Before changing the state of an auth-method, Boundary will retrieve the Provider’s discovery document for the auth method’s issuer and attempt to validate the auth-method’s configuration against this published information. If Boundary is unable to validate the configuration an error is returned and the state change is not made.
If a change is made from active-public or active-private to inactive, all in-flight authentications will succeed unless the auth method’s configuration is modified while the request is in-flight.
When changing an auth method's state using boundary auth-methods change-state
the -disable-discovered-config-validation
flag is used to disable validation
against the provider’s published discovery document. This allows for the very
rare occurrence when the Provider has published an invalid discovery document.
Activate the OIDC auth method
Now that a new OIDC method has been created, it can be activated and assigned as the default login type for the global scope.
Currently the login type is set as inactive, and won't allow authentication.
$ boundary authenticate oidc -auth-method-id amoidc_oHt4HQFCrNError from controller when performing authentication start Error information: Kind: Internal Message: authmethod_service.(Service).authenticateOidcStart: Error generating parameters for starting the OIDC flow.: unknown: error #500 Status: 500 context: Error from controller when performing authentication start
Auth methods can be activated using the Admin Console UI, CLI, or using Terraform.
Before the new auth method will be allowed it must be set to an active state.
Under the settings for the new auth method, select Inactive from the menu in the upper-right side of the page and change its state by clicking Public.
The login type will now allow be allowed.
Set OIDC as primary login
Global and organization scopes may have auth methods in Boundary, and each scope has one primary auth-method ID. Boundary will automatically create a user upon first successful authentication using the scope’s primary auth method, which will be used by scopes with only one auth method available.
When migrating the database, Boundary will produce a log of any auth methods which resulted in no primary auth method being set for the scope.
Set the new OIDC auth method as the primary auth method for the global scope.
Under the settings for the new auth method, select Manage from the menu in the upper-right side of the page.
A confirmation window will be displayed to inform you that new users that sign in using OIDC will automatically be added to the new auth method. Select OK to continue.
Now try authenticating using the newly created OIDC auth method.
Select the admin user menu in the top-right corner of the page and select Deauthenticate.
Next, select the new auth method called Okta, and click Authenticate.
A browser tab should automatically open and prompt you to log in with your Okta user account credentials.
Login Issues
If you experience any issues logging into Okta, such as a 400 Bad Request error, you may be logged into the wrong Okta account. Visit the Okta Dashboard, select your username in the upper-right corner of the window and click Sign Out. Then, revisit the previously opened Authenticate Boundary browser tab and click Retry to log back into Okta with the new user account credentials.
After successful authentication you are automatically redirected to the Admin Console. Notice the restricted permissions for this new user, which can be updated and assigned using Roles and Groups.
If you were to log back into the Admin Console as the admin user, you would notice the new OIDC user has automatically been added under the Users view.
Next you will review the various methods that can be used to authenticate to Boundary using the new OIDC auth method.
Authenticate using OIDC
With the OIDC provider configured, Boundary users can authenticate using the CLI, Admin Console or Boundary Desktop app. Boundary administrators will usually follow a CLI or Admin Console workflow, while clients and end-users can use the CLI or Desktop application.
The Boundary Desktop app is currently available for MacOS and Windows users.
Launch the Boundary Desktop app and enter the Boundary Cluster URL.
Launch the Boundary Desktop app and enter
http://localhost:9200
as the Cluster URL, then click Submit.Select Okta and click Authenticate.
A browser window should launch and prompt for your provider's user credentials. You may see an "Authentication Pending" message, and can click the "Retry" button to force a new authentication tab to open.
Submit your OIDC provider user credentials.
You should receive a "Successful Authentication" message.
Once authenticated, open the Boundary Desktop app again and verify the authenticated user in the upper-right corner of the application window.
It is expected for this user to be unprivileged, and to be denied access to view targets and sessions. The OIDC user could be updated to include new privileges if an admin user assigns it to a role.
You have now completed OIDC integration with the Boundary Desktop app.
Cleanup and teardown
Warning
If you plan on completing the Manage IdP Groups tutorial, leave the current configuration running. Successful completion of this tutorial is a pre-requisite for the Manage IdP Groups tutorial.
If you are not continuing on to the next tutorial, tear down the environment:
1. Stop Boundary dev mode
Locate the shell where boundary dev
was run and enter ctrl+c
to stop dev
mode.
^C==> Boundary dev environment shutdown triggered[INFO] worker: status ticking shutting down[INFO] controller: terminating completed sessions ticking shutting down[INFO] controller: closing expired pending tokens ticking shutting down[INFO] controller: status ticking shutting down[INFO] controller: recovery nonce ticking shutting down
2. Delete any sample applications from your OIDC provider.
This tutorial provided steps for configuring an Okta sample applications as Boundary auth methods. Revisit the provider settings and delete any sample applications you no longer need.
3. Delete any test users from your OIDC provider.
This tutorial created sample users within Okta to authenticate using the CLI, Admin Console or Desktop app. Revisit the Okta settings and remove any test users created for this tutorial.
4. Delete any test client secrets from your OIDC provider.
This tutorial may have created client secrets within Okta. Revisit the provider settings and remove any client secrets created for this tutorial.
Next steps
This tutorial demonstrated the steps to add an OIDC authentication method and create a new user. You set up a provider application to authenticate with Boundary, and verified that you can authenticate using the newly created user.
Next, check out the Manage IdP Groups tutorial to learn about automatically managing group membership claims with OIDC auth methods.
To learn more about the basics of managing user accounts, check out the Manage Users and Groups and Manage Roles tutorials.