Okta Authentication in Vault using OpenID Connect (OIDC)

  1. The built-in Okta auth method does not support all of Okta's MFA methods, only Okta Verify push
  2. It requires that Vault has access to an Okta API token
  3. It does not let you assign users to Vault as an Okta chiclet (an app tile on the Okta dashboard)
Demo of logging into Vault using Okta OIDC

0. OpenID Connect 101

Open ID Connect Protocol
Sample JWT from jwt.io

1. Users and Groups

2. Okta Authorization Server

Configuration for new Access Policy Rule
Adding groups claim to ID token

3. Vault Okta Application

ID Token preview

Configuring Vault using Terraform

export VAULT_ADDR=https://<vault-domain>:8200
terraform apply
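The Terraform that is applied here is not reproduced on the page, so the following is an added example of the Vault-side configuration, not the article's own code. It mounts the OIDC auth method at okta_oidc, creates the okta_admin role, restricts it to one Okta group, allows only the CLI and UI callback URLs, and maps the groups claim from the ID token onto an external Vault identity group. The variable names, the Okta group name vault-admins, the policy name admin and the authorization server id default are assumptions made for illustration.

```hcl
# Added example (not the article's Terraform): Vault configuration for Okta OIDC.
# Assumed: variable names, Okta group "vault-admins", policy "admin",
# authorization server id "default".

variable "okta_domain" {}                             # e.g. example.okta.com
variable "okta_auth_server_id" { default = "default" } # custom Okta authorization server
variable "okta_client_id" {}
variable "okta_client_secret" { sensitive = true }
variable "vault_domain" {}                            # hostname used for the UI callback

provider "vault" {}   # reads VAULT_ADDR / VAULT_TOKEN from the environment

# Mount the OIDC method at "okta_oidc". Vault pulls the issuer and signing keys
# from the authorization server's discovery document; no Okta API token is needed.
resource "vault_jwt_auth_backend" "okta_oidc" {
  path               = "okta_oidc"
  type               = "oidc"
  description        = "Okta OIDC login"
  oidc_discovery_url = "https://${var.okta_domain}/oauth2/${var.okta_auth_server_id}"
  bound_issuer       = "https://${var.okta_domain}/oauth2/${var.okta_auth_server_id}"
  oidc_client_id     = var.okta_client_id
  oidc_client_secret = var.okta_client_secret
  default_role       = "okta_admin"

  tune {
    listing_visibility = "unauth" # show the method on the UI login page
    default_lease_ttl  = "1h"
    max_lease_ttl      = "8h"
  }
}

# Policy granted to members of the mapped Okta group (assumed name "admin").
resource "vault_policy" "admin" {
  name   = "admin"
  policy = <<-EOT
    path "sys/auth/*" { capabilities = ["read", "list"] }
    path "secret/*"   { capabilities = ["create", "read", "update", "delete", "list"] }
  EOT
}

# The role users log in with. bound_claims rejects ID tokens whose groups claim
# does not contain the admin group, and only the listed redirect URIs may
# receive the authorization code.
resource "vault_jwt_auth_backend_role" "okta_admin" {
  backend         = vault_jwt_auth_backend.okta_oidc.path
  role_name       = "okta_admin"
  role_type       = "oidc"
  user_claim      = "email"  # becomes the entity alias name
  groups_claim    = "groups" # the custom claim added to the ID token in Okta
  bound_audiences = [var.okta_client_id]
  bound_claims = {
    groups = "vault-admins" # assumed Okta group name
  }
  oidc_scopes = ["openid", "profile", "email", "groups"]
  allowed_redirect_uris = [
    "http://localhost:8250/oidc/callback",                                    # vault CLI
    "https://${var.vault_domain}:8200/ui/vault/auth/okta_oidc/oidc/callback", # Vault UI
  ]
  token_policies = ["default"] # real permissions come from the group mapping below
  token_ttl      = 3600
  token_max_ttl  = 28800
}

# External identity group that receives the "admin" policy. Its alias name must
# equal the Okta group name exactly as it appears in the groups claim.
resource "vault_identity_group" "vault_admins" {
  name     = "okta-vault-admins"
  type     = "external"
  policies = [vault_policy.admin.name]
}

resource "vault_identity_group_alias" "vault_admins" {
  name           = "vault-admins"
  mount_accessor = vault_jwt_auth_backend.okta_oidc.accessor
  canonical_id   = vault_identity_group.vault_admins.id
}
```

With this applied, an Okta user whose ID token carries groups containing vault-admins gets a token with the default and admin policies; a user outside that group is refused at login by bound_claims rather than receiving a token with no useful policy. The group mapping only works if the groups claim is actually present in the ID token, which is what the Okta authorization server configuration above is for.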

Logging in with the CLI

http://localhost:8250/oidc/callback
vault login -method=oidc -path=okta_oidc role=okta_admin
