Okta Integration with Sensu Server

1.0 Introduction

The purpose of this guide is to describe the steps to integrate a Sensu server with Okta for OpenID Connect (OIDC) based authentication.

2.0 Integration Steps

This section describes how to configure Okta and Sensu, and how to test the integration.

2.1 Configuration in Okta

  1. Log in to the Okta admin console and go to Applications.

  2. Click the App Integration option.

    1. Select the OIDC option as the Sign-in method.

    2. Select Web Application as the Application type.

      Figure 1: App integration options

    3. Click Next.

  3. On the New Web App Integration page, fill in the following information:

    1. App integration name - Type sensu as the value.

    2. Grant type - Select the Refresh Token option.

    3. Sign-in redirect URIs - http://<api-url>/authorization-code/callback
      Where <api-url> is the address of the Sensu API, generally <server-ip>:8080.

    4. Assignments - Select the Skip group assignment for now option.

  4. Click Save.

    Figure 2: Web app integration options

  5. A new Web App Integration is now created. Click the app and copy the Client ID, Client secret, and Okta domain to a notepad.

    Figure 3: Copy client credentials

  6. Next, click the Assignments tab and add people/group assignments as required.

    Figure 4: Add people and group assignments

2.2 Configuration in Sensu

  1. Create an oidc.yml file with all the information copied from Okta.
    Here is a sample oidc.yml file:

    type: oidc
    api_version: authentication/v2
    metadata:
      name: okta                                # name of this auth provider in Sensu
    spec:
      additional_scopes:                        # scopes requested in addition to openid
      - email
      - groups
      client_id: 0oael74dwhAImBVfk696                          # Client ID copied from Okta
      client_secret: tfbocOodGFnxefgydm4yFSjDSLvpw_mv41vI1QLM  # Client secret copied from Okta
      redirect_uri: http://54.151.121.234:8080/api/enterprise/authentication/v2/oidc/callback  # Sensu callback; must match the URI registered in Okta exactly
      server: https://fortanixsdkms.okta.com    # Okta domain
      disable_offline_access: false             # false: request the offline_access scope (refresh tokens)
      username_claim: email                     # ID token claim used as the Sensu username
      groups_claim: groups                      # ID token claim used for Sensu groups
      username_prefix: 'oidc:'                  # users appear in Sensu as oidc:<email>
      groups_prefix: 'oidc:'                    # groups appear in Sensu as oidc:<group>

    Where,

  2. Next, create OIDC authentication using the following command:

    sensuctl create --file oidc.yml

    Check if the OIDC authentication is created using the following command:

    sensuctl auth list

  3. Now create a role and a role binding for the user or group.
    For example, to give the user [email protected] read-only access, first create a read-only role:

    sensuctl role create readonlyuser --namespace default --resource=checks,entities,events --verb=get,list

    Create a role binding on the user:

    sensuctl role-binding create rbokta --user oidc:[email protected] --role readonlyuser --namespace default
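Two details in the steps above fail silently when they are wrong: the role binding must name exactly the subject Sensu builds from username_prefix and the username claim, and the redirect_uri in oidc.yml must appear verbatim in Okta's Sign-in redirect URIs (OIDC requires an exact match). The following added example, not part of this guide or of Sensu, checks a constructed copy of the spec for these and a few other common mistakes; the hostnames and credentials are placeholders.

```python
# Constructed stand-in for this guide's oidc.yml spec (placeholder credentials,
# example hostnames); the keys are the Sensu OIDC provider fields used above.
SENSU_OIDC_CALLBACK = "/api/enterprise/authentication/v2/oidc/callback"

OIDC_SPEC = {
    "additional_scopes": ["email", "groups"],
    "client_id": "CLIENT_ID_PLACEHOLDER",
    "client_secret": "CLIENT_SECRET_PLACEHOLDER",
    "redirect_uri": "https://sensu.example.com:8080" + SENSU_OIDC_CALLBACK,
    "server": "https://example.okta.com",
    "disable_offline_access": False,
    "username_claim": "email",
    "groups_claim": "groups",
    "username_prefix": "oidc:",
    "groups_prefix": "oidc:",
}


def expected_subject(spec, claim_value):
    """Username Sensu assigns after login: username_prefix + the username_claim value.
    A role binding must name exactly this string (e.g. --user oidc:alice@example.com)."""
    return spec.get("username_prefix", "") + claim_value


def expected_group(spec, okta_group):
    """Group name Sensu assigns from the groups claim: groups_prefix + the Okta group."""
    return spec.get("groups_prefix", "") + okta_group


def lint_spec(spec):
    """Findings for mistakes that make the login fail or weaken it, in checked order."""
    findings = []
    scopes = set(spec.get("additional_scopes", []))
    if spec.get("username_claim") == "email" and "email" not in scopes:
        findings.append("username_claim is email but the email scope is not requested")
    if spec.get("groups_claim") and "groups" not in scopes:
        findings.append("groups_claim is set but the groups scope is not requested")
    uri = spec.get("redirect_uri", "")
    if not uri.endswith(SENSU_OIDC_CALLBACK):
        findings.append("redirect_uri does not end with the Sensu OIDC callback path")
    if uri.startswith("http://"):
        findings.append("redirect_uri uses plain http, so the authorization code travels unencrypted")
    if not spec.get("server", "").startswith("https://"):
        findings.append("server (the Okta issuer) must be an https URL")
    return findings


def redirect_uri_registered(spec, okta_redirect_uris):
    """True only if the oidc.yml redirect_uri appears verbatim in Okta's Sign-in redirect
    URIs; any difference (path, scheme, port) makes Okta reject the authorization request."""
    return spec.get("redirect_uri") in okta_redirect_uris
```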

2.3 Test the Integration

  1. Log in to the Sensu app and click the SIGN-IN WITH OKTA button.

    Figure 5: Sign in with Okta

  2. After you log in as an Okta user, you should be able to view the Sensu dashboard with the required “view” privileges.

    Figure 6: Sensu dashboard