1.0 Introduction
The purpose of this guide is to describe the steps to integrate the Sensu server with Okta for OpenID Connect (OIDC) based authentication.
2.0 Integration Steps
This section describes how to configure Okta and Sensu, and how to test the integration.
2.1 Configuration in Okta
1. Log in to the Okta admin console and go to Applications.
2. Click the App Integration option.
   a. Select OIDC as the Sign-in method.
   b. Select Web Application as the Application type.
   Figure 1: App integration options
   c. Click Next.
3. On the New Web App Integration page, fill in the following information:
   a. App integration name - Type sensu as the value.
   b. Grant type - Select the Refresh Token option.
   c. Sign-in redirect URIs - http://<api-url>/authorization-code/callback
      Where the <api-url> for Sensu is generally <server-ip>:8080.
   d. Assignments - Select the Skip group assignment for now option.
4. Click Save.
   Figure 2: Web app integration options
5. A new Web App Integration is now created. Click the app, and copy the Client ID, Client secret, and Okta domain to a notepad.
   Figure 3: Copy client credentials
6. Next, click the Assignments tab and add people/group assignments as required.
   Figure 4: Add people and group assignments
2.2 Configuration in Sensu
Create an oidc.yml file with all the information. Here is a sample oidc.yml file:

type: oidc
api_version: authentication/v2
metadata:
  name: okta
spec:
  additional_scopes:
    - email
    - groups
  client_id: 0oael74dwhAImBVfk696
  client_secret: tfbocOodGFnxefgydm4yFSjDSLvpw_mv41vI1QLM
  redirect_uri: http://54.151.121.234:8080/api/enterprise/authentication/v2/oidc/callback
  server: https://fortanixsdkms.okta.com
  disable_offline_access: false
  username_claim: email
  group_claim: groups
  username_prefix: 'oidc:'
  group_prefix: 'oidc:'

Where client_id, client_secret and server are the values copied from Okta (refer to Step 5 in Section 2.1: Configuration in Okta), and redirect_uri is the Sign-in redirect URI provided in Step 3c in Section 2.1: Configuration in Okta. The two redirect URI values must be identical, since Okta rejects the sign-in if they differ.
Next, create OIDC authentication using the following command:
sensuctl create --file oidc.yml
Check if the OIDC authentication is created using the following command:
sensuctl auth list
Now create a role and a role binding for the user or group. For example, to create a read-only role for the user [email protected]:

Create a read-only role:

sensuctl role create readonlyuser --namespace default --resource=checks,entities,events --verb=get,list

Create a role binding for the user (the oidc: prefix on the user name matches the username_prefix set in oidc.yml):

sensuctl role-binding create rbokta --user oidc:[email protected] --role readonlyuser --namespace default
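Before running sensuctl create, it helps to check the file against the two cross-references above: redirect_uri must equal the Okta Sign-in redirect URI from Step 3c, and username_prefix must match the prefix used in the role binding. The following Python script is an added example, not part of this guide or of Sensu; it uses a small purpose-built parser for the flat YAML subset the sample uses instead of a YAML library, and every value in its SAMPLE is a constructed placeholder.

```python
# Added example (not from the guide): lint a Sensu oidc.yml; all SAMPLE values are placeholders.
SAMPLE = """\
type: oidc
api_version: authentication/v2
metadata:
  name: okta
spec:
  additional_scopes:
    - email
    - groups
  client_id: EXAMPLE_CLIENT_ID
  client_secret: EXAMPLE_CLIENT_SECRET
  redirect_uri: http://sensu.example.internal:8080/api/enterprise/authentication/v2/oidc/callback
  server: https://example.okta.com
  group_claim: groups
  username_prefix: 'oidc:'
"""
def parse_simple_yaml(text):
    # Minimal parser for the subset above ('key: value', bare 'key:' blocks, '- item'); not full YAML.
    stack, pending = [(0, {})], None  # (indent of entries, container); bare key awaiting its block
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        if pending:  # the first nested line decides whether the block is a list or a mapping
            child = [] if line.startswith("- ") else {}
            pending[0][pending[1]] = child
            stack.append((indent, child))
            pending = None
        while stack[-1][0] > indent:  # a dedent closes the nested blocks
            stack.pop()
        box = stack[-1][1]
        if line.startswith("- "):
            box.append(line[2:].strip())
        elif line.endswith(":"):
            pending = (box, line[:-1])
        else:
            key, _, value = line.partition(": ")
            box[key] = value.strip().strip("'\"")
    return stack[0][1]
def lint_oidc_spec(doc, okta_redirect_uri, binding_prefix="oidc:"):
    # Findings that would break the guide's sign-in or its 'oidc:' role binding.
    s, out = doc.get("spec", {}), []
    if s.get("redirect_uri") != okta_redirect_uri:
        out.append("redirect_uri differs from the Sign-in redirect URI registered in Okta")
    if not s.get("server", "").startswith("https://"):
        out.append("server must be the https Okta domain")
    if s.get("group_claim") and "groups" not in s.get("additional_scopes", []):
        out.append("group_claim is set but the groups scope is not in additional_scopes")
    if s.get("username_prefix") != binding_prefix:
        out.append("username_prefix does not match the prefix used in the role binding")
    return out
```

Run lint_oidc_spec(parse_simple_yaml(open("oidc.yml").read()), "<URI from Step 3c>") and fix every finding before creating the provider.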
2.3 Test the Integration
Log in to the Sensu app and click the SIGN-IN WITH OKTA button.
Figure 5: Sign in with Okta
After you are logged in as an Okta user, you should be able to view the Sensu dashboard with the “view” privileges granted by the role binding.
Figure 6: Sensu dashboard