Okta Integration with Sensu Server

1.0 Introduction

The purpose of this guide is to describe steps to integrate Sensu server with Okta for Open ID Connect (OIDC) based authentication.

2.0 Integration Steps

This section describes how to configure Okta, Sensu, and test the integration.

2.1 Configuration in Okta

  1. Log in to the Okta admin console and go to Applications.
  2. Click the App Integration option.
    1. Select the OIDC option as the Sign-in method.
    2. Select Web Application as the Application type.
      Figure 1: App integration options
    3. Click Next.
  3. On the New Web App Integration page, fill in the following information:
    1. App integration name: Type sensu as the value.
    2. Grant type: Select the Refresh Token option.
    3. Sign-in redirect URIs: http://<api-url>/authorization-code/callback
      Where <api-url> is the Sensu API URL, which is generally <server-ip>:8080.
    4. Assignments: Select the Skip group assignment for now option.
  4. Click Save.
    Figure 2: Web app integration options
  5. A new Web App Integration is now created. Click the app, and copy the Client ID, Client secret, and Okta domain to a notepad.
    Figure 3: Copy client credentials
  6. Next, click the Assignments tab and add people/group assignments as required.
    Figure 4: Add people and group assignments

2.2 Configuration in Sensu

  1. Create an oidc.yml file with all the information.
    Here is a sample oidc.yml file:
    type: oidc
    api_version: authentication/v2
    metadata:
      name: okta
    spec:
      additional_scopes:
      - email
      - groups
      client_id: 0oael74dwhAImBVfk696
      client_secret: tfbocOodGFnxefgydm4yFSjDSLvpw_mv41vI1QLM
      redirect_uri: http://54.151.121.234:8080/api/enterprise/authentication/v2/oidc/callback
      server: https://fortanixsdkms.okta.com
      disable_offline_access: false
      username_claim: email
      group_claim: groups
      username_prefix: 'oidc:'
      group_prefix: 'oidc:'
    Where,
  2. Next, create the OIDC authentication provider using the following command:
    sensuctl create --file oidc.yml
    Check that the OIDC authentication provider was created using the following command:
    sensuctl auth list
  3. Now create a role and a role binding for the user or group:
    For example, to create a read-only role for the user rose.bush@fortanix.com:
    Create a read-only role:
    sensuctl role create readonlyuser --namespace default --resource=checks,entities,events --verb=get,list
    Create a role binding for the user (the user name carries the oidc: prefix configured as username_prefix in oidc.yml):
    sensuctl role-binding create rbokta --user oidc:rose.bush@fortanix.com --role readonlyuser --namespace default
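    The following is an added example, not part of this guide and not Fortanix, Sensu or Okta code. It is a pre-flight check to run before `sensuctl create --file oidc.yml`: it parses the flat YAML layout of the sample file above with a small stdlib-only parser, flags the settings that most often make an Okta sign-in fail silently (redirect_uri not matching the Sensu API URL or callback path, plain-http callback, empty username_prefix, group_claim requested without the groups scope), and derives the exact subject names that the role binding in step 3 must use. The sample file is constructed to mirror the one in the guide, with placeholder client credentials; the callback path is taken from the sample redirect_uri above.

```python
"""Pre-flight validation for a Sensu OIDC provider file (oidc.yml).

Added example (not Fortanix, Sensu or Okta code). Stdlib only, so it runs offline.
"""
from urllib.parse import urlparse

# Constructed sample mirroring the oidc.yml layout in the guide; the client_id and
# client_secret are placeholders, not real credentials.
SAMPLE_OIDC_YML = """\
type: oidc
api_version: authentication/v2
metadata:
  name: okta
spec:
  additional_scopes:
  - email
  - groups
  client_id: 0oaEXAMPLECLIENTID
  client_secret: EXAMPLE_CLIENT_SECRET_PLACEHOLDER
  redirect_uri: http://54.151.121.234:8080/api/enterprise/authentication/v2/oidc/callback
  server: https://fortanixsdkms.okta.com
  disable_offline_access: false
  username_claim: email
  group_claim: groups
  username_prefix: 'oidc:'
  group_prefix: 'oidc:'
"""

# Callback path used by the sample redirect_uri in the guide (assumed to be the expected one).
CALLBACK_PATH = "/api/enterprise/authentication/v2/oidc/callback"


def _scalar(value):
    """Strip surrounding quotes and turn true/false into booleans."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def parse_simple_yaml(text):
    """Parse nested maps and lists of scalars (enough for oidc.yml); not a general YAML parser."""
    root = {}
    # Each frame is (indent, parent_mapping, key): parent_mapping[key] is the container being filled.
    stack = [(-1, {"root": root}, "root")]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if line.startswith("- "):
            # A list item may sit at the same indent as its key, so only pop deeper frames.
            while len(stack) > 1 and indent < stack[-1][0]:
                stack.pop()
            _, parent, key = stack[-1]
            if parent[key] is None:
                parent[key] = []
            parent[key].append(_scalar(line[2:]))
            continue
        while len(stack) > 1 and indent <= stack[-1][0]:
            stack.pop()
        _, parent, key = stack[-1]
        if parent[key] is None:
            parent[key] = {}
        mapping = parent[key]
        k, _, v = line.partition(":")  # split on the first colon only; values may contain URLs
        if v.strip() == "":
            mapping[k.strip()] = None  # filled by the following indented lines
            stack.append((indent, mapping, k.strip()))
        else:
            mapping[k.strip()] = _scalar(v)
    return root


def validate_oidc(doc, api_url, callback_path=CALLBACK_PATH):
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    spec = doc.get("spec") or {}
    if doc.get("type") != "oidc" or doc.get("api_version") != "authentication/v2":
        findings.append("type must be oidc and api_version must be authentication/v2")
    for key in ("client_id", "client_secret", "server", "redirect_uri", "username_claim"):
        if not spec.get(key):
            findings.append(f"spec.{key} is missing or empty")
    if urlparse(spec.get("server", "")).scheme != "https":
        findings.append("server must be the https:// Okta domain")
    redirect, api = urlparse(spec.get("redirect_uri", "")), urlparse(api_url)
    if redirect.netloc != api.netloc:
        findings.append(f"redirect_uri host {redirect.netloc!r} does not match the Sensu API URL {api.netloc!r}")
    if redirect.path != callback_path:
        findings.append(f"redirect_uri path must be {callback_path}")
    if redirect.scheme != "https":
        findings.append("redirect_uri uses plain http; the authorization code would travel unencrypted")
    if not spec.get("username_prefix"):
        findings.append("username_prefix is empty; OIDC users could collide with local Sensu users")
    if spec.get("group_claim") and "groups" not in (spec.get("additional_scopes") or []):
        findings.append("group_claim is set but the groups scope is not requested")
    return findings


def rbac_subjects(doc, user_email=None, group=None):
    """Exact subject names a role binding must use: the configured prefix plus the claim value."""
    spec = doc["spec"]
    subjects = {}
    if user_email:
        subjects["user"] = spec.get("username_prefix", "") + user_email
    if group:
        subjects["group"] = spec.get("group_prefix", "") + group
    return subjects


if __name__ == "__main__":
    doc = parse_simple_yaml(SAMPLE_OIDC_YML)
    for finding in validate_oidc(doc, "http://54.151.121.234:8080"):
        print("WARN:", finding)
    print(rbac_subjects(doc, user_email="rose.bush@fortanix.com", group="sensu-viewers"))
```

    Run it against your own file by replacing SAMPLE_OIDC_YML with the file's contents and passing the Sensu API URL you entered in Okta. On the sample it reports only that the callback uses plain http, and prints the subject `oidc:rose.bush@fortanix.com`, which is the value the `--user` flag of the role binding must carry; a binding created for the bare e-mail address never matches the OIDC identity. Because the sample sets `disable_offline_access: false`, Sensu requests a refresh token, which is why the Okta app needs the Refresh Token grant selected in section 2.1.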

2.3 Test the Integration

  1. Log in to the Sensu app and click the SIGN-IN WITH OKTA button.
    Figure 5: Sign in with Okta
  2. After you are logged in as an Okta user, you should be able to view the Sensu dashboard with the required "view" privileges.
    Figure 6: Sensu dashboard
