Configuring Okta integration with Venafi as a Service¶
If Okta is your SSO solution, this topic shows you how to configure Okta to integrate with Venafi as a Service™ (Venafi as a Service).
Because you'll be making changes in both the Okta Admin portal and Venafi as a Service, you'll complete the configuration faster if you open both user interfaces side-by-side.
You'll perform three basic tasks:
- Configuring Okta to work with Venafi as a Service
- Testing the connection between Venafi as a Service and Okta
- Adding a Groups claim (Optional)
Configuring Okta to work with Venafi as a Service
Open the Okta Admin portal and create a new application. Select Web as the platform and choose OpenID Connect as the sign-on method.
In General Settings, type Venafi as a Service as the application name.
(Optional) Upload this logo file if you plan on making the application visible to users on the Okta portal page:
- Under Configure OpenID Connect, fill in the Login redirect URIs field with the log in URL from the Venafi as a Service SSO configuration page.
- Save the new application.
- (Optional) If you want to publish the Venafi as a Service application on the Okta portal, do the following:
- Set Login initiated by to Either Okta or App.
- Under Application visibility, select Display application icon to users.
- Leave Login flow as OIDC Compliant.
Set Initiate login URI to the SSO Login URL.
In Client Credentials, copy the Client ID and Client Secret values and paste them into the Venafi as a Service SSO Configuration page.
- Click the Sign On tab of the Venafi as a Service application.
- Under OpenID Connect ID Token, copy the Issuer value and paste it into the Issuer field of the Venafi as a Service SSO Configuration page.
You are now done configuring the Venafi as a Service application in Okta.
The next step is to test your connection.
Testing the connection between Venafi as a Service and Okta
From the Venafi as a Service SSO Configuration page, click Test connection.
Type your enterprise credentials into Okta.
When the authentication succeeds, you're redirected back to the Venafi as a Service SSO Configuration page. From there, you can view the claims that were returned in the OIDC token issued by Okta. 1. Save your SSO configuration.
Your users can now sign in using their SSO credentials.
Adding a Groups claim (Optional)
Adding a Groups claim in Okta allows group membership information to be sent to Venafi as a Service. While Venafi as a Service doesn't yet utilize group membership information, upcoming releases of Venafi as a Service include new features and functionality that will improve the way you define and manage users and groups. Of course, it's up to you!
To configure a Groups claim for sending group information to Venafi as a Service¶
In the Okta Admin portal, click the Sign On tab for the Venafi as a Service application you created earlier.
Configure Groups claim type with either Filter or Expression, depending on how you have your user groups configured in Okta.
It's a good idea to consult your Okta documentation and configure the Groups claim to return all groups to which a user is a member (both locally in Okta, as well as any Active Directory mastered groups, when applicable). Refer to this Okta KB article.
In Venafi as a Service, from the Venafi as a Service SSO Configuration page, under Scopes, add the groups scope so that Venafi as a Service will request the Groups claim.