OKTA

Warning

This feature is currently in Beta.

Introduction

In this article, you’ll learn how to integrate OKTA with an Acreto Ecosystem. The OKTA integration allows your Acreto Ecosystem to utilize the user credentials managed by OKTA to connect to the Ecosystem using Acreto TLS Client.

It uses the LDAPS (LDAP Secure) protocol and the OKTA LDAP Interface which can be deployed on the OKTA account.

Steps

This process involves the following steps:

  1. Enable OKTA LDAP Interface
  2. Configure Acreto Ecosystem
  3. Define Security Policies
  4. Test the integration

How OKTA integration works

The integration uses the LDAP service account credentials to retrieve the user’s distinguished name (DN) from the LDAP server. Given the user’s DN value, the integration then reconnects with LDAP using the user’s DN and password.

In the diagram below, you can see the communication flow between an Employee (trying to connect to the Ecosystem using Acreto TLS Client), the Acreto Ecosystem and the OKTA LDAP Interface.

sequenceDiagram
    Employee->>Ecosystem: Hello Ecosystem, can I connect? Here is my password.
    Ecosystem->>OKTA LDAP Interface: Hello OKTA, can Employee connect? Here is Employee's password.
    OKTA LDAP Interface->>OKTA API: Let me know if these credentials are correct.
    OKTA API->>OKTA LDAP Interface: Yes, they are.
    OKTA LDAP Interface->>Ecosystem: Sure, let the Employee in!
    Ecosystem->>Employee: Welcome!

Info

The integration never stores users' passwords (except the password provided during Identity Provider configuration).

The integration uses a read-only connection that never writes to OKTA. It only queries for information.
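The two-step flow described above (service-account bind, lookup of the user's DN, re-bind as that DN), as an added example that is not Acreto's or OKTA's code. It runs against a small in-memory stand-in for the OKTA LDAP Interface so it works offline; the `uid` attribute name, the DNs and the passwords are constructed sample values, not values from this page.

```python
def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515),
    so a username such as 'a)(uid=*' cannot change the query."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\0' else ch for ch in value)


class FakeLdapInterface:
    """Minimal stand-in for an LDAPS server: bind(dn, password) and a
    search for a (uid=<value>) filter under a base DN. Constructed for
    this example only; a real deployment talks LDAPS to OKTA."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {"uid": ..., "password": ...}

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and password != '' and entry['password'] == password

    def search(self, base_dn, ldap_filter):
        # Only the (uid=<escaped>) filter shape built below is understood.
        assert ldap_filter.startswith('(uid=') and ldap_filter.endswith(')')
        wanted = ldap_filter[5:-1]
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base_dn) and escape_filter_value(e['uid']) == wanted]


def authenticate(ldap, service_dn, service_password, user_base_dn, username, password):
    """Return (ok, reason_or_dn). Step 1: bind as the read-only service
    account and look up the user's DN. Step 2: re-bind as that DN with the
    user's password. The user's password is only used for the bind and is
    never stored."""
    if password == '':
        # An empty password would be an unauthenticated bind (RFC 4513), which
        # some servers accept as anonymous; reject it before touching LDAP.
        return False, 'empty password'
    if not ldap.bind(service_dn, service_password):
        return False, 'service account bind failed'
    matches = ldap.search(user_base_dn, '(uid=%s)' % escape_filter_value(username))
    if len(matches) != 1:
        return False, 'user not found' if not matches else 'ambiguous user'
    if not ldap.bind(matches[0], password):
        return False, 'invalid credentials'
    return True, matches[0]


# Constructed sample directory (hypothetical org, users and passwords).
BASE_DN = 'ou=users,dc=example,dc=okta,dc=com'
SERVICE_DN = 'uid=svc-acreto,' + BASE_DN
SAMPLE_DIRECTORY = FakeLdapInterface({
    SERVICE_DN: {'uid': 'svc-acreto', 'password': 'svc-secret'},
    'uid=alice,' + BASE_DN: {'uid': 'alice', 'password': 'alice-pw'},
})
```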

Limitations

  1. All authentication requests originate from Acreto Ecosystem addresses. Therefore, it’s not possible to implement granular network-based access control on OKTA. See the relevant article in the OKTA documentation.

  2. We recommend using the OKTA Verify Push verification method for multifactor authentication. If you want to use other methods, see Use multifactor authentication with the LDAP Interface.

Prerequisites

To proceed with setting up OKTA for Acreto Ecosystems, you need:

  1. An OKTA account with admin rights
  2. An Acreto Ecosystem that you have created and logged in to

You should also be familiar with:

  1. Acreto Identity Providers Overview
  2. OKTA documentation: Set up and manage the LDAP Interface

How To

Step 1: Enable OKTA LDAP Interface

To configure your OKTA account, you need to enable the OKTA LDAP Interface. Go through the following procedures:

  1. Enable the OKTA LDAP Interface
  2. Read the OKTA LDAP configuration details:
    1. In the Admin Console, go to Directory > Directory Integrations.
    2. Select LDAP Interface.
    3. Note the displayed information.
  3. Create an OKTA Third-Party Administrator account with the read-only administrator role. This administrator account will be used by the Acreto Ecosystem to authenticate with OKTA.

Tip

Ensure that the Third-Party Administrator account you created is not challenged with OKTA Multifactor Authentication for requests originating from your Ecosystem IP addresses. You also need to whitelist the following addresses in the server section of the Identity Provider creation page in step 2.

Step 2: Configuration of Acreto Ecosystem

  1. Add New Identity Provider

    To add a new Identity Provider:

    1. Select Objects and Identity Providers from the left menu.
    2. Click on “Add New”.
    3. Fill in the following information:
      1. Name and Description
      2. Host, User Base DN, Group Base DN - as shown on the OKTA LDAP Interface settings screen
      3. Username and Password - credentials of the OKTA Third-Party Administrator account created in step 1
    4. Save your changes.
  2. Create a Security Policy to allow traffic sent by your users

    When you create a new Identity Provider, a new Profile Group is created with a name containing the Identity Provider name, for example: Identity Provider LDAP001 (fa45). By default, all users authenticated with this Identity Provider are assigned to that Profile Group.

    To allow traffic from your users authenticated by that Identity Provider, select this Profile Group in the Source field of the Security Policy. For detailed instructions on creating a Security Policy, see Create first security policy.

  3. Commit your changes

Step 3: Testing

To test the integration:

  1. Generate an Onboarding Portal Link
  2. Open the generated Onboarding Portal Link and follow the instructions
  3. Connect to your Ecosystem using the username and password managed by OKTA

To get more information about the end-user onboarding experience, see the onboarding documentation.

Next steps

  1. Customize your security policies
  2. Define mappings of LDAP groups to Identity Provider groups
  3. Send invitations to your users

Summary

Thanks to Acreto and OKTA Identity Provider Integration, users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.

See also

  1. OKTA documentation: Set up and manage the LDAP Interface