8.10.1 Integrate with Okta

Below is a step-by-step tutorial on integrating the Okta identity provider (IdP) with MetaDefender Vault using the OpenID Connect protocol (authorization code flow).

  1. Sign in to Okta and navigate to the admin dashboard.

  2. Go to Applications and select Add application.

  3. Choose the Web application type and click Next.

  4. Configure the application settings. Give the application a name, for example “Vault App”.

  5. Base URI should point to the URL of the MetaDefender Vault instance.

  6. To find the Login redirect URI

    1. Go to the MetaDefender Vault web console and navigate to Settings → Single Sign-On

    2. Turn on Enable Single Sign-On

    3. Leave Ignore Certificate Issues turned off. Okta serves a certificate from a publicly trusted CA, and disabling certificate validation would allow an attacker on the path to Okta to impersonate the IdP and capture the sign-in exchange.

    4. Turn on Load User Profile so that MetaDefender Vault can acquire the following claims:

      1. name

      2. email

      3. preferred_username

      4. given_name

      5. family_name

    5. Authority should point to your Okta Org URL (the https address of your Okta tenant), which you can find in the Okta dashboard

    6. IP Address or Domain should point to the location of your Vault instance. Once you fill in this information, Vault automatically generates the Redirect URI

    7. Copy the Redirect URI, go back to the Okta application settings and paste it into Login redirect URIs (step 6). The value must match the one Vault generated exactly, including scheme and path, because Okta only redirects to URIs registered for the application.

  7. You should now have a configuration similar to this:

  8. Logout redirect URIs do not need to be configured, as Vault does not currently support single logout.

  9. You can configure Group assignments as desired.

  10. Under Grant type allowed, make sure that Authorization Code is checked. Vault uses the authorization code flow, so no other grant type is needed.

  11. Click Done to finish creating the Okta app.

  12. You will be redirected to the app you just created. On the General tab, scroll down to the Client Credentials section.

  13. Copy the Client ID and Client secret and enter them in the MetaDefender Vault SSO configuration. Treat the client secret as a credential: it authenticates Vault to Okta when the authorization code is exchanged for tokens, so store it only in Vault and rotate it in Okta if it is ever exposed.

  14. Administrator Emails: if some Okta users should have administrative rights in Vault, enter a list of their email addresses in this field. MetaDefender Vault compares the email of each user who logs in through Okta against this list to decide whether the user is an administrator. Because the decision rests solely on the email claim, list only addresses that are managed by your Okta administrators.

  15. You do not need to specify additional integration scopes.

  16. Once everything is ready, click Update.

  17. Log out of MetaDefender Vault.

  18. You will notice a new LOGIN WITH SSO button on the login page.

  19. Click LOGIN WITH SSO. You should be redirected to Okta to log in. Once logged in, you will be redirected back to MetaDefender Vault and signed in automatically.
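To make the checks behind the steps above concrete, the following added example (not MetaDefender Vault or Okta code) walks through the relying-party side of the flow the tutorial configures: the authorization request built from the Authority, Client ID and Redirect URI; the state check on the callback to the Redirect URI; validation of the ID token claims (issuer, audience, nonce, expiry and the five profile claims Load User Profile provides); and the Administrator Emails comparison. The org URL, client ID, redirect path, admin list and sample claims are constructed placeholders, and the authorize endpoint path is the Okta org authorization server's default, which in practice should be read from the discovery document. Signature verification of the ID token against the issuer's JWKS is assumed to have happened before these checks and is not shown.

```python
"""Added example (not MetaDefender Vault or Okta code): the relying-party
side of the Authorization Code flow configured above. All names, URLs and
the sample claims are constructed for illustration."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-ins for the values entered in the tutorial.
AUTHORITY = "https://example.okta.com"                   # Okta Org URL ("Authority")
CLIENT_ID = "0oa0examplec1ient1d"                         # Okta app Client ID
REDIRECT_URI = "https://vault.example.com/sso/callback"  # Vault-generated Redirect URI (assumed path)
ADMIN_EMAILS = ["Alice.Admin@example.com"]               # "Administrator Emails" field
# Claims Vault acquires when "Load User Profile" is enabled.
REQUIRED_CLAIMS = ("name", "email", "preferred_username", "given_name", "family_name")


def build_authorize_url(state: str, nonce: str) -> str:
    """Authorization request Vault sends the browser to. The endpoint path is the
    Okta org authorization server's default; in practice take it from
    {AUTHORITY}/.well-known/openid-configuration."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",          # Authorization Code grant only
        "scope": "openid profile email",  # profile + email cover the five claims
        "redirect_uri": REDIRECT_URI,     # must equal the registered Login redirect URI
        "state": state,                   # CSRF binding for the callback
        "nonce": nonce,                   # replay binding for the ID token
    }
    return f"{AUTHORITY}/oauth2/v1/authorize?{urlencode(params)}"


def validate_callback(callback_url: str, expected_state: str) -> str:
    """Parse the browser's return to the Redirect URI and extract the code."""
    parts = urlsplit(callback_url)
    if (parts.scheme, parts.netloc, parts.path) != urlsplit(REDIRECT_URI)[:3]:
        raise ValueError("callback did not arrive at the registered Redirect URI")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"Okta returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def validate_id_token_claims(claims: dict, expected_nonce: str, now=None) -> dict:
    """Checks on the decoded ID token payload received from the token endpoint.
    Assumes the JWT signature was already verified against the issuer's JWKS."""
    now = time.time() if now is None else now
    if claims.get("iss") != AUTHORITY:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("ID token was not issued for this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        raise ValueError(f"profile claims missing (is Load User Profile on?): {missing}")
    return {c: claims[c] for c in REQUIRED_CLAIMS}


def is_admin(email: str) -> bool:
    """Exact, case-insensitive comparison against the Administrator Emails list."""
    wanted = email.strip().lower()
    return any(wanted == entry.strip().lower() for entry in ADMIN_EMAILS)


def rejects(func, *args) -> bool:
    """True if the check raises ValueError (used to exercise the failure paths)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(state, nonce))
    # Constructed callback and ID-token payload, shaped like Okta's responses.
    code = validate_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    sample_claims = {
        "iss": AUTHORITY, "aud": CLIENT_ID, "nonce": nonce, "exp": time.time() + 3600,
        "name": "Alice Admin", "email": "alice.admin@example.com",
        "preferred_username": "alice.admin@example.com",
        "given_name": "Alice", "family_name": "Admin",
    }
    profile = validate_id_token_claims(sample_claims, nonce)
    role = "administrator" if is_admin(profile["email"]) else "user"
    print(f"code={code} user={profile['preferred_username']} role={role}")
```

The admin comparison is deliberately an exact match after case folding and whitespace trimming: a substring or prefix match would let a user whose address merely contains an administrator's address gain the role. The callback check rejects both a state mismatch and a return to any host or path other than the registered Redirect URI, which is the same exactness Okta enforces on its side.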