Okta SSO Setup

This feature requires an Enterprise license. To upgrade, contact Redpanda sales.

Integrating Redpanda Console with Okta allows your users to use their Okta identities to sign in to Redpanda Console. This guide is based on the assumption that you already have an Okta account and permissions to create applications within your organization.

Create an OpenID connect application

Refer to the Okta guide to create an application integration for Redpanda Console. As you follow the guide to create the Okta integration, use the following inputs when prompted:

The following configurations are based on the assumption that you want to host Redpanda Console so that it is accessible using https://console.yourcompany.com.
  • Redirect URI: https://console.yourcompany.com/login/callbacks/okta

  • Logout Redirect URI: https://console.yourcompany.com

  • Sign-in method: OIDC - Open ID Connect / Application type: Web Application

  • Assignments: Select groups that shall be able to use Redpanda Console (authorization can be made more granular using Redpanda Console’s RBAC system)

When you create the Okta application you should be able to access the application’s client credentials (client ID and client secret). Put the following credentials into your Redpanda Console configuration:

login:
  enabled: true

  # jwtSecret is a random string of at least 10 characters that must be the same for all Console instances.
  # This string is used to sign and validate the user session JSON Web Tokens (JWT).
  # If this string changes, logged-in Console users will be logged out and will have to initiate a
  # new session by logging in again.
  jwtSecret: ""

  okta:
    enabled: true
    # URL to the OIDC endpoint, e.g. "https://yourcompany.com.okta.com"
    url: ""
    clientId: ""
    # ClientSecret is sensitive. You can provide this config also via the
    # the environment variable LOGIN_OKTA_CLIENTSECRET
    clientSecret: ""
    # The directory config is only required if you want to use Okta
    # groups in your role bindings. Described further in the next section.
    # directory:
    #   apiToken: ""

RBAC Okta groups sync

If you want to bind roles to Okta groups, you must set up an API token in Okta so that Redpanda Console can retrieve groups and their memberships using the Okta API. To create an API token, refer to the Okta guide. After completing the steps in the guide, insert the created API token into the configuration:

login:
  okta:
    # The directory config is only required if you want to use Okta
    # groups in your role bindings.
    directory:
      apiToken: ""

Define role bindings

After setting up the Okta login configuration, you can bind Okta users or groups to roles. Following is a sample role binding:

roleBindings:
  - metadata:
      name: Developers
    subjects:
      - kind: group
        provider: Okta
        name: 00qri1afoAa12G9js04x6 # Okta group id
      - kind: user
        provider: Okta
        name: joe@yourcompany.com # Okta user login
    roleName: editor