Docs Self-Managed Manage Redpanda Console Configuration Security Authentication Okta You are viewing the Self-Managed v24.3 beta documentation. We welcome your feedback at the Redpanda Community Slack #beta-feedback channel. To view the latest available version of the docs, see v24.2. Okta SSO Setup This section pertains to Redpanda Console in a self-managed deployment, and this feature requires an Enterprise license. To upgrade, contact Redpanda sales. If Redpanda Console has enterprise features enabled and it cannot find a valid license either in its local configuration or in the connected Redpanda cluster, it shuts down. Integrating Redpanda Console with Okta allows your users to use their Okta identities to sign in to Redpanda Console. This guide is based on the assumption that you already have an Okta account and permissions to create applications within your organization. Create an OpenID connect application Refer to the Okta guide to create an application integration for Redpanda Console. As you follow the guide to create the Okta integration, use the following inputs when prompted: The following configurations are based on the assumption that you want to host Redpanda Console so that it is accessible using https://console.<your-company>.com. Redirect URI: https://console.<your-company>.com/login/callbacks/okta Logout Redirect URI: https://console.<your-company>.com Sign-in method: OIDC - Open ID Connect / Application type: Web Application Assignments: Select groups that are authorized to use Redpanda Console (authorization can be made more granular using Redpanda Console’s RBAC system) Edit the console configuration file Edit the console configuration file associated with your deployment method and incorporate the details from your client application. For example, Kubernetes deployments use the values.yaml file. Linux deployments use the redpanda-console-config.yaml file, which is in /etc/redpanda. When you create the Okta application, you should be able to retrieve the application’s client ID and client secret and put them in your Redpanda Console configuration. login: enabled: true # jwtSecret is the secret key you must use to sign and encrypt the JSON # web token used to store user sessions. This secret key is # critical for the security of Redpanda Console's authentication and # authorization system. Use a long, complex key with a combination of # numbers, letters, and special characters. The minimum number of # characters is 10, but Redpanda recommends using more than 32 # characters. For additional security, use a different secret key for # each environment. jwtSecret can be securely generated with the following # command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32 # # If you update this secret key, any users who are # already logged in to Redpanda Console will be logged out and will have # to log in again. jwtSecret: "" okta: enabled: true # URL to the OIDC endpoint; for example, "https://<your-company>.okta.com" url: "" clientId: "" # ClientSecret is sensitive. You can also provide this config by setting # the environment variable LOGIN_OKTA_CLIENTSECRET. clientSecret: "" # The directory config is only required if you want to use Okta # groups in your role bindings. This is described further in the next section. # directory: # apiToken: "" RBAC Okta groups sync To bind roles to Okta groups, you must set up an API token in Okta so that Redpanda Console can retrieve groups and their memberships using the Okta API. To create an API token, refer to the Okta guide. After completing the steps in the guide, insert the created API token into the configuration: login: okta: # The directory config is only required if you want to use Okta # groups in your role bindings. directory: apiToken: "" Define role bindings After setting up the Okta login configuration, you can bind Okta users or groups to roles. Following is a sample role binding: roleBindings: - metadata: name: Developers subjects: - kind: group provider: Okta name: 00qri1afoAa12G9js04x6 # Okta group id - kind: user provider: Okta name: joe@yourcompany.com # Okta user login roleName: editor Suggested labs Enable Plain Login Authentication for Redpanda ConsoleSearch all labs Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution Keycloak Plain