Skip to main content

Getting Started with the Illumio Console

Configuring Okta as an IdP

Follow these steps to configure Okta as an external identity provider (IdP) via OIDC in your llumio Console instance. Okta can be used as an IdP for both local users and external groups in Illumio Console.

  1. Log into your Okta account.

  2. From the left navigation pane, click Applications > Applications.

  3. At the Applications page, click Create App Integration.

  4. In the Create a new app integration popup:

    1. For Sign-in method, choose OIDC - OpenID Connection.

    2. For Application type, choose Single-Page Application.

    Click Next.

  5. Under the Login section, click Add URI, and enter the Sign-in redirect URI as https://console.illum.io/*, making sure to append the asterisk wildcard.

    okta_sign-in_redirect.png

    This value is used by Okta to allow a browser redirect from the Illumio application to Okta.

  6. Select your Granted Access.

  7. Click Save.

  8. Scroll to the bottom of the page, and under the Assignments section, disable Federation Broker Mode by clearing the checkbox.

    okta_federation_broker.png

    Click Continue at the Disable Federation Broker Mode? confirmation popup.

  9. Click Save at the bottom of the page to save your authorization application.

  10. On the details page for your new application, the General tab now shows the Client ID and Issuer ID values for the application. The Issuer URI consists of the Issuer ID with "https://" added in front of it. In the example shown below, the Issuer URI is https://trial-8581813.okta.com.

    okta_issuer_id.png

    Copy the Client ID and Issuer URI values because you must enter them when you finish configuring the authentication at the Illumio Console OIDC page (Access > Authentication). See Authenticating Users with OIDC. You will also use the Client ID when you update the Authorization Server for this application, later in this procedure.

Additional information about your OIDC Application (or assigning users to your Okta IdP App for Illumio Console)

After creating and configuring an Okta App to serve as an IdP for your Illumio Console instance, you can assign People and Groups to the app. These appear in Illumio Console as external users and external groups, respectively.

  1. At your Okta application details page (Applications > Applications), click Assignments.

  2. List people to add. Either click People under the Filters heading , or click the Search field, Choose People from pull-down menu and enter a specific name in Search.

  3. Assign the Everyone group to your Okta app.

    You must assign the Everyone group, to ensure the People type of Individual can properly access the application, and therefore access the Illumio Console it is configured to.

Update Authorization Server

  1. In left navigation pane, go to Security > API.

  2. Click Authorization Servers tab.

  3. Click Add Authorization Server.

  4. Click the pencil icon to edit the default API.

  5. On the details page for the default API, at the Settings tab, enter in the Audience field the Client ID value of your OIDC application you created earlier.

  6. Click Save.

  7. Click Claims tab, to add the following claims to the ID token:

    1. Add groupNames claim, with value type Groups.

    2. Add firstName claim, with value type Expression, and value user.firstName.

    3. Add lastName claim, with value type Expression, and value user.lastName.

Add a Trusted Origin

  1. In left navigation pane, go to Security > API.

  2. Click Trusted Origins tab.

  3. Under Filters, choose Redirect.

  4. At the Add Origin popup, complete the following entries:

    1. Origin Name -- of your Okta app

    2. Origin URL -- https//www.illium.io

    3. Cross-Origin Resource Sharing (CORS) -- Enable

    4. Redirect -- Enable

  5. Click Save.