Skip to main content

Getting Started with the Illumio Console

Using Okta to Add External Groups

Prerequisites: Create an account on Okta, and create an authorization application there for your Illumio Console instance. For details, see Configuring Okta as an IdP.

Note

When you create your Okta authorization application for your Illumio Console instance, make sure to copy and save the Client ID and Issuer URL values that are generated for your Okta application.

When you add an authorization server to your Okta application, make sure to add the following claims to its ID token (at Security > API > Add Authorization Server under the Claims tab):

  • groupNames (with value type Groups)

  • firstName (with value type Expression, and value user.firstName)

  • lastName (with value type Expression, and value user.lastName)

Follow this workflow to configure Okta as the IdP for your external groups:

Create a Group in Okta

  1. Log into your Okta application

  2. Go to Directory > Groups.

  3. Click Add Group.

  4. Enter a Name and an optional Description.

    add_group.png

    Use this Okta application group Name when you add this external group to your Illumio Console.

  5. Click Save.

Add a User and Assign the User to an Okta Group

Log into your Okta application and add users into your Okta group.

  1. Go to Directory > People.

  2. Click Add Person.

  3. At the Add Person popup, enter the user details, and click Save.

    You can continue to add users by clicking Save and Add Another.

  4. Click Directory > Groups.

  5. Click the new group you just created in Create a Group in Okta.

  6. Click the People tab, and assign people.

  7. Use Search to find the new user or users you created and click Assign people to assign them to this group.

Assign the Application to an Okta group

Important

Prerequisite: Make sure you have already created an enterprise application in Okta for your Illumio Console instance.

  1. Click Directory > Groups.

  2. Click the group that you created in Create a Group in Okta.

  3. Click the Applications tab.

  4. Click Assign Applications.

  5. Use Search to find your application and click Assign applications.

  6. Click Done.

Configure OIDC in the Illumio Console Authentication Settings

The first action at Illumio Console is to configure the Console for Okta as an OIDC-compliant IdP.

  1. Log into Illumio Console.

  2. Click Access > Authentication.

  3. Click OIDC Authentication.

  4. In Identity source, choose Okta.

  5. Under Information for Identity Providers, enter details for this Okta configuration:

    ic_oidc_authentican.png

    1. Client ID - Enter the Client ID generated by Okta when you created your Okta Application for Illumio Console.

    2. Issuer URL Enter the Issuer ID generated by Okta when you created your Okta Application for Illumio Console.

    3. Scope - You must enter openid email profile groups.

    4. Token request - Choose From Illumio Console server.

    5. Client secret

    6. IdP Logout

  6. Click Save.

Add an External Group to Illumio Console and Specify Claims

Next, add the specific Okta group as a Console external group.

  1. Log into Illumio Console.

  2. Click Access > External Groups.

  3. Click Add.

  4. Enter the external user group details.

    ic_add_external_group.png

    1. Name - Enter a name for this external group as it will appear in your Illumio Console. This is not the name you gave the group in Okta.

    2. Claim - Enter the group Name you entered when adding the group to your Okta application.

    3. Roles (optional)

    4. Scope (optional)

    5. Click Save.