mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-06 12:47:37 +00:00
docs: Generic okta idp (#6551)
* docs: OKTA idp
* docs: change generic oidc provider to okta
* docs: remove old generic docs
parent 66075bf788
commit d4ab9fb926
@ -0,0 +1,8 @@
|
||||
The Generic OIDC Provider allows you to configure any OIDC compliant identity providers.
|
||||
|
||||
The following information you need to fill out by yourself:
|
||||
|
||||
<li><b>Name</b> {props.name}</li>
|
||||
<li><b>Issuer</b> {props.issuer}</li>
|
||||
<li><b>Client-ID</b> {props.clientid}</li>
|
||||
<li><b>Scopes</b>: (openid, profile, email is preconfigured)</li>
|
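Review bot: The field list at the end of this new partial has no entry for the client secret, although the OKTA guide added in this same commit tells the reader to "Save clientid and client secret". If the secret is not described in another partial, add a list item for it here so the reader knows where it goes. Two smaller points: the four `<li>` elements have no enclosing `<ul>`, and the first sentence should read "any OIDC-compliant identity provider" (singular, hyphenated).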
@ -6,4 +6,4 @@ In ZITADEL you can connect an Identity Provider (IdP) like {props.provider} to y
|
||||
Also, you can register the IdP to a specific organization only.
|
||||
If you allow so, your organizations members can do the same in self-service.
|
||||
</p>
|
||||
:::
|
||||
:::
|
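Review bot: The context line "If you allow so, your organizations members can do the same in self-service." is missing the possessive and reads awkwardly. Since the closing `:::` of this block is being touched anyway, consider "If you allow it, your organization's members can do the same in self-service." The `:::` line itself looks identical before and after, so please confirm the change is only whitespace or an end-of-file newline and is intended.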
@ -1,136 +0,0 @@
|
||||
---
|
||||
title: Configure AzureAD as Identity Provider
|
||||
sidebar_label: AzureAD OIDC (Deprecated)
|
||||
---
|
||||
|
||||
:::caution deprecated
|
||||
|
||||
This configuration is based on the generic OIDC configuration. You can use the [Azure AD Template](./azure-ad) instead.
|
||||
|
||||
:::
|
||||
|
||||
## AzureAD Tenant as Identity Provider for ZITADEL
|
||||
|
||||
This guides shows you how to connect an AzureAD Tenant to ZITADEL.
|
||||
|
||||
:::info
|
||||
In ZITADEL you can connect an Identity Provider (IdP) like an AzureAD to your instance and provide it as default to all organizations or you can register the IdP to a specific organization only. This can also be done through your customers in a self-service fashion.
|
||||
:::
|
||||
|
||||
### Prerequisite
|
||||
|
||||
You need to have access to an AzureAD Tenant. If you do not yet have one follow [this guide from Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) to create one for free.
|
||||
|
||||
### AzureAD Configuration
|
||||
|
||||
#### Create a new Application
|
||||
|
||||
Browse to the [App registration menus create dialog](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false) to create a new app.
|
||||
|
||||
![Create an Application](/img/guides/azure_app_register.png)
|
||||
|
||||
:::info
|
||||
Make sure to select `web` as application type in the `Redirect URI (optional)` section.
|
||||
You can leave the second field empty since we will change this in the next step.
|
||||
:::
|
||||
|
||||
![Create an Application](/img/guides/azure_app.png)
|
||||
|
||||
#### Configure Redirect URIS
|
||||
|
||||
For this to work you need to whitelist the redirect URIs from your ZITADEL Instance.
|
||||
In this example our test instance has the domain `test-qcon0h.zitadel.cloud`. In this case we need to whitelist these two entries:
|
||||
|
||||
- `https://test-qcon0h.zitadel.cloud/ui/login/login/externalidp/callback`
|
||||
|
||||
:::info
|
||||
To adapt this for you setup just replace the domain
|
||||
:::
|
||||
|
||||
![Configure Redirect URIS](/img/guides/azure_app_redirects.png)
|
||||
|
||||
#### Create Client Secret
|
||||
|
||||
To allow your ZITADEL to communicate with the AzureAD you need to create a Secret
|
||||
|
||||
![Create Client Secret](/img/guides/azure_app_secrets.png)
|
||||
|
||||
:::info
|
||||
Please save this for the later configuration of ZITADEL
|
||||
:::
|
||||
|
||||
#### Configure ID Token Claims
|
||||
|
||||
![Configure ID Token Claims](/img/guides/azure_app_token.png)
|
||||
|
||||
### ZITADEL Configuration
|
||||
|
||||
#### Create IdP
|
||||
|
||||
Use the values displayed on the AzureAD Application page in your ZITADEL IdP Settings.
|
||||
|
||||
- You need to extract the `issuer` of your AzureAD Tenant from the OpenID configuration (`OpenID Connect metadata document`) in the `Endpoints submenu`. It should be your tenant's domain appended with `/v2.0`
|
||||
- The `Client ID` of ZITADEL corresponds to the `Application (client) ID` in the Overview page
|
||||
- The `Client Secret` was generated during the `Create Client Secret` step
|
||||
- Add `https://graph.microsoft.com/User.Read` to the scopes list to let personal Azure accounts register themselves
|
||||
|
||||
![Azure Application](/img/guides/azure_app.png)
|
||||
|
||||
![Create IdP](/img/guides/azure_zitadel_settings.png)
|
||||
|
||||
#### Activate IdP
|
||||
|
||||
Once you created the IdP you need to activate it, to make it usable for your users.
|
||||
|
||||
![Activate the AzureAD](/img/guides/azure_zitadel_activate.png)
|
||||
|
||||
![Active AzureAD](/img/guides/azure_zitadel_active.png)
|
||||
|
||||
#### Disable 2-Factor prompt
|
||||
|
||||
If a user has no 2-factor configured, ZITADEL does ask on a regularly basis, if the user likes to add a new 2-factor for more security.
|
||||
If you don't want your users to get this prompt when using Azure, you have to disable this feature.
|
||||
|
||||
1. Go to the login behaviour settings of your instance or organization, depending if you like to disable it for all or just a specific organization respectively
|
||||
2. Set "Multi-factor init lifetimes" to 0
|
||||
|
||||
![img.png](/img/guides/login_lifetimes.png)
|
||||
|
||||
#### Create user with verified email
|
||||
|
||||
Azure AD does not send the "email verified claim" in its token.
|
||||
Due to that the user will get an email verification mail to verify his email address.
|
||||
|
||||
To create the user with a verified email address you must add an action.
|
||||
|
||||
1. Go to the actions of your organization
|
||||
2. Create a new action with the following code to set the email to verified automatically
|
||||
3. Make sure the action name matches the function in the action itself e.g: "setEmailVerified"
|
||||
|
||||
```js reference
|
||||
https://github.com/zitadel/actions/blob/main/examples/verify_email.js
|
||||
```
|
||||
|
||||
![img.png](/img/guides/action_email_verify.png)
|
||||
|
||||
3. Add the action "email verify" to the flow "external authentication" and to the trigger "pre creation"
|
||||
|
||||
![img.png](/img/guides/action_pre_creation_email_verify.png)
|
||||
|
||||
#### Automatically redirect to Azure AD
|
||||
|
||||
If you like to get automatically redirected to your Azure AD login instead of showing the ZITADEL login with the Username/Password and a button "Login with AzureAD" you have to do the following steps:
|
||||
|
||||
1. Go to the login behaviour settings of your instance or organization
|
||||
2. Disable login with username and password
|
||||
3. Make sure you have only configured AzureAD as external identity provider
|
||||
4. If you did all your settings on the organization level make sure to send the organization scope in your authorization request: [scope](/apis/openidoauth/scopes#reserved-scopes)
|
||||
|
||||
### Test the setup
|
||||
|
||||
To test the setup use incognito mode and browse to your login page.
|
||||
If you succeeded you should see a new button which should redirect you to your AzureAD Tenant.
|
||||
|
||||
![AzureAD Button](/img/guides/azure_zitadel_button.png)
|
||||
|
||||
![AzureAD Login](/img/guides/azure_login.png)
|
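Review bot: Deleting this page also removes the "Create user with verified email" and "Disable 2-Factor prompt" sections, which are the only place in this diff that state that Azure AD does not send the email verified claim and describe the `setEmailVerified` action on the "pre creation" trigger. Before merging, confirm that the `./azure-ad` template page named in the deprecation notice covers both. Because that action marks the address as verified without the verification mail the section describes, the replacement page should say so explicitly rather than dropping the explanation.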
@ -1,75 +0,0 @@
|
||||
---
|
||||
title: Configure Google as Identity Provider
|
||||
sidebar_label: Google OIDC (Deprecated)
|
||||
---
|
||||
|
||||
:::caution deprecated
|
||||
|
||||
This configuration is based on the generic OIDC configuration. You can use the [Google Template](./google) instead.
|
||||
|
||||
:::
|
||||
|
||||
## Register an external identity provider
|
||||
|
||||
In this step we will add a new Google identity provider to federate identities with ZITADEL.
|
||||
|
||||
### 1. Create new OIDC Client
|
||||
|
||||
1. Register an OIDC Client in your preferred provider
|
||||
2. Make sure you add the ZITADEL callback redirect uris
|
||||
- {your-domain}/ui/login/login/externalidp/callback
|
||||
|
||||
> **Information:** Make sure the provider is OIDC 1.0 compliant with a proper Discovery Endpoint
|
||||
|
||||
Google Example:
|
||||
|
||||
1. Go to the Google Cloud Platform and choose your project: <https://console.cloud.google.com/apis/credentials>
|
||||
2. Click on "+ CREATE CREDENTIALS" and choose "OAuth client ID"
|
||||
3. Choose Web application as Application type and give a name
|
||||
4. Add the redirect uris
|
||||
- {your-domain}/ui/login/register/externalidp/callback
|
||||
- {your-domain}/ui/login/login/externalidp/callback
|
||||
5. Save clientid and client secret
|
||||
|
||||
![Add new oAuth credentials in Google Console](/img/google_add_credentials.gif)
|
||||
|
||||
### 2. Add custom login policy
|
||||
|
||||
The login policy can be configured on two levels. Once as default on the instance and this can be overwritten for each organization.
|
||||
This case describes how to change it on the organization.
|
||||
|
||||
1. Go to your organization settings by clicking on "Organization" in the menu
|
||||
2. Modify your login policy in the menu "Login Behavior and Security"
|
||||
|
||||
![Add custom login policy](/img/console_org_custom_login_policy.gif)
|
||||
|
||||
### 3. Configure new identity provider
|
||||
|
||||
1. Go to the settings of your instance or a specific organization (depending on where you need the identity provider)
|
||||
2. Go to the identity providers section and click "New"
|
||||
3. Select "OIDC Configuration" and fill out the form
|
||||
- Use the issuer, clientid and client secret provided by your provider (Google Issuer: https://accounts.google.com)
|
||||
- The scopes will be prefilled with openid, profile and email, because this information is relevant for ZITADEL
|
||||
- You can choose what fields you like to map as the display name and as username. The fields you can choose are preferred_username and email
|
||||
(Example: For Google you should choose email for both fields)
|
||||
4. Save your configuration
|
||||
5. You will now see the created configuration in the list. Click on the activate icon at the end of the row you can see when hovering over the row, to activate it in the login flow.
|
||||
|
||||
![Configure identity provider](/img/console_org_identity_provider.gif)
|
||||
|
||||
### 4. Send the primary domain scope on the authorization request
|
||||
|
||||
ZITADEL will show a set of identity providers by default. This configuration can be changed by users with the [manager role](/guides/manage/console/managers#roles) `IAM_OWNER`.
|
||||
|
||||
An organization's login settings will be shown
|
||||
|
||||
- as soon as the user has entered the loginname and ZITADEL can identify to which organization he belongs; or
|
||||
- by sending a primary domain scope.
|
||||
To get your own configuration you will have to send the [primary domain scope](/apis/openidoauth/scopes#reserved-scopes) in your [authorization request](/guides/integrate/login-users#auth-request) .
|
||||
The primary domain scope will restrict the login to your organization, so only users of your own organization will be able to login, also your branding and policies will trigger.
|
||||
|
||||
:::note
|
||||
You need to create your own auth request with your applications parameters. Please see the docs to construct an [Auth Request](/guides/integrate/login-users#auth-request).
|
||||
:::
|
||||
|
||||
Your user will now be able to choose Google for login instead of username/password or mfa.
|
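Review bot: This removes the `google-oidc` page outright, so existing links and bookmarks to it will break. The deprecation notice at the top of the file already names `./google` as the replacement, so add a redirect from the old path to that page instead of only deleting the file. The same applies to the `azuread-oidc` page removed in this commit.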
67
docs/docs/guides/integrate/identity-providers/okta.mdx
Normal file
@ -0,0 +1,67 @@
|
||||
---
|
||||
title: Configure OKTA as Identity Provider
|
||||
sidebar_label: OKTA generic OIDC
|
||||
id: okta
|
||||
---
|
||||
|
||||
import GeneralConfigDescription from './_general_config_description.mdx';
|
||||
import Intro from './_intro.mdx';
|
||||
import CustomLoginPolicy from './_custom_login_policy.mdx';
|
||||
import IDPsOverview from './_idps_overview.mdx';
|
||||
import GenericOIDC from './_generic_oidc.mdx';
|
||||
import Activate from './_activate.mdx';
|
||||
import TestSetup from './_test_setup.mdx';
|
||||
|
||||
<Intro provider="OKTA"/>
|
||||
|
||||
## OKTA Configuration
|
||||
|
||||
### Register a new client
|
||||
|
||||
1. Login to your OKTA Account and go to the applications list: <OKTA-DOMAIN/admin/apps/active>
|
||||
2. Click on "Create App Integration" and choose "OIDC - OpenID Connect"
|
||||
3. Choose Web application as Application type and give a name
|
||||
4. Add the Sign-in redirect uris
|
||||
- {your-domain}/ui/login/login/externalidp/callback
|
||||
- Example redirect url for the domain `https://acme-gzoe4x.zitadel.cloud` would look like this: `https://acme-gzoe4x.zitadel.cloud/ui/login/login/externalidp/callback`
|
||||
5. Save clientid and client secret
|
||||
|
||||
![Add new OIDC Application in OKTA](/img/guides/okta_add_app.png)
|
||||
|
||||
## ZITADEL Configuration
|
||||
|
||||
### Add custom login policy
|
||||
|
||||
<CustomLoginPolicy/>
|
||||
|
||||
### Go to the IdP Providers Overview
|
||||
|
||||
<IDPsOverview templates="Generic OIDC"/>
|
||||
|
||||
### Create a new Generic OIDC Provider
|
||||
|
||||
<GenericOIDC
|
||||
name=": e.g. OKTA"
|
||||
issuer=": The domain of your OKTA account, Example: https://trial-1925566.okta.com"
|
||||
clientid=": Client id from the application previously created in your OKTA account"
|
||||
/>
|
||||
|
||||
|
||||
<GeneralConfigDescription provider_account="OKTA account" />
|
||||
|
||||
![OKTA Provider](/img/guides/zitadel_okta_create_provider.png)
|
||||
|
||||
### Activate IdP
|
||||
|
||||
<Activate/>
|
||||
|
||||
![Activate the OKTA Provider](/img/guides/zitadel_activate_okta.png)
|
||||
|
||||
## Test the setup
|
||||
|
||||
<TestSetup loginscreen="your OKTA login"/>
|
||||
|
||||
<!-- TODO: Image highlights GitHub -->
|
||||
![OKTA Button](/img/guides/zitadel_login_okta.png)
|
||||
|
||||
![OKTA Login](/img/guides/okta_login.png)
|
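Review bot: In step 1 of "Register a new client", `<OKTA-DOMAIN/admin/apps/active>` is wrapped in angle brackets without a URL scheme, so in an `.mdx` file it is likely to be parsed as a tag rather than rendered as text. Write it the same way as the redirect URI two steps later, for example `{your-okta-domain}/admin/apps/active` in inline code. Near the end of the file, `<!-- TODO: Image highlights GitHub -->` looks like a leftover from another provider page and should be removed or reworded for OKTA.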
@ -242,8 +242,7 @@ module.exports = {
|
||||
"guides/integrate/identity-providers/ldap",
|
||||
"guides/integrate/identity-providers/openldap",
|
||||
"guides/integrate/identity-providers/migrate",
|
||||
"guides/integrate/identity-providers/google-oidc",
|
||||
"guides/integrate/identity-providers/azuread-oidc",
|
||||
"guides/integrate/identity-providers/okta",
|
||||
],
|
||||
},
|
||||
{
|
||||
|
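Review bot: The new `"guides/integrate/identity-providers/okta"` entry lands after `"guides/integrate/identity-providers/migrate"`, in the slot the two deprecated pages used to occupy, which leaves a provider guide listed after the migration guide. Consider moving it up next to the other provider entries (before `migrate`) so the sidebar keeps provider setup guides together. Also check that no other page still links to the removed `google-oidc` and `azuread-oidc` ids.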
BIN
docs/static/img/guides/okta_add_app.png
vendored
Normal file
Binary file not shown.
After Width: | Height: | Size: 336 KiB |
BIN
docs/static/img/guides/okta_login.png
vendored
Normal file
Binary file not shown.
After Width: | Height: | Size: 205 KiB |
BIN
docs/static/img/guides/zitadel_activate_okta.png
vendored
Normal file
Binary file not shown.
After Width: | Height: | Size: 189 KiB |
BIN
docs/static/img/guides/zitadel_login_okta.png
vendored
Normal file
Binary file not shown.
After Width: | Height: | Size: 138 KiB |
BIN
docs/static/img/guides/zitadel_okta_create_provider.png
vendored
Normal file
Binary file not shown.
After Width: | Height: | Size: 469 KiB |