The following article exclusively pertains to a Graylog Operations feature or functionality. To learn more about obtaining an Operations license, please contact the Graylog Sales team.

Graylog provides Okta single sign-on (SSO) for your organization. In addition to Active Directory and LDAP, Graylog administrators can synchronize Okta group members to Graylog teams. If you have already authenticated with Okta in your browser and third-party cookies are enabled, Graylog reuses that Okta session and does not prompt you to authenticate again.

Getting Started

To connect Graylog to Okta, create an OIDC application in Okta and register it as an authentication service in Graylog. You need access to both the Okta admin console and the Graylog UI; perform the following steps.

Graylog UI Server

  1. Log into Graylog.
  2. Navigate to the Authentication submenu in System.
  3. On the Create New Authentication Service menu, select Okta from the dropdown.
  4. Click the Get Started button, which opens the form for configuring the Okta service.
  5. Fill out the form with the following values:
Field Name: Entry
Title: Name the service.
Description: (Optional) Add a description.
Okta Base URL: The root URL of your Okta org, e.g. https://<your-subdomain>.okta.com. This is the issuer URL of the Okta application; it must match the issuer exactly (https scheme, host, no trailing path), because Graylog compares it with the issuer claim of the tokens Okta returns.
Callback URL: The Graylog URL that Okta redirects back to after authentication. It can be the base URL of your Graylog environment or a custom server configured for Okta sessions. Okta matches this URL against its registered sign-in redirect URIs by exact string comparison, so copy it verbatim into Okta.
  6. Navigate to the Okta console to configure the application(s) you want to use to authenticate to Graylog via Okta.

Okta Developer Console

  1. Log into your Okta admin dashboard.
  2. Click Applications under "Applications" in the left menu.
  3. Click Create App Integration; this opens the Create a new app integration modal.
  4. Select the OIDC - OpenID Connect radio button from the modal.
  5. Select Web Application and click Next.
  6. Enter a name in the App Integration Name field on the New Web App Integration form.
  7. Ensure that the following grant types are selected:
    • Client Credentials
    • Authorization Code
    • Refresh Token
  8. Add the callback URL from the Graylog authentication service form to Sign-in redirect URIs, exactly as entered in Graylog.
  9. Under Assignments, select the access that matches your policy, e.g. the Allow everyone in your organization radio button, or limit access to the groups whose members should be able to log in to Graylog.
  10. Click Save to return to the "Applications" page.
  11. Save the Client ID and Client secret; both are needed to complete the Okta authentication form in Graylog. Treat the Client secret as a credential and do not share it outside the Graylog configuration.

Graylog UI Server Configuration

  1. Navigate to the Create Okta Authentication Service form.
  2. Finish the Server Configuration form:
Field Name Entry / Action
OAuth Client ID: Enter the Client ID of the application from the Applications section in Okta.
OAuth Client Secret: Enter the Client secret that belongs to this Client ID from the Applications section in Okta.
Token Verifier Connect Timeout: The time in seconds Graylog waits for a connection to Okta when verifying tokens before the connection is reset.
Default Roles: The Graylog roles granted to every user who logs in through this Okta service.
  3. Click Test Server Connection to validate the configuration.
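The following is an added example (not Graylog or Okta code) of the checks that the configuration above depends on: the Okta Base URL must be the exact OIDC issuer, the callback URL must match a registered sign-in redirect URI byte for byte, the browser is sent to Okta's authorization endpoint with a state and a nonce, and the returned ID token is accepted only if its iss, aud, exp and nonce claims check out. The org URL https://example.okta.com, the client ID 0oaexampleclientid, the Graylog callback https://graylog.example.com/ and the discovery document are assumptions constructed for the example; signature verification against Okta's JWKS, which must precede the claim checks, is outside its scope.

```python
"""Checks for an Okta OIDC integration of the kind Graylog configures above.

Added example, not Graylog or Okta code. The org URL, client ID, callback URL and
the discovery document below are assumptions constructed for the example.
"""
import base64
import json
import secrets
import time
from urllib.parse import urlencode, urlparse

# Constructed stand-in for GET https://<subdomain>.okta.com/.well-known/openid-configuration
DISCOVERY_DOC = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "grant_types_supported": ["authorization_code", "refresh_token", "implicit"],
}
CLIENT_ID = "0oaexampleclientid"                 # assumed; Graylog's "OAuth Client ID"
CALLBACK_URL = "https://graylog.example.com/"    # assumed; Graylog's "Callback URL"
REGISTERED_REDIRECT_URIS = ["https://graylog.example.com/"]  # as entered in Okta


def check_base_url(base_url, discovery):
    """Graylog's 'Okta Base URL' is the OIDC issuer: https, bare origin, exact match."""
    p = urlparse(base_url)
    if p.scheme != "https":
        return "Okta Base URL must use https"
    if p.path not in ("", "/") or p.query or p.fragment:
        return "Okta Base URL must be the bare org URL, with no path"
    if base_url.rstrip("/") != discovery["issuer"].rstrip("/"):
        return f"issuer mismatch: configured {base_url}, Okta reports {discovery['issuer']}"
    if "authorization_code" not in discovery["grant_types_supported"]:
        return "issuer does not support the authorization code grant"
    return None


def check_callback_url(callback_url, registered):
    """Okta compares redirect_uri with the registered Sign-in redirect URIs byte for
    byte, so a missing trailing slash or a different scheme is a mismatch."""
    if callback_url not in registered:
        return "callback URL is not registered as a sign-in redirect URI (exact match required)"
    return None


def build_authorize_url(discovery, client_id, callback_url):
    """First leg of the authorization code flow: the redirect sent to the browser.
    state binds the response to this login attempt; nonce is checked in the ID token."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": callback_url,
        "state": state,
        "nonce": nonce,
    }
    return f"{discovery['authorization_endpoint']}?{urlencode(params)}", state, nonce


def jwt_payload(token):
    """Decode the base64url payload segment of a JWT (no signature check here)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def check_id_token_claims(claims, issuer, client_id, nonce, now=None):
    """Claim checks a token verifier makes after validating the RS256 signature
    against jwks_uri. Returns the names of failing claims; empty means acceptable."""
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") != issuer:
        failed.append("iss")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        failed.append("aud")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        failed.append("exp")
    if claims.get("nonce") != nonce:
        failed.append("nonce")
    return failed


def make_unsigned_token(claims):
    """Build a demo token with the given payload; real Okta ID tokens are RS256-signed."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


if __name__ == "__main__":
    print(check_base_url("https://example.okta.com/oauth2/default", DISCOVERY_DOC))
    print(check_callback_url("https://graylog.example.com", REGISTERED_REDIRECT_URIS))
    url, state, nonce = build_authorize_url(DISCOVERY_DOC, CLIENT_ID, CALLBACK_URL)
    print(url)
```

Running the block prints the two most common misconfigurations: a base URL that points at a custom authorization server path instead of the org issuer, and a callback URL that differs from the registered redirect URI only by a trailing slash.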

Group Synchronization

In this section, you need access to Okta and the Graylog UI.

Okta Console

  1. Navigate to the Okta dashboard.
  2. Click API under Security in the left menu.
  3. Click the Token tab.
  4. Click the Create Token button to open the Create Token modal.
  5. Enter a name in the field What do you want your token to be named?
  6. Click the Create Token button to generate the token string (Token Value).
  7. Copy the token string or save it for the Graylog Group Synchronization tab. Okta displays the value only once, and the token carries the permissions of the admin user who created it, so store it only in the Graylog configuration.

Graylog UI

On the Group Synchronization tab, perform the following:

  1. Click Next: Group Synchronization to open the Group Synchronization (optional) tab.
  2. Check the Synchronize Groups box to enable group synchronization.
  3. Paste the token string into the Okta API Token field.
  4. Click the Load matching groups button. Graylog queries Okta and lists the available groups.
  5. Under Select groups to import, choose All groups, Include selected, or Exclude selected, depending on which of the groups loaded in Step 4 should be synchronized to Graylog teams.
  6. Click the Finish & Save Service button to complete the configuration. This takes you to the All Authentication Services pane.
  7. Click Activate to start the new authentication service you configured in this guide.
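As an added example (not Graylog or Okta code), the following shows what a group lookup of the kind Load matching groups performs looks like against the Okta management API, followed by the All groups / Include selected / Exclude selected choice and a membership fetch per selected group. The endpoints /api/v1/groups and /api/v1/groups/{id}/users and the SSWS Authorization header are Okta's real API; the org URL, the token value and the group and user data are constructed so the block runs offline. Real listings are paginated through the Link response header, which the example omits, and keeping only ACTIVE users is this example's own choice.

```python
"""Okta group lookup and selection of the kind Graylog's group synchronization performs.

Added example, not Graylog or Okta code. The org URL, the token and the responses
in FAKE_RESPONSES are constructed; the endpoints and the SSWS header are Okta's.
"""
import json
import urllib.request

OKTA_BASE_URL = "https://example.okta.com"   # assumed org URL
API_TOKEN = "00constructed-token-value"      # assumed; a real token is shown once at creation


def okta_get(base_url, path, api_token):
    """Live transport: authenticated GET against the Okta management API."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed responses standing in for the live API during the offline run.
FAKE_RESPONSES = {
    "/api/v1/groups": [
        {"id": "00g1", "type": "OKTA_GROUP", "profile": {"name": "graylog-admins"}},
        {"id": "00g2", "type": "OKTA_GROUP", "profile": {"name": "graylog-readers"}},
        {"id": "00g3", "type": "BUILT_IN", "profile": {"name": "Everyone"}},
    ],
    "/api/v1/groups/00g1/users": [
        {"id": "00u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"}},
    ],
    "/api/v1/groups/00g2/users": [
        {"id": "00u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"}},
        {"id": "00u2", "status": "ACTIVE", "profile": {"login": "bob@example.com"}},
        {"id": "00u3", "status": "DEPROVISIONED", "profile": {"login": "carol@example.com"}},
    ],
    "/api/v1/groups/00g3/users": [
        {"id": "00u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"}},
        {"id": "00u2", "status": "ACTIVE", "profile": {"login": "bob@example.com"}},
        {"id": "00u3", "status": "DEPROVISIONED", "profile": {"login": "carol@example.com"}},
    ],
}


def fake_get(base_url, path, api_token):
    """Offline transport with the same signature as okta_get; refuses a missing token
    the way Okta answers 401 to an unauthenticated management API request."""
    if not api_token:
        raise PermissionError("401 Unauthorized: missing SSWS token")
    return FAKE_RESPONSES[path]


def list_groups(get, base_url, api_token):
    """Map group name -> group id, the list Graylog shows after Load matching groups."""
    return {g["profile"]["name"]: g["id"] for g in get(base_url, "/api/v1/groups", api_token)}


def select_groups(names, mode, selected=()):
    """Apply the 'Select groups to import' choice: all, include or exclude."""
    names = set(names)
    if mode == "all":
        return names
    if mode == "include":
        return names & set(selected)
    if mode == "exclude":
        return names - set(selected)
    raise ValueError(f"unknown selection mode {mode!r}")


def sync_members(get, base_url, api_token, mode, selected=()):
    """Return {group name: sorted member logins} for the chosen groups. Only ACTIVE
    users are kept so a deprovisioned Okta account does not keep a Graylog team seat."""
    groups = list_groups(get, base_url, api_token)
    result = {}
    for name in sorted(select_groups(groups, mode, selected)):
        users = get(base_url, f"/api/v1/groups/{groups[name]}/users", api_token)
        result[name] = sorted(u["profile"]["login"] for u in users if u.get("status") == "ACTIVE")
    return result


if __name__ == "__main__":
    # Exclude the built-in Everyone group so it does not become a Graylog team.
    print(sync_members(fake_get, OKTA_BASE_URL, API_TOKEN, "exclude", ["Everyone"]))
```

Swapping fake_get for okta_get runs the same logic against a real org; excluding the built-in Everyone group, as in the usage line, is the typical choice because importing it would give every Okta user a team membership in Graylog.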

The Result

A new login page appears once you log out and start a new session with Okta in place. To get to this screen:

  1. Log out of Graylog. A login page with the text "Login with default method" appears.
  2. Log back into Graylog with your Okta credentials. You are authenticated through Okta, with the default roles and any synchronized group memberships applied.