On-Prem Okta Authentication with Group Sync
  • 12 Jul 2022
  • 3 Minutes to read
  • Dark

On-Prem Okta Authentication with Group Sync

  • Dark


Graylog provides Okta single sign-on (SSO) for your organization. In addition to Active Directory and LDAP, Graylog administrators can synchronize Okta group members to teams in Graylog. If you are using Okta and have already authenticated yourself on the external Okta site, Graylog can use the same session and will not prompt you to re-authenticate. However, this requires the use of third-party cookies, which are typically disabled in modern browsers. Be sure to enable third-party cookies in your browser settings to avoid re-authentication.

Getting Started

In order to start the Graylog connection, you need to create the OIDC application that you want to authenticate on Graylog. Make sure both the Okta developer console and the Graylog UI are accessible. Perform the following steps.

Graylog UI Server

  1. Login to Graylog.
  2. Navigate to the Authentication submenu in System.
  3. Select Okta from the dropdown, found on the Create New Authentication Service menu.
  4. Click the Get Started button, which takes you to a form required to configure the Okta service.
  5. Fill out the form with corresponding values, which helps you create the service:
Field Name Entry
Title Name the service.
Description (Optional) Add a description.
Okta Base URL Add the root URL of the Okta client, e.g. https://<your-subdomain>.okta.com
Callback URL Enter your Graylog URL that Okta redirects back to after authentication. It could be the base URL of your Okta environment or a custom server configured for Okta sessions.
  1. Navigate to the Okta console to configure the application(s) you want to use to authenticate Graylog via Okta.

Okta developer console

  1. Log into your Okta admin dashboard.
  2. Click on Applications under Applications on the left menu
  3. Click on Create App Integration; this prompts you to a modal called Create a new app integration.
  4. Select the OIDC - OpenID Connect radio button from the modal
  5. Select Web Application and click Next.
  6. Enter a name in the App Integration Name field, on the New Web App Integration form.
  7. Ensure the following are selected:
    • Client Credentials
    • Authorization Code
    • Refresh Token
  8. Add your callback URL (obtained from Graylog when creating the authentication service).
  9. Under assignments, ensure that you select the appropriate access, i.e. the Allow everyone in your organization radio button.
  10. Click Save, to take you back to the Applications page.
  11. Save the Client ID and Client secret. (These values are needed to complete the Okta authentication form in Graylog.)

Graylog UI Server Configuration

  1. Navigate to the Create Okta Authentication Service form.
  2. Finish the Server Configuration form:
Field Name Entry / Action
OAuth Client ID Pass the secret value from the Applications section (Okta).
OAuth Client Secret Enter the password associated with this Client ID, from the Applications section (Okta).
Token Verifier Connect Timeout Determine the time interval in seconds, till connection reset.
Default Roles Determine the roles you want to delegate through this 3rd party Okta session.
  1. Click Test Server Connection to validate the configuration.

Group Synchronization

In this section, make sure you still have access to Okta and the Graylog UI.

Okta Console

  1. Navigate to the Okta dashboard.
  2. Click API under Security in the left menu.
  3. Click the Token tab.
  4. Click the Create Token button to generate the Create Token modal.
  5. Enter a name in the field What do you want your token to be named?.
  6. Click the Create Token button to generate the token string (Token Value).
  7. Click the copy/paste button or save the token string for the Graylog Group Synchronization tab.

**Graylog UI **

On the Group Synchronization tab, perform the following:

  1. Click Next: Group Synchronization, which takes you to the next tab: Group Synchronization (Optional).
  2. Check the Synchronize Groups box to Enable Group Synchronization.
  3. Copy the token string into the Okta API Token field.
  4. Click the Load matching groups button. This will port the full list of group members from Okta.
  5. Select from either All groups, Include selected, Exclude selected in Select groups to import. This depends on the members chosen (or excluded) from the imported groups mentioned in Step 4.
  6. Click the Finish & Save Service button to complete the configuration steps. This takes you to the All Authentication Services pane.
  7. Click Activate the start the new authentication service you configured in this guide.

The Result

A new log-in page appears when you log out to start a new session with Okta in place. To get to this screen:

  1. Log out of Graylog. You will notice a login page with the text Login with default method.
  2. Log back in to Graylog under you Okta credentials to authenticate as new delegated Okta group member.

Was this article helpful?

What's Next