Integrating Okta into SD-WAN Orchestrator for Single Sign-On (SSO) with Different User Types
In this article, we will explore how to integrate Okta into the VMware SD-WAN Orchestrator for single sign-on (SSO) with different user types. We will go over the steps to set up SSO authentication in the SD-WAN Orchestrator and how to use groups claim filters to assign different roles to users based on their Okta group membership.
Step 1: Create a New Application in Okta
To start, we need to create a new application in Okta. Select OIDC – OpenID Connect as the sign-in method and Web Application as the application type. Click Next to continue. In the General Settings section, enter a name for your application and select Refresh Token for the grant type. In the Sign-in redirect URIs text box, enter the redirect URL that your SD-WAN Orchestrator application uses as the callback endpoint. You can find it under the Global Settings, Authentication menu in your SD-WAN Orchestrator.
Step 2: Note Down Client Credentials (Client ID and Client Secret)
Next, we need to note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in SD-WAN Orchestrator. These credentials can be found in the Okta application you just created.
Step 3: Configure a Groups Claim Filter
Since we don’t want every user to get enterprise super admin rights, we will configure a groups claim filter. To do this, click the Sign On tab and under the OpenID Connect ID Token area, click Edit. In this setup, I am using a basic filter, but this can be adapted to the respective use cases and needs.
Step 4: Assign Groups to SD-WAN Orchestrator Application
Now we need to assign groups to our SD-WAN Orchestrator application. On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or Assign to People. In my example, I have already created two Okta groups.
Step 5: Configure SD-WAN Orchestrator for SSO Authentication
We need to log in as an enterprise super user with our credentials, click on Global Settings in the drop-down menu, then select Enterprise Settings and set up a domain name for your enterprise. This must be done before enabling SSO authentication for the SD-WAN Orchestrator!
Step 6: Configure SSO Authentication for SD-WAN Orchestrator
Within the User Management menu, click on the Authentication tab, and then from the Authentication Mode drop-down menu, select Single Sign-On. From the Identity Provider Template, we select Okta. In the OIDC well-known config URL text box, enter the OpenID Connect (OIDC) configuration URL for our Okta tenant. For example, https://{your-okta-url}/.well-known/openid-configuration.
Step 7: Update and Test SSO Configuration
The SD-WAN Orchestrator application auto-populates endpoint details such as Issuer, Authorization Endpoint, Token Endpoint, and User Information Endpoint. In the Client Id and Client Secret text boxes, enter the client identifier and client secret provided by your Okta tenant. To determine a user's role in the SD-WAN Orchestrator, we will enable Use Identity Provider Roles so that the role is derived from the groups we created in Okta. Remember that we created the two groups superuser and readonly in our Okta tenant in the previous section.
Step 8: Test SSO Configuration
Finally, we will update and test our configuration via this button here. You will be redirected to Okta and need to log in with your user. If everything is configured properly, you should see the following successful SSO Configuration Test message.
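To make the role assignment from Steps 3 and 7 concrete, here is an added example (not code from the article, VMware or Okta) that resolves the Orchestrator role from the groups claim of an Okta ID token. The discovery document, client ID, group names and role mapping are constructed placeholders; the Orchestrator itself verifies the token signature, so this only shows the claim checks that decide the role.

```python
import json
import re
from typing import Optional

# Constructed sample of the OIDC discovery document the Orchestrator reads
# from the well-known URL in Step 6; the hostname is a placeholder.
WELL_KNOWN = json.loads("""{
  "issuer": "https://example.okta.com",
  "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://example.okta.com/oauth2/v1/token",
  "userinfo_endpoint": "https://example.okta.com/oauth2/v1/userinfo"
}""")

CLIENT_ID = "0oa-example-client-id"  # placeholder, not a real Okta Client ID

# Okta's groups claim filter supports a regex match; this assumed filter only
# releases groups with an "sdwan-" prefix, keeping other group names out of the token.
GROUPS_FILTER = re.compile(r"^sdwan-(superuser|readonly)$")

# Assumed mapping from released group to Orchestrator role; most privileged
# first, so a user in both groups gets one deterministic answer.
ROLE_MAP = [("sdwan-superuser", "superuser"), ("sdwan-readonly", "readonly")]


def endpoints(well_known: dict) -> dict:
    """Pick the four endpoints the Orchestrator auto-populates in Step 7."""
    keys = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")
    return {k: well_known[k] for k in keys}


def resolve_role(claims: dict, well_known: dict, client_id: str) -> Optional[str]:
    """Return the Orchestrator role for the ID token claims, or None to deny."""
    if claims.get("iss") != well_known["issuer"]:
        return None  # token issued by a different tenant
    if claims.get("aud") != client_id:
        return None  # token minted for a different application
    released = [g for g in claims.get("groups", []) if GROUPS_FILTER.match(g)]
    for group, role in ROLE_MAP:
        if group in released:
            return role
    return None  # no matching group: no role, no access


if __name__ == "__main__":
    sample = {"iss": WELL_KNOWN["issuer"], "aud": CLIENT_ID, "sub": "alice",
              "groups": ["Everyone", "sdwan-readonly"]}  # constructed claims
    print(endpoints(WELL_KNOWN)["token_endpoint"])
    print(resolve_role(sample, WELL_KNOWN, CLIENT_ID))  # prints "readonly"
```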
Real Life Example
Now let's have a look at how this works in real life. If users log in with administrative rights, we can use Okta authentication policies and their rules to require additional authentication factors. In this video, we are leveraging Okta Verify as a second factor. Within the SD-WAN Orchestrator, we can now see which users have logged in.
Conclusion
In this article, we have seen how to integrate Okta into the VMware SD-WAN Orchestrator for single sign-on (SSO) with different user types. We have gone over the steps to set up SSO authentication in the SD-WAN Orchestrator and how to use groups claim filters to assign different roles to users based on their Okta group membership. By following these steps, you can ensure secure and seamless access to your SD-WAN Orchestrator for your users.