A Magda Authentication Plugin for Okta.
Requires MAGDA version 0.0.58 or above.
- Add the auth plugin as a Helm Chart dependency:

  ```yaml
  - name: magda-auth-okta
    version: 1.1.0
    repository: https://charts.magda.io
    tags:
      - all
      - magda-auth-okta
  ```

- Configure the auth plugin with the Okta client ID and domain:

  ```yaml
  magda-auth-okta:
    domain: dev-xxxxxx.okta.com
    clientId: "xxxxxxxx"
  ```

- Configure the Gateway to add the auth plugin to the Gateway's plugin list (more details: see here):

  ```yaml
  gateway:
    authPlugins:
      - key: okta
        baseUrl: http://magda-auth-okta
  ```

- Make sure the `oauth-secrets` secret has the correct value for the `okta-client-secret` key.

- Identity provider setup:
  - Login return URI: `https://[Magda External Access Domain]/auth/login/plugin/okta/return`
  - Logout return URI: `https://[Magda External Access Domain]/auth/login/plugin/okta/logout/return`
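The steps above leave a few things to get right by hand: the issuer derived from the domain, the plugin key shared between the sub-chart and the gateway list, and the two return URIs registered in Okta. The following is an added example (not the plugin's own code) that resolves a Helm values dict into the effective settings using the defaults documented in the values table; `resolve`, `SAMPLE_VALUES` and the bare-hostname check on `domain` are assumptions of this example, and it generalises the `okta` path segment of the return URIs to whatever `authPluginConfig.key` is set to.

```python
import re

# Allowed characters for authPluginConfig.key, as documented in the values table.
KEY_RE = re.compile(r"[a-zA-Z0-9-]+")
# Documented defaults for scope, maxClockSkew (seconds) and timeout (milliseconds).
DEFAULTS = {"scope": "openid profile email", "maxClockSkew": 120, "timeout": 10000}

# Constructed sample values mirroring the YAML snippets in the setup steps.
SAMPLE_VALUES = {
    "magda-auth-okta": {"domain": "dev-xxxxxx.okta.com", "clientId": "xxxxxxxx"},
    "gateway": {"authPlugins": [{"key": "okta", "baseUrl": "http://magda-auth-okta"}]},
}


def _with_default(plugin, name):
    value = plugin.get(name)
    return DEFAULTS[name] if value is None else value


def resolve(values, external_url):
    """Return the effective settings for the sub-chart, or raise ValueError."""
    plugin = values.get("magda-auth-okta", {})
    key = plugin.get("authPluginConfig", {}).get("key", "okta")
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"authPluginConfig.key {key!r} contains disallowed characters")
    if not plugin.get("clientId"):
        raise ValueError("clientId is required")
    issuer, domain = plugin.get("issuer"), plugin.get("domain")
    if issuer is None:
        # Assumption: domain is a bare hostname, since the issuer is built by prefixing https://
        if not domain or "://" in domain or "/" in domain:
            raise ValueError("set either issuer or a bare Okta domain such as dev-xxxxxx.okta.com")
        issuer = f"https://{domain}/oauth2/default"
    # The gateway reaches the plugin under the key it is listed with, so the keys must match.
    gateway_keys = [p.get("key") for p in values.get("gateway", {}).get("authPlugins", [])]
    if key not in gateway_keys:
        raise ValueError(f"gateway.authPlugins has no entry with key {key!r}")
    base = external_url.rstrip("/")
    return {
        "issuer": issuer,
        "scope": _with_default(plugin, "scope"),
        "maxClockSkew": int(_with_default(plugin, "maxClockSkew")),
        "timeout": int(_with_default(plugin, "timeout")),
        # Return URIs to register in the Okta application (login and logout).
        "loginReturnUri": f"{base}/auth/login/plugin/{key}/return",
        "logoutReturnUri": f"{base}/auth/login/plugin/{key}/logout/return",
    }


if __name__ == "__main__":
    for name, value in resolve(SAMPLE_VALUES, "https://magda.example.org/").items():
        print(f"{name}: {value}")
```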
Requirements: Kubernetes >= 1.14.0-0

| Repository | Name | Version |
|---|---|---|
| https://charts.magda.io | magda-common | 1.0.0 |
| Key | Type | Default | Description |
|---|---|---|---|
| authPluginConfig.authenticationMethod | string | `"IDP-URI-REDIRECTION"` | The authentication method of the plugin. Supported values are `IDP-URI-REDIRECTION`, `PASSWORD` and `QR-CODE`. |
| authPluginConfig.explicitLogout | bool | `true` | Whether to explicitly log out the Okta session when the user logs out from Magda. |
| authPluginConfig.iconUrl | string | `"/icon.svg"` | The display icon URL of the auth plugin. |
| authPluginConfig.key | string | `"okta"` | The unique key of the auth plugin. Allowed characters: `[a-zA-Z0-9-]` |
| authPluginConfig.loginFormExtraInfoContent | string | `""` | Optional; only applicable when authenticationMethod = `"PASSWORD"`. If present, the content is displayed underneath the login form to provide extra info to users, e.g. how to reset a password. Supports content in markdown format. |
| authPluginConfig.loginFormExtraInfoHeading | string | `""` | Optional; only applicable when authenticationMethod = `"PASSWORD"`. If present, the heading is displayed underneath the login form to provide extra info to users, e.g. how to reset a password. |
| authPluginConfig.loginFormPasswordFieldLabel | string | `"Password"` | Optional; only applicable when authenticationMethod = `"PASSWORD"`. |
| authPluginConfig.loginFormUsernameFieldLabel | string | `"Username"` | Optional; only applicable when authenticationMethod = `"PASSWORD"`. |
| authPluginConfig.name | string | `"Okta"` | The display name of the auth plugin. |
| authPluginConfig.qrCodeAuthResultPollUrl | string | `""` | Only applicable, and compulsory, when authenticationMethod = `"QR-CODE"`. The URL used by the frontend to poll the authentication processing result. See the Authentication Plugin Specification for more details. |
| authPluginConfig.qrCodeExtraInfoContent | string | `""` | Only applicable, and compulsory, when authenticationMethod = `"QR-CODE"`. If present, the content is displayed underneath the login form to provide extra info to users, e.g. how to download a mobile app to scan the QR code. Supports content in markdown format. |
| authPluginConfig.qrCodeExtraInfoHeading | string | `""` | Only applicable, and compulsory, when authenticationMethod = `"QR-CODE"`. If present, the heading is displayed underneath the QR code image to provide extra instructions to users, e.g. how to download a mobile app to scan the QR code. |
| authPluginConfig.qrCodeImgDataRequestUrl | string | `""` | Only applicable, and compulsory, when authenticationMethod = `"QR-CODE"`. The URL used by the frontend client to request auth challenge data from the authentication plugin. See the Authentication Plugin Specification for more details. |
| authPluginRedirectUrl | string | `nil` | The redirection URL after the whole authentication process is completed. Authentication plugins will use this value as default. The following query parameters can be used to supply the authentication result: This field overrides `global.authPluginRedirectUrl`; unless you want a different value only for this auth plugin, you shouldn't set it. |
| autoscaler.enabled | bool | `false` | Whether to turn on the autoscaler. |
| autoscaler.maxReplicas | int | `3` | |
| autoscaler.minReplicas | int | `1` | |
| autoscaler.targetCPUUtilizationPercentage | int | `80` | |
| clientId | string | `nil` | Okta client ID. |
| defaultAdminUserId | string | `"00000000-0000-4000-8000-000000000000"` | The system account used to talk to the auth API. This value is only used when `global.defaultAdminUserId` has no value. |
| defaultImage.imagePullSecret | bool | `false` | |
| defaultImage.pullPolicy | string | `"IfNotPresent"` | |
| defaultImage.repository | string | `"docker.io/data61"` | |
| domain | string | `nil` | Okta domain. Used to generate the issuer URL (i.e. `https://{yourOktaDomain}/oauth2/default`). You can skip this field and provide a value for the `issuer` field directly instead. |
| global | object | `{"authPluginRedirectUrl":"/sign-in-redirect","externalUrl":"","image":{},"rollingUpdate":{}}` | Only for providing appropriate default values for helm lint. |
| image.name | string | `"magda-auth-okta"` | |
| issuer | string | `nil` | Okta issuer URL. When the Okta domain is provided, the issuer value can be omitted and defaults to `https://{yourOktaDomain}/oauth2/default`. |
| maxClockSkew | string | `nil` | Okta OpenID client clock skew tolerance (in seconds). Defaults to 120 if not provided. |
| replicas | int | `1` | Number of initial replicas. |
| resources.limits.cpu | string | `"50m"` | |
| resources.requests.cpu | string | `"10m"` | |
| resources.requests.memory | string | `"30Mi"` | |
| scope | string | `nil` | Okta OpenID access token scope. Defaults to `openid profile email` if not provided. See also: https://developer.okta.com/docs/reference/api/oidc/#scopes |
| timeout | string | `nil` | Okta OpenID client HTTP request timeout (in milliseconds). Defaults to 10000 if not provided. |