Pachyderm Docs: Okta

Before You Start #

You must have the following enabled on your cluster:
- Enterprise
- TLS
You must have an Okta account
You should know the value of your proxy.host setting in your Helm values.yaml file

How to Enable Okta as an IdP #

1. Create an App on Okta #

Log in to Okta.
Navigate to Applications > Applications.
Select Create App Integration.
Choose the OIDC - OpenID Connect sign-in method.
Choose the Web Application application type.
Click Next.
Name the application, such as Pachyderm.
Navigate to General Settings > Grant Type and check the following:
- Authorization Code
- Refresh Token
Navigate to Sign-in Redirect URIs and input the following:
```
https://<your.proxy.host.value>/dex/callback
```
Navigate to Assignments and select your preferred Controlled Access policy.
Click Save.

2. Define Helm Config #

The following steps add the OIDC section to your Helm chart. When an upstream IdP is successfully added to the list, Pachyderm’s default MockIdP is disabled automatically. You can add multiple IdPs to upstreamIDPs.

Navigate to your values.yamls file or obtain your current Helm values.yaml overrides:
```
helm get values pachyderm > values.yaml
```
Add the following section:

Syntax:

{
  "oidc": {
    "upstreamIDPs": [
      {
        "type": "oidc",
        "id": "okta",
        "name": "Okta",
        "config": {
          "issuer": "https://trial-1839456.okta.com/",
          "clientID": "0oa74mh2scJf29qOD697",
          "clientSecret": "VNwbzOBltNcaotD2CU5iRyTuqOPpwLR-RC16ai7wakta95W00p7X5HYkEgS_5UWH",
          "redirectURI": "https://<proxy.host.value.com>/dex/callback",
          "insecureEnableGroups": true,
          "insecureSkipEmailVerified": true,
          "insecureSkipIssuerCallbackDomainCheck": false
        }
      }
    ]
  }
}

oidc:
  upstreamIDPs:
  - type: oidc
    id: okta
    name: Okta
    config:
        issuer: https://trial-1839456.okta.com/
        clientID: 0oa74mh2scJf29qOD697
        clientSecret: VNwbzOBltNcaotD2CU5iRyTuqOPpwLR-RC16ai7wakta95W00p7X5HYkEgS_5UWH
        redirectURI: https://<proxy.host.value.com>/dex/callback 
        insecureEnableGroups: true
        insecureSkipEmailVerified: true
        insecureSkipIssuerCallbackDomainCheck: false

ℹ️

Note that Pachyderm’s YAML format is a simplified version of Dex’s sample config.

Update the following attributes:

Field	Description
`issuer`	The Okta App’s domain URL, found under Sign On > OpenID Connect ID Token; must have `https://`.
`clientID`	The Okta App’s client ID, found under General > Client Credentials.
`clientSecret`	The Okta App’s client secret, found under General > Client Secrets.
`redirectURI`	A combination of your proxy host value and `/dex/callback`. For example, `https://console.pachdemo.com/dex/callback`.

Save your changes and upgrade your cluster:

helm upgrade pachyderm pachyderm/pachyderm -f values.yaml

💡

Alternatively, you can create a secret containing your dex connectors (Key: upstream-idps) and reference its name in the field oidc.upstreamIDPsSecretName.

The users registered with your IdP are now ready to Log in to Pachyderm

Troubleshooting #

PachD CrashLoopBackOff #

If you encounter a CrashLoopBackOff error after running the kubectl get pods command, it’s likely that one of the following needs to be fixed:

your issuer value is incorrect (sometimes it needs a trailing slash /, it should match exactly what you see in Okta).
you have an unexpected field such as version in the config section oidc.updstreamIDPs entry.

Example Error in PachD Pod logs

You can obtain your pod logs by running: kubectl logs <pachd-pod-name> > logs.txt

create connector with ID: "okta": unable to open connector: failed to get provider: oidc: issuer did not match the issuer returned by provider, expected "https://trial-1839456.okta.com/" got "https://trial-1839456.okta.com"

You may need to download the Okta Verify app on your mobile device and scan the QR code through the app log in.