Okta Authentication

Graylog provides Okta authentication as a possibility for single sign-on (SSO) for your organization. You can synchronize Okta group members to teams in Graylog. If you are using Okta and have already authenticated yourself on the external Okta site, Graylog can use the same session and will not prompt you to re-authenticate if you enable third-party cookies in your browser.

This article describes the steps to take to set up Okta authentication in Graylog, including group synchronization.

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must be a Graylog administrator to enable authentication with Okta.

  • You must have an Okta account and credentials.

Set Up Okta Authentication

The process for setting up authentication with Okta involves configuration both in the Graylog web interface and in your Okta admin dashboard. The basic steps are:

  1. Begin server configuration in the Graylog web interface.

  2. Complete the Okta connection in the Okta Admin Console.

  3. Complete server configuration in the Graylog web interface.

  4. (optional) Complete group synchronization in the Graylog web interface.

  5. Activate the new service in Graylog.

Each of these steps is described in detail below.

Begin Server Configuration

Complete these steps in the Graylog web interface.

  1. Navigate to System > Authentication.
  2. Click Create Service.
  3. Select Okta from the drop-down menu, then click Get Started.
  4. Fill out the following fields in the form:
    Title: A name for the service.

    Description: (Optional) A description of the service.

    Okta Base URL: The root URL of your Okta org, for example https://<your-subdomain>.okta.com. This is the issuer URL of the Okta application.

    Callback URL: The Graylog URL that Okta redirects back to after authentication. It can be the base URL of your Graylog environment or a dedicated server configured for Okta sessions. Okta matches this value exactly against the application's Sign-in redirect URIs, so you must enter the identical string in Okta in the next section.

Okta Configuration

The following steps must be completed in your Okta Admin Console.

  1. Log in to your Okta admin dashboard.
  2. Click Applications > Applications in the left menu.
  3. Click Create App Integration, which opens the Create a new app integration dialog.
  4. Select OIDC - OpenID Connect.
  5. Select Web Application, then click Next.
  6. Enter a name in the App Integration Name field on the New Web App Integration form.
  7. Ensure that the following options are selected:
    • Client Credentials
    • Authorization Code
    • Refresh Token
  8. Add your callback URL to the Sign-in redirect URIs. This information is obtained from Graylog during the authentication service setup in the previous section.
  9. Under Assignments, select Allow everyone in your organization to access if every Okta user should be able to sign in to Graylog, or Limit access to selected groups to restrict sign-in to specific Okta groups.
  10. Click Save to return to the Applications page.
  11. Copy the Client ID and Client secret. You need these values to complete the Okta authentication form in Graylog in the next section. The Client secret is a credential: store it in your secrets manager and do not share it beyond the Graylog configuration.

Graylog UI Server Configuration

You complete the following steps back in the Graylog web interface.

  1. Return to the Create Okta Authentication Service form.
  2. Finish the Server Configuration form:
    OAuth Client ID: The Client ID recorded from the application you created in Okta.
    OAuth Client Secret: The Client secret recorded from the same Okta application.
    Token Verifier Connect Timeout: The number of seconds Graylog waits when connecting to Okta to verify tokens before the attempt times out. We recommend the default value of 10.
    Default Roles: The Graylog roles assigned to every user who signs in through this service. The field is pre-populated with Reader, which is the basic level of access most Graylog users need and is therefore the recommended selection.

  3. Click Test Server Connection to validate the configuration. This test lets Graylog perform a basic consistency and connectivity check of the configuration. Any errors detected are shown in the UI and must be resolved before you can proceed.
  4. Click Finish & Save Service to complete the configuration and return to the All Authentication Services page, or click Next: Group Synchronization if you intend to use the groups feature.
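The three configuration steps above are typed by hand into two consoles, and the usual mismatches (a base URL that is not the org's issuer, a callback URL that differs from the registered Sign-in redirect URI by a trailing slash) only surface when Test Server Connection or the first login fails. The following Python script is an added example, not Graylog or Okta code, that runs those consistency checks offline before you fill in the form. The tenant example.okta.com, the Graylog host graylog.example.com, the discovery document and the registered redirect list are all constructed sample values; against a real org you would fetch https://<your-subdomain>.okta.com/.well-known/openid-configuration and pass that document in.

```python
"""Offline pre-flight checks for the values on Graylog's Okta authentication form.

Added example, not Graylog or Okta code. SAMPLE_DISCOVERY is a constructed document
shaped like what an Okta org serves at /.well-known/openid-configuration, and
SAMPLE_REGISTERED_REDIRECTS stands in for the Sign-in redirect URIs of the Okta app.
"""
import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample; "example.okta.com" is a made-up tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "client_credentials"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed: the Sign-in redirect URIs registered on the Okta application.
SAMPLE_REGISTERED_REDIRECTS = ["https://graylog.example.com/"]


def check_base_url(base_url: str) -> List[str]:
    """The Okta Base URL must be the bare https origin of the org, with no path or trailing slash."""
    findings: List[str] = []
    u = urlparse(base_url)
    if u.scheme != "https":
        findings.append("base URL must use https")
    if not u.netloc:
        findings.append("base URL has no host")
    if u.path not in ("", "/") or u.query or u.fragment:
        findings.append("base URL must be the org root, without a path, query or fragment")
    if base_url.endswith("/"):
        findings.append("base URL has a trailing slash; the org's issuer value has none, so token issuer checks fail")
    return findings


def check_callback_url(callback_url: str, registered: List[str]) -> List[str]:
    """Okta compares the redirect_uri Graylog sends byte-for-byte with the registered Sign-in redirect URIs."""
    findings: List[str] = []
    u = urlparse(callback_url)
    if u.scheme != "https":
        findings.append("callback URL should use https so the authorization code is not exposed in transit")
    if not u.netloc:
        findings.append("callback URL has no host")
    if callback_url not in registered:
        findings.append("callback URL is not registered verbatim as a Sign-in redirect URI in Okta")
    return findings


def check_discovery(base_url: str, discovery_json: str) -> List[str]:
    """Cross-check the org's discovery document against the base URL Graylog will be given."""
    findings: List[str] = []
    doc: Dict = json.loads(discovery_json)
    if doc.get("issuer") != base_url.rstrip("/"):
        findings.append(f"issuer {doc.get('issuer')!r} does not equal the configured base URL")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("org does not advertise the 'code' response type")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        findings.append("org does not advertise the authorization_code grant")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("org does not advertise RS256 for ID token signatures")
    expected_host = urlparse(base_url).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        host = urlparse(doc.get(key, "")).netloc
        if host != expected_host:
            findings.append(f"{key} is served from {host!r}, not from the base URL host")
    return findings


def preflight(base_url: str, callback_url: str, discovery_json: str, registered: List[str]) -> List[str]:
    """Run every check; an empty list means the values are consistent and ready to enter in Graylog."""
    return (check_base_url(base_url)
            + check_callback_url(callback_url, registered)
            + check_discovery(base_url, discovery_json))


if __name__ == "__main__":
    for line in preflight("https://example.okta.com", "https://graylog.example.com/",
                          SAMPLE_DISCOVERY, SAMPLE_REGISTERED_REDIRECTS) or ["all checks passed"]:
        print(line)
```

The issuer comparison is the one that matters most for security: Graylog verifies the iss claim of the ID token against the base URL, so a value that is off by a trailing slash or points at a custom domain the org does not advertise will fail every login even though the browser redirect to Okta appears to work.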

Group Synchronization

In addition to individual users, Okta integration can be used to synchronize Okta groups to Graylog teams. To set up this synchronization, you need access to both Okta and the Graylog web interface.

Okta Configuration for Groups

The first part of group configuration is completed in your Okta Admin Console.

  1. Navigate to the Okta dashboard.
  2. Click Security > API in the left menu.
  3. Click the Tokens tab.
  4. Click the Create Token button to open the Create Token dialog.
  5. Enter a name in the field What do you want your token to be named?.
  6. Click Create Token to generate the token string (Token Value).
  7. Copy the token value or save it now; Okta displays it only once. You enter this string into Graylog in the next section. The token carries the permissions of the administrator who created it, so create it from an account with the least privilege needed to read groups and treat it like a password.

Graylog Group Synchronization

These remaining steps are completed in the Graylog web interface, and continue from the previous server configuration steps above.

On the Group Synchronization tab:

  1. Select the Synchronize Groups check box to enable group synchronization.
  2. Paste the token string into the Okta API Token field.
  3. Click Load matching groups to retrieve the list of groups from Okta.
  4. Choose the Selection type:
    • All groups: Imports all groups returned in the previous step.
    • Include selected: Imports only the groups you select in the returned list.
    • Exclude selected: Imports all groups except those you select in the returned list.
  5. Click Finish & Save Service to complete the configuration steps and return to the All Authentication Services page.
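Behind Load matching groups, Graylog uses the pasted API token to read the org's groups from Okta and then applies the Selection type to the result. The following Python script is an added example, not Graylog or Okta code, that replays that exchange offline so you can see what the token header looks like, why a token pasted with a leading "SSWS " or stray whitespace fails, and how the three selection types differ on the same group list. The tenant example.okta.com, the group objects and the pagination headers are constructed samples shaped like Okta's /api/v1/groups API; fake_okta_get stands in for the HTTPS call.

```python
"""What the Okta side of Graylog's group synchronization does, replayed offline.

Added example, not Graylog or Okta code. The API token, the group objects and the
pagination headers are constructed samples shaped like Okta's /api/v1/groups API.
"""
import json
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed: two pages of a paginated GET /api/v1/groups response. Okta signals the
# next page in an RFC 8288 Link header with rel="next"; the last page has none.
START_URL = "https://example.okta.com/api/v1/groups?limit=2"
SAMPLE_PAGES: Dict[str, Tuple[Dict[str, str], str]] = {
    START_URL: (
        {"Link": '<https://example.okta.com/api/v1/groups?limit=2>; rel="self", '
                 '<https://example.okta.com/api/v1/groups?after=00g2&limit=2>; rel="next"'},
        json.dumps([
            {"id": "00g1", "type": "BUILT_IN", "profile": {"name": "Everyone"}},
            {"id": "00g2", "type": "OKTA_GROUP", "profile": {"name": "security-analysts"}},
        ]),
    ),
    "https://example.okta.com/api/v1/groups?after=00g2&limit=2": (
        {"Link": '<https://example.okta.com/api/v1/groups?after=00g2&limit=2>; rel="self"'},
        json.dumps([
            {"id": "00g3", "type": "OKTA_GROUP", "profile": {"name": "graylog-admins"}},
            {"id": "00g4", "type": "APP_GROUP", "profile": {"name": "Finance (AD)"}},
        ]),
    ),
}

Getter = Callable[[str, Dict[str, str]], Tuple[Dict[str, str], str]]


def auth_headers(api_token: str) -> Dict[str, str]:
    """Okta API tokens travel as 'Authorization: SSWS <token>'. Tolerate a pasted 'SSWS '
    prefix or surrounding whitespace, the usual cause of a failed first Load matching
    groups attempt; an empty token is an error rather than a silent unauthenticated call."""
    token = api_token.strip()
    if token[:5].upper() == "SSWS ":
        token = token[5:].strip()
    if not token:
        raise ValueError("empty Okta API token")
    return {"Authorization": f"SSWS {token}", "Accept": "application/json"}


_NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')


def next_page(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" target from a Link header, or None on the last page."""
    if not link_header:
        return None
    m = _NEXT.search(link_header)
    return m.group(1) if m else None


def fetch_all_groups(start_url: str, api_token: str, get: Getter) -> List[dict]:
    """Follow Link: rel="next" until exhausted so groups beyond the first page are not missed."""
    headers = auth_headers(api_token)
    groups: List[dict] = []
    url: Optional[str] = start_url
    while url:
        resp_headers, body = get(url, headers)
        groups.extend(json.loads(body))
        url = next_page(resp_headers.get("Link"))
    return groups


def select_groups(groups: List[dict], selection_type: str, selected: Set[str]) -> List[str]:
    """Apply Graylog's Selection type to the loaded groups; returns the names to import as teams."""
    names = [g["profile"]["name"] for g in groups]
    if selection_type == "All groups":
        return names
    if selection_type == "Include selected":
        return [n for n in names if n in selected]
    if selection_type == "Exclude selected":
        return [n for n in names if n not in selected]
    raise ValueError(f"unknown selection type {selection_type!r}")


def fake_okta_get(url: str, headers: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Stand-in for the HTTPS call: rejects requests without an SSWS token, as Okta does with a 401."""
    if not headers.get("Authorization", "").startswith("SSWS "):
        raise PermissionError("401 Unauthorized: missing or malformed SSWS token")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    loaded = fetch_all_groups(START_URL, "SSWS 00constructedTokenValue", fake_okta_get)
    print(select_groups(loaded, "Exclude selected", {"Everyone"}))
```

Note that the built-in Everyone group comes back like any other group: with All groups it becomes a Graylog team containing every Okta user, which is rarely what you want, so Exclude selected with Everyone ticked, or Include selected with an explicit list, is the safer choice.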

Activation and Sign On

After you configure the service, activate your current service provider to enable the authentication protocol.

  1. Click the Authentication Services tab to return to the All Authentication Services page.

  2. Click Activate in the Actions column for the service you want to activate.

If you change service providers or need to update your settings, be sure to activate the new service from this menu.

Warning: Only one authentication service can be activated at a time for each Graylog instance.


After you set up your identity provider authentication with Graylog, a new log-in page appears when you log out to start a new Graylog session. To get to this screen:

  1. Log out of Graylog. A login page with the text "Login with default method" appears.
  2. Log in to Graylog with your Okta credentials to authenticate through the new service. Graylog assigns the configured default roles and, if group synchronization is enabled, the synchronized team memberships.

Hint: If you experience any issues with your identity provider preventing login, remember that you can select Login with default method to log in to Graylog with your default administrator credentials.
