Pachyderm Docs: Okta

If Okta® access management software is your preferred choice of IdP, you can configure Pachyderm to use Okta as an OpenID Connect (OIDC) identity provider using the following steps.

ℹ️

Before you can configure Pachyderm to work with Okta, log in or create an account at https://www.okta.com/login/.

Register Pachyderm with Okta #

For more detailed step by step instructions, follow this documentation.

Sign in to your Okta organization with your administrator account.
From the Admin Console side navigation, click Applications > Applications.
Click Add Application.
Click Create New App (or search for your existing app).
Select Platform: Web and sign-on method OpenID Connect.
Click Create.
Type the name of your application, such as Pachyderm.
Add the following Login redirect URI.
```
http://<ip>:30658/callback
```
Note: Your port number should be whatever is routing to the Identity Service:658.
The IP address is the address of your Pachyderm host. For example, if you are running Pachyderm in Minikube, you can find the IP address by running minikube ip.
Click Save
Click Edit to change the General Settings pane. In the Allowed grant types section, enable Authorization Code and Refresh Token.
Click Save
On the Assignments tab, click Assign to assign the app integration to any user or group in your org. Click Done when the assignments are complete.

Set up an create an Idp-Pachyderm connector #

After you have configured a Pachyderm application in Okta, you need to create an OIDC connector config file with the Okta parameters. All the required parameters, such as client_id, client_secret, and others, are located on the App General tab.

To configure Pachyderm Auth, complete the following steps:

Go to the terminal and forward the pachd pod to the OIDC port:

Get the pachd pod ID:

kubectl get pod

Example system response:

pachd-79f7f68c65-9qs8g      1/1     Running   0          4h2m
...

Forward the pachd pod to the OIDC port:

Example:

kubectl port-forward pachd-79f7f68c65-9qs8g 30657

Enable Pachyderm authentication:
```
pachctl auth activate --initial-admin=robot:admin
```
Pachyderm returns a token.
WARNING! You must save the token to a secure location to avoid being locked out of your cluster.
Log in as the admin user with the token you received in the previous step:
```
pachctl auth use-auth-token
```
Set up the authentication config:
```
pachctl auth set-config <<EOF
  {
  "live_config_version": 2,
  "id_providers": [{
  "name": "okta",
  "description": "oidc-based authentication with Okta",
  "oidc":{
  "issuer": "https://",
  "client_id": "",
  "client_secret": "",
  "redirect_uri": "your redirect URI",
  ignore_email_verified: true
  }
  }]
  }
  EOF
```
You need to replace the following placeholders with relevant values:
- issuer — The domain of your application in Okta. For example, {yourOktaDomain}/. Note the trailing slash.
- client_id — The Pachyderm Client ID in Okta.
- client_secret - The Pachyderm client secret in Okta.
- redirect_uri - This parameter should match what you have added to redirect URI in the previous step.
Log in as the user you have created in the Pachyderm application or sign in with Google:
1. Run:
```
pachctl auth login
```
  You should be prompted to a web-browser. Log in as the user you have previously created in Okta or sign in with Google.
You should see the following message printed out in your browser:
```
You are now logged in. Go back to the terminal to use Pachyderm!
```

In the terminal, check that you are logged in as the Okta user:

pachctl auth whoami

Example of System Response:

You are "okta:test@pachyderm.com"
session expires: 07 Aug 20 14:04 PDT