Okta Integration
Okta is an enterprise-grade identity and access management platform that provides secure authentication and authorization services. This guide walks you through setting up Okta as your Identity Provider with the Tailor Platform Auth service.
Prerequisites
- An active Okta account with admin privileges
- A Tailor Platform workspace with Auth service enabled
- Basic understanding of OIDC or SAML protocols
Setting up Okta for OIDC
Step 1: Create an Application in Okta
- Log in to your Okta Admin Console
- Navigate to Applications > Applications
- Click Create App Integration
- Select OIDC - OpenID Connect as the sign-in method
- Choose Web Application as the application type
- Click Next
Step 2: Configure Application Settings
Configure your application with the following settings:
- App integration name: Your application name (e.g., "Tailor Platform App")
- Grant type: Select Authorization Code
- Sign-in redirect URIs: Add your callback URL: https://{your-app-domain}/oauth2/callback
- Sign-out redirect URIs: Add your logout URL (optional)
- Assignments: Choose who can access this application
Step 3: Get Application Credentials
After creating the application, note down:
- Client ID: Found in the application's General tab
- Client Secret: Found in the application's General tab
- Okta Domain: Your Okta organization URL (e.g., https://dev-12345.okta.com)
Setting up Okta for SAML
Step 1: Create a SAML Application
- In Okta Admin Console, go to Applications > Applications
- Click Create App Integration
- Select SAML 2.0 as the sign-in method
- Click Next
Step 2: Configure SAML Settings
General Settings:
- App name: Your application name
- App logo: Upload your application logo (optional)
SAML Settings:
- Single sign on URL: https://{your-app-domain}/oauth2/callback
- Audience URI (SP Entity ID): https://api.tailor.tech/saml/{workspace_id}/{auth_namespace}/metadata.xml
- Name ID format: EmailAddress
- Application username: Email
Step 3: Configure Attribute Statements
Add attribute statements to map Okta user attributes to your application:
Name | Name format | Value
---|---|---
email | Basic | user.email
firstName | Basic | user.firstName
lastName | Basic | user.lastName
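The attribute statements above only help if the assertion Okta sends actually carries them under those names. The following script is an added example (not Tailor Platform or Okta code) that parses a constructed, unsigned SAML assertion and reports whether the NameID format is EmailAddress and whether the `email`, `firstName` and `lastName` attributes are present and non-empty, which is what the Auth service needs to create a user profile. The issuer, user and assertion ID are placeholders; signature verification against the IdP metadata certificate is the Auth service's job and is deliberately not done here.

```python
"""Check a SAML assertion for the NameID and attribute statements an IdP
integration is expected to send (email / firstName / lastName).

Added example, not Tailor Platform or Okta code. The assertion is a
constructed, unsigned sample: a real Response must have its signature
verified against the IdP metadata certificate before any attribute is
trusted, and this script does not do that.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED_ATTRIBUTES = ("email", "firstName", "lastName")

# Constructed sample assertion: placeholder issuer, ID and user, no Signature element.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_placeholder-id" Version="2.0">
  <saml:Issuer>http://www.okta.com/{{app_id}}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="{BASIC_FORMAT}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName" NameFormat="{BASIC_FORMAT}">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName" NameFormat="{BASIC_FORMAT}">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text: str) -> dict:
    """Extract NameID (value and Format) and every Attribute -> [values] pair."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attributes: dict[str, list[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name", "")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def profile_problems(parsed: dict) -> list[str]:
    """Return the reasons a user profile could not be built from this assertion
    (empty list means the mapping matches the attribute statements configured in Okta)."""
    problems: list[str] = []
    if parsed["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID format is {parsed['name_id_format']!r}, expected emailAddress")
    for name in REQUIRED_ATTRIBUTES:
        values = parsed["attributes"].get(name, [])
        if not values or not values[0].strip():
            problems.append(f"attribute {name!r} missing or empty")
    email = parsed["attributes"].get("email", [None])[0]
    if email and parsed["name_id"] and email != parsed["name_id"]:
        problems.append("email attribute does not match NameID")
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("NameID:", parsed["name_id"], "attributes:", sorted(parsed["attributes"]))
    print("problems:", profile_problems(parsed) or "none")
    # Simulate a mis-named attribute statement ("mail" instead of "email").
    renamed = parse_assertion(SAMPLE_ASSERTION.replace('Name="email"', 'Name="mail"'))
    print("problems after renaming email -> mail:", profile_problems(renamed))
```

Run it against the decoded assertion from a failing login (for example one captured in the browser's SAML tracer) to see which of the three attribute statements is absent; the check for `email` matching the NameID catches the case where "Application username" was left at something other than Email.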
Configuring Auth Service
Once your Okta application is set up, configure the Auth service in your Tailor Platform application:
```hcl
resource "tailor_auth" "main_auth" {
  workspace_id = var.workspace_id
  namespace    = "main-auth"
}

# OIDC Configuration
resource "tailor_auth_idp_config" "okta_oidc" {
  workspace_id = var.workspace_id
  namespace    = tailor_auth.main_auth.namespace
  name         = "okta-oidc"

  oidc_config = {
    client_id = var.okta_client_id
    # The client secret is referenced from Secret Manager rather than written inline;
    # tailor_secretmanager_vault.default and tailor_secretmanager_secret.okta_client_secret
    # are assumed to be declared elsewhere in your configuration.
    client_secret = {
      vault_name  = tailor_secretmanager_vault.default.name
      secret_name = tailor_secretmanager_secret.okta_client_secret.name
    }
    provider_url = "https://{your-okta-domain}"
  }
}

# SAML Configuration (alternative)
resource "tailor_auth_idp_config" "okta_saml" {
  workspace_id = var.workspace_id
  namespace    = tailor_auth.main_auth.namespace
  name         = "okta-saml"

  saml_config = {
    metadata_url = "https://{your-okta-domain}/app/{app_id}/sso/saml/metadata"
    # SP certificate and private key (base64) also come from Secret Manager;
    # tailor_secretmanager_secret.saml_cert and .saml_key are assumed to be declared elsewhere.
    sp_cert_base64 = {
      vault_name  = tailor_secretmanager_vault.default.name
      secret_name = tailor_secretmanager_secret.saml_cert.name
    }
    sp_key_base64 = {
      vault_name  = tailor_secretmanager_vault.default.name
      secret_name = tailor_secretmanager_secret.saml_key.name
    }
  }
}
```
Testing the Integration
After configuring both Okta and the Auth service:
- Deploy your Tailor Platform application
- Log in to your application using the Tailor CLI
- You should be redirected to Okta for authentication
- After successful authentication, you'll be redirected back to your application
Troubleshooting
Common Issues
Invalid Redirect URI
- Ensure the redirect URI in Okta matches exactly what's configured in your Auth service
- Check for trailing slashes and protocol mismatches
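Both rules behind this issue are exact-string comparisons: the redirect URI registered in Okta (Step 2 of the OIDC setup) must equal the Auth service callback byte for byte, and the `issuer` Okta publishes in its OpenID discovery document must equal the `provider_url` in `oidc_config`. The script below is an added example (not Tailor Platform or Okta code) that names the specific mismatch (protocol, trailing slash, host, path) instead of just "invalid". The Okta domain, callback URL and discovery document are constructed placeholders; in practice fetch the discovery document from `{provider_url}/.well-known/openid-configuration`, and note that the issuer Okta returns depends on which authorization server you use, so compare it against whatever you configured.

```python
"""Diagnose OIDC redirect-URI and issuer mismatches before deploying.

Added example, not Tailor Platform or Okta code. It applies two exact-match rules:
  1. the redirect URI registered in Okta must equal the callback URL configured
     in the Auth service exactly (OAuth 2.0 clients are matched on exact strings);
  2. the `issuer` in the discovery document must equal the configured
     provider_url, or ID-token validation fails.
All domains, URIs and the discovery document below are constructed placeholders.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample values (not a real tenant or application).
OKTA_DOMAIN = "https://dev-12345.okta.com"
CALLBACK = "https://app.example.com/oauth2/callback"
SAMPLE_DISCOVERY = {
    "issuer": OKTA_DOMAIN,
    "authorization_endpoint": f"{OKTA_DOMAIN}/oauth2/v1/authorize",
    "token_endpoint": f"{OKTA_DOMAIN}/oauth2/v1/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
}


def redirect_uri_mismatch(registered: str, configured: str) -> list[str]:
    """Return the reasons two redirect URIs are not an exact match (empty list == OK)."""
    if registered == configured:
        return []
    reasons: list[str] = []
    r, c = urlsplit(registered), urlsplit(configured)
    if r.scheme != c.scheme:
        reasons.append(f"protocol mismatch: {r.scheme!r} vs {c.scheme!r}")
    if r.netloc.lower() != c.netloc.lower():
        reasons.append(f"host mismatch: {r.netloc!r} vs {c.netloc!r}")
    if r.path.rstrip("/") == c.path.rstrip("/") and r.path != c.path:
        reasons.append("trailing slash differs")
    elif r.path != c.path:
        reasons.append(f"path mismatch: {r.path!r} vs {c.path!r}")
    if r.query != c.query:
        reasons.append("query string differs")
    if not reasons:
        # Strings differ but no component above explains it (e.g. host case or fragment).
        reasons.append("URIs differ only in case or fragment; OAuth compares exact strings")
    return reasons


def check_issuer(discovery: dict, provider_url: str) -> list[str]:
    """Check a discovery document against the provider_url set in oidc_config."""
    problems: list[str] = []
    issuer = discovery.get("issuer", "")
    if issuer != provider_url:
        problems.append(f"issuer {issuer!r} != provider_url {provider_url!r}")
    if "authorization_code" not in discovery.get("grant_types_supported", []):
        problems.append("authorization_code grant not advertised by the provider")
    if not discovery.get("authorization_endpoint", "").startswith("https://"):
        problems.append("authorization_endpoint is not HTTPS")
    return problems


if __name__ == "__main__":
    candidates = (CALLBACK, CALLBACK + "/", CALLBACK.replace("https://", "http://", 1))
    for registered in candidates:
        print(registered, "->", redirect_uri_mismatch(registered, CALLBACK) or "exact match")
    print("discovery:", check_issuer(SAMPLE_DISCOVERY, OKTA_DOMAIN) or "OK")
    print("discovery with wrong provider_url:",
          check_issuer(SAMPLE_DISCOVERY, OKTA_DOMAIN + "/oauth2/default"))
```

The trailing-slash and `http://` cases are the two the troubleshooting list calls out; the issuer check covers the case where `provider_url` points at the org while the application was registered against a different authorization server.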
Metadata URL Not Found
- Verify your Okta domain and application ID in the metadata URL
- Ensure the SAML application is active and properly configured
User Profile Not Created
- Check that your TailorDB User type has the correct username field configured
- Verify that the email attribute is being passed from Okta
For production deployments, use HTTPS for every URL above (callback, logout, metadata and provider URLs) and make sure valid TLS certificates are configured.