Unable to integrate okta with vault


Giel DB

Feb 12, 2018, 9:45:05 AM
to Vault
Hi

I'm having trouble integrating okta with vault.

In short: I don't seem to get the org_name into auth/okta/config.

I tried through the Vault CLI, the API and different Vault versions (including the latest).

So it seems my org_name isn't set within the config.

API:

~ $ less data.json
{
  "org_name": "mycompany",
  "base_url": "okta.com",
  "api_token": "xxx"
}
~ $ curl --header "X-Vault-Token: xxx" --request POST --data @data.json localhost:8200/v1/auth/okta/config
~ $ vault read auth/okta/config
Key     Value
---     -----
BaseURL okta.com
Org

Vault CLI:
~ $ vault write auth/okta/config org_name="mycompany" base_url="okta.com" api_token="xxx"
Success! Data written to: auth/okta/config
~ $ vault read auth/okta/config
Key     Value
---     -----
BaseURL okta.com
Org

So whenever I try to auth towards Okta, I get this error:
~ $ vault auth -method=okta username=giel.db
Password (will be hidden):
Error making API request.

Code: 400. Errors:

* Okta auth failed: Post https://.okta.com/api/v1/authn: dial tcp: lookup .okta.com: no such host



Can someone give me some insights into this?

Thanks in advance 

Vishal Nayak

Feb 12, 2018, 11:13:56 AM
to vault...@googlegroups.com
Hi Giel,

Which version of Vault are you using? The `org_name` field in the Okta
configuration is a replacement for an older `organization` field.
Probably in the version of Vault you are using, there is no
`org_name`.

Regards,
Vishal
--
vn

Giel DB

Feb 12, 2018, 11:25:38 AM
to Vault
Hi

Thank you for your reply!

I've tried both "organization" and "org_name" in versions 0.7.2 and 0.9.3 (latest) without success.
base_url works fine and I can change it through the API and CLI without a problem. So I find it strange that I can't change the value of org_name/organization the same way I change base_url.

Vishal Nayak

Feb 12, 2018, 12:10:05 PM
to vault...@googlegroups.com
Hi Giel,

I don't see anything unusual in the code that can cause this issue.

What does the output of `/auth/okta/config` look like in the latest release?

Regards,
Vishal

Giel DB

Feb 13, 2018, 3:26:56 AM
to Vault
Hi

The output in version 0.9.3 looks like this:
~ $ vault write auth/okta/config base_url="okta.com" org_name="mycompany" api_token="xxx"
Success! Data written to: auth/okta/config
~ $ vault read auth/okta/config
Key        Value
---        -----
BaseURL    okta.com
Org        n/a


 
On Monday, 12 February 2018 at 18:10:05 UTC+1, Vishal Nayak wrote:

Giel DB

Feb 13, 2018, 3:46:36 AM
to Vault
Hi Vishal

Just got it working! Mistake on my part: I was running Vault in an HA cluster and didn't upgrade all Vault instances in the cluster. All instances in my cluster are now at 0.9.3 and the problem is solved.
Thank you anyway for taking the time to look into this!

On Tuesday, 13 February 2018 at 09:26:56 UTC+1, Giel DB wrote:

Steve Parker

Oct 25, 2019, 3:58:43 PM
to Vault
I know it's been a while since your post, but I'm hoping you can tell me where you get the "api_token" for Okta from. I'm really new to Okta, and can't quite figure out how/where to get this token from. We've tried setting up an OAuth app in Okta, but neither the clientID nor the Secret works for the token. Can you tell me where that "token" value comes from?

$ vault write auth/okta/config base_url="okta.com" organization="<our-company>" token="?????"

$ vault login -method=okta username=<myID>
Password (will be hidden):
Error authenticating: Error making API request.

URL: PUT https://<ourvaulturl>v1/auth/okta/login/<myID>
Code: 400. Errors:

* Okta auth failed: HTTP Method: POST - URL: https://<our_company>.okta.com/api/v1/authn: - HTTP Status Code: 401, OKTA Error Code: E0000011, OKTA Error Summary: Invalid token provided, OKTA Error Causes: []

I've trie

Steve Parker

Oct 25, 2019, 4:05:37 PM
to Vault
I forgot to mention that this is Vault 1.2.3. Sorry. I usually don't forget that.   - Steve

Becca Petrin

Oct 25, 2019, 6:05:26 PM
to Vault
Hi Steve,

Ah! I see that in our docs, we refer to the token but we never explicitly state where to get it. Have you tried using an API token?

-B

Steve Parker

Oct 28, 2019, 9:26:52 AM
to Vault
This is for the configuration of the Okta connection, not for a user to log in. Specifically the token mentioned in docs when I write the base config mentioned here:

$ vault write auth/okta/config \
    base_url="okta.com" \
    organization="dev-123456" \
    token="00KzlTNCqDf0enpQKYSAYUt88KHqXax6dT11xEZz_g"

I'll keep looking for how to find this token value from the Okta side.

Steve

Becca Petrin

Oct 28, 2019, 12:11:29 PM
to Vault
Hi Steve,

Thanks for sharing that. I went to look at the Vault code here and I'm seeing that the "token" field has been deprecated, in favor of the "api_token" field just below that. Apologies for the outdated documentation, I'll make a note for our team to circle back and update those docs. It looks like if it's provided, it's used to parse Okta groups here, so it would need to be an API token belonging to any entity that has the ability to do that.

I hope that helps.

-Becca

Steve Parker

Oct 28, 2019, 12:31:55 PM
to Vault
Becca,

That note/verbiage was exactly what I needed to make the mental jump to saying "set the token value to <null>" in the vault write auth/okta/config. I did the following:

$ vault write auth/okta/config token=''
Success! Data written to: auth/okta/config

$ vault login -method=okta username=<My_OKTA_ID>
Password (will be hidden):
WARNING! The VAULT_TOKEN environment variable is set! This takes precedence
over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  <token>
token_accessor         <accessor>
token_duration         768h
token_renewable        true
token_policies         ["default"]
identity_policies      []
policies               ["default"]
token_meta_policies    n/a
token_meta_username    <My_OKTA_ID>

Becca Petrin

Oct 29, 2019, 12:40:50 PM
to Vault
Ah, great! Thanks for following up with the solution!

-B
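Both problems in this thread come down to the same two checks: write auth/okta/config with the current field names (org_name and api_token, not the deprecated organization and token), then read the config back and confirm Vault actually kept org_name, because a mixed-version HA cluster drops it without an error. The script below is an added example written for this page; it is not code from the thread or from HashiCorp. It assumes VAULT_ADDR and VAULT_TOKEN are set for the live steps, that GET auth/okta/config returns JSON containing an "org_name" key, and that sys/health returns a "version" key; the org_name, base_url and api_token values are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread or from HashiCorp): configure Vault's
# Okta auth method over the HTTP API with the current field names and verify
# the result. Assumptions: VAULT_ADDR/VAULT_TOKEN are set for the live steps,
# GET auth/okta/config returns JSON with an "org_name" key, and sys/health
# returns a "version" key.

# Build the POST body for auth/okta/config. base_url is the Okta domain
# (okta.com or oktapreview.com), not the tenant hostname. Values must not
# contain double quotes: no JSON escaping is done here.
okta_config_json() {
  printf '{"org_name":"%s","base_url":"%s","api_token":"%s"}\n' "$1" "$2" "$3"
}

# Extract one string field from a flat JSON document on stdin (no jq needed).
json_field() {
  sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Read the config JSON on stdin; succeed only if org_name is present and
# non-empty. The 0.9.x CLI rendered this field as "Org" with value "n/a".
org_is_set() {
  org=$(json_field org_name)
  [ -n "$org" ]
}

# Read one version string per line on stdin; succeed only if all are equal.
# A cluster with nodes on different versions is what dropped org_name above.
versions_consistent() {
  [ "$(sort -u | wc -l | tr -d ' ')" -eq 1 ]
}

# Ask every node URL given for sys/health and compare the reported versions.
# standbyok=true makes standby nodes answer 200 instead of 429.
cluster_versions_consistent() {
  for node in "$@"; do
    curl -sS "$node/v1/sys/health?standbyok=true" | json_field version
  done | versions_consistent
}

# Write the config, read it back, and fail loudly if Vault dropped org_name.
configure_okta_live() {
  okta_config_json "$1" "$2" "$3" |
    curl -sS --fail -X POST --data @- \
      --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/auth/okta/config"
  if curl -sS --fail --header "X-Vault-Token: $VAULT_TOKEN" \
       "$VAULT_ADDR/v1/auth/okta/config" | org_is_set; then
    echo "auth/okta/config: org_name stored"
  else
    echo "auth/okta/config: org_name was NOT stored; check every node's version" >&2
    return 1
  fi
}

# Usage (the live steps only run when the environment is configured):
#   VAULT_NODES="https://vault-a:8200 https://vault-b:8200" \
#   OKTA_ORG=mycompany OKTA_API_TOKEN=... ./okta-config.sh
if [ -n "${VAULT_ADDR:-}" ] && [ -n "${OKTA_ORG:-}" ]; then
  # VAULT_NODES is deliberately unquoted so it splits into one URL per word.
  cluster_versions_consistent ${VAULT_NODES:-$VAULT_ADDR} ||
    { echo "Vault nodes report different versions; upgrade all of them first" >&2; exit 1; }
  configure_okta_live "$OKTA_ORG" "${OKTA_BASE_URL:-okta.com}" "${OKTA_API_TOKEN:-}"
fi
```

The api_token is passed through an environment variable rather than on the command line so it does not show up in the shell history or process list; it only needs to belong to an Okta identity that can read the groups Vault maps to policies.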