AshitAcharya

Reputation: 113

Vault authentication with Okta

We have set up a Vault cluster and are trying to authenticate Vault with Okta. I have enabled the auth method and configured it:

vault auth enable okta
vault write auth/okta/config base_url="BASE_URL" organization="ORG" token="TOKEN"

Whenever I try to authenticate against Okta in the Vault UI, I get this error:

Authentication failed: Okta auth failed: HTTP Method: POST - URL: https://org.okta.com/api/v1/authn: - HTTP Status Code: 401, OKTA Error Code: E0000004, OKTA Error Summary: Authentication failed, OKTA Error Causes: []

The catch is that we are using Google as the IdP. Login requests are being sent to Google. In Okta we configured Google as the IdP.

If I save a user's credentials in Okta itself, then it works. So, is there a way to authenticate via Okta when the IdP is Google?

Upvotes: 3

Views: 2677

Answers (2)

Andy March

Reputation: 586

You are using the Okta auth method within Vault. This will just post your credentials against the AuthN endpoint of Okta to validate them and grant access based on the response.

With Google as the user's IdP within Okta, you will need to set up the JWT/OIDC auth method in Vault and configure Vault as an application in Okta. When the user authenticates, their browser will redirect to Okta to complete sign-in, which will redirect them to Google to authenticate if they do not already have a session.

Upvotes: 2
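The switch this answer describes, as an added example that is not part of the original answer or of Vault's own documentation: a small script that enables Vault's OIDC auth method with Okta as the OpenID provider, so the browser flow goes Vault -> Okta -> Google. It assumes an OIDC web application already exists in Okta with both callback URLs below registered, and takes OKTA_ISSUER, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET and VAULT_ADDR as placeholder values from the environment.

```shell
#!/bin/sh
# Added example, not from the question or either answer: replaces the
# AuthN-based "okta" auth method with Vault's OIDC auth method, using Okta
# as the OpenID provider so that Okta can hand the browser on to Google.
# Assumptions (placeholders, not values from the page): an OIDC web app in
# Okta with both callback URLs below registered; OKTA_ISSUER, OKTA_CLIENT_ID,
# OKTA_CLIENT_SECRET and VAULT_ADDR supplied through the environment.
set -eu

# Run a vault CLI command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'vault %s\n' "$*"
  else
    vault "$@"
  fi
}

# issuer: e.g. https://org.okta.com/oauth2/default (custom authorization server)
#         or   https://org.okta.com                (org authorization server)
# Vault reads ${issuer}/.well-known/openid-configuration to discover endpoints.
configure_vault_oidc() {
  issuer="$1"; client_id="$2"; client_secret="$3"; vault_addr="$4"
  ui_callback="${vault_addr}/ui/vault/auth/oidc/oidc/callback"  # Vault UI login
  cli_callback="http://localhost:8250/oidc/callback"           # 'vault login -method=oidc'

  run auth enable oidc

  # In real use pass oidc_client_secret=@/path/to/secret (the CLI reads @file)
  # so the secret does not land in shell history or process listings.
  run write auth/oidc/config \
    oidc_discovery_url="$issuer" \
    oidc_client_id="$client_id" \
    oidc_client_secret="$client_secret" \
    default_role="okta-user"

  # Role: Vault checks the id_token audience against bound_audiences, names the
  # entity after the 'sub' claim, and only accepts the listed redirect URIs.
  run write auth/oidc/role/okta-user \
    role_type="oidc" \
    bound_audiences="$client_id" \
    allowed_redirect_uris="$ui_callback" \
    allowed_redirect_uris="$cli_callback" \
    user_claim="sub" \
    token_policies="default"
}

# Stand-alone use: export the four variables, then run this script.
if [ -n "${OKTA_ISSUER:-}" ]; then
  configure_vault_oidc "$OKTA_ISSUER" "$OKTA_CLIENT_ID" "$OKTA_CLIENT_SECRET" "$VAULT_ADDR"
fi
```

Run with DRY_RUN=1 first to see the exact vault commands; the user then logs in from the UI with the OIDC method or with `vault login -method=oidc role=okta-user`, and is sent to Okta and on to Google.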

user284503

Reputation: 378

I'm not familiar with Vault, but it looks to me like Vault is doing a simple AuthN Authentication, basically just checking a Username/Password against Okta.

So, unfortunately, from what I see with what you provided doing Social Authentication to Okta then logging into Vault might not be supported by Vault.

Now, if you create a local account in Okta, and the Authentication works, then we can confirm that Vault is not properly supporting Federation (Single Sign-on) :(

Unfortunately, Vault would need to support Federation to allow you to login via Google, then log into Vault.

Upvotes: 0
