Objective:
This support document outlines the steps to implement OIDC authentication for Nomad using Okta as the IdP. It does not cover a comprehensive Nomad or Okta configuration; you may need to tailor these settings further with your own compliance and security requirements in mind.
Configure Okta OIDC Application:
Note: Please follow the screenshots and the brief notes provided with each step.
Step 1: Log in to Okta.
Step 2:
Click the three-bar (menu) icon at the top-left of the page, then click Applications, and then Applications again:
Step 3:
Click the "Create App Integration" button, then select "OIDC - OpenID Connect" as the sign-in method and "Web Application" as the application type, since Nomad is a web application.
Step 4:
On the General tab, fill in the details of the app integration for Nomad, such as:
- App integration name: this is the name that appears on the Nomad login page
- Sign-in redirect URIs
- Assignments: this controls which group of users can access the application
Note about Redirect URIs: Use the correct set of URIs for your infrastructure. It is critical that the redirect URIs in Okta are identical to those in the Nomad auth-method configuration under the field "AllowedRedirectURIs". If the URIs in Okta and in the Nomad configuration do not match, OIDC authentication will not work.
Logging in via the Nomad UI requires a redirect URI of the form:
http://localhost:4646/ui/settings/tokens
or,
http://{host:port}/ui/settings/tokens
The "host:port" must match the Nomad agent that serves the Nomad UI.
Step 5:
This completes the general configuration needed on Okta. Make a note of the "Client ID" and "Client Secret" values; they are needed for the OIDC auth-method configuration on Nomad.
Step 6:
On the Sign On tab, further configuration is needed under the OpenID Connect ID Token section: set up a groups claim filter so that the correct group claims are extracted from the groups configured for the user. In this case the group filter matches all Okta groups, because the regular expression used is ".*".
Step 7:
Now, let's assign users to the OIDC app integration. Go back to the Applications page, where your Okta OIDC app is listed, and click the "Assign users to App" button.
You now see a view where you select which users are assigned to which OIDC app. Select the relevant check boxes and confirm the selection.
Step 8:
On the Okta API Scopes tab, grant the scope access required for your specific use case; this article grants the scopes for user groups.
This completes the Okta side of the configuration; next we move on to the Nomad side.
Nomad OIDC Configuration:
Step 9:
Make sure Nomad is running with ACLs enabled, and that you have a privileged (or the bootstrap) ACL token so you can run the commands that create the Nomad auth-method and binding-rule needed to complete the OIDC configuration.
Below is a sample OIDC auth-method configuration for Nomad (Client ID, Client Secret and the Okta domain are masked):
File: oidc.json
{
  "OIDCDiscoveryURL": "https://******.okta.com",
  "OIDCClientID": "0oaf8*******5d7",
  "OIDCClientSecret": "8W***************1V4",
  "VerboseOIDCLogging": true,
  "OIDCScopes": ["profile", "groups"],
  "AllowedRedirectURIs": [
    "http://localhost:4649/oidc/callback",
    "http://localhost:4646/ui/settings/tokens"
  ],
  "ClaimMappings": {
    "first_name": "first_name",
    "last_name": "last_name"
  },
  "ListClaimMappings": {
    "groups": "groups"
  }
}
Step 10:
Create a Nomad auth-method of type OIDC:
$ nomad acl auth-method create -type=oidc \
-name=Okta4Nomad -max-token-ttl=5m \
-token-locality local -config=@oidc.json
Validate that the auth-method was created:
$ nomad acl auth-method info Okta4Nomad
Step 11:
Create an ACL policy and role appropriate to your requirements. Here we use a sample policy for the purpose of the demo:
Nomad Policy (file: nomad_policy.hcl):
// Grants read access to the namespace "default".
namespace "default" {
  policy = "read"
}
// Grants read access to Nomad nodes.
node {
  policy = "read"
}
$ nomad acl policy apply oidc nomad_policy.hcl
* Note that you need to supply your own Nomad policy HCL file for the policy and role creation.
$ nomad acl role create -name oidc-role -policy oidc
Validate that the ACL role and policy have been created correctly using the commands below:
$ nomad acl role list
$ nomad acl policy list
Step 12:
Create a binding-rule that ties the role created above to the auth-method:
The binding-rule glues the role to the auth-method, so a user assigned to the OIDC application only has the privileges defined by the underlying policy and role that the binding-rule assigns. With the binding rule below, only users who are members of the "nomad" group are able to authenticate; this is because of the -selector flag, which rejects all other users who are not part of the "nomad" group.
$ nomad acl binding-rule create \
-description "binding oidc role to Okta4Nomad" \
-auth-method "Okta4Nomad" -bind-type "role" \
-bind-name "oidc-role" -selector="nomad in list.groups"
Note: The "-bind-name" flag is the role name. Also note that the -selector flag is used with "nomad" because that is a group which was created and assigned to the user as pre-work for this demo. You will need to create or use the relevant group names in the selector flag.
This completes the OIDC authentication configuration on both the Okta and Nomad sides.
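The two things that most often go wrong with this setup are the exact-match rule for redirect URIs (Step 4) and the way the binding-rule selector (Step 12) is evaluated against the ID token claims after ClaimMappings and ListClaimMappings are applied. The following Python is an added illustration of both, not Nomad's own code: it uses the AllowedRedirectURIs and claim mappings from the oidc.json on this page, constructed Okta ID token claims, and a small selector evaluator that understands only the `<value> in list.<name>` form used here. A missing groups claim is treated as an empty list, which is an assumption of this model.

```python
"""Model of how a Nomad OIDC auth-method's claim mappings and a binding-rule
selector decide which role a login is bound to. Added example, not Nomad code."""
import re

# Mirrors the oidc.json on this page (masked secrets omitted; not needed here).
AUTH_METHOD_CONFIG = {
    "AllowedRedirectURIs": [
        "http://localhost:4649/oidc/callback",
        "http://localhost:4646/ui/settings/tokens",
    ],
    "ClaimMappings": {"first_name": "first_name", "last_name": "last_name"},
    "ListClaimMappings": {"groups": "groups"},
}

# Mirrors the binding-rule created in Step 12.
BINDING_RULE = {
    "bind_type": "role",
    "bind_name": "oidc-role",
    "selector": "nomad in list.groups",
}


def redirect_uris_match(okta_uris, nomad_allowed):
    """Exact, case-sensitive comparison of the two URI sets. Anything listed
    on one side only is reported; a non-empty result means login will fail
    for the affected client (UI or CLI)."""
    okta, nomad = set(okta_uris), set(nomad_allowed)
    return {
        "only_in_okta": sorted(okta - nomad),
        "only_in_nomad": sorted(nomad - okta),
    }


def map_claims(id_token_claims, config):
    """Apply ClaimMappings (scalar claims -> value.<name>) and
    ListClaimMappings (list claims -> list.<name>)."""
    mapped = {"value": {}, "list": {}}
    for claim, name in config["ClaimMappings"].items():
        if claim in id_token_claims:
            mapped["value"][name] = id_token_claims[claim]
    for claim, name in config["ListClaimMappings"].items():
        raw = id_token_claims.get(claim, [])  # assumption: missing -> empty
        mapped["list"][name] = list(raw) if isinstance(raw, list) else [raw]
    return mapped


# Only the "<value> in list.<name>" selector form from this page is supported.
_IN_LIST = re.compile(r'^\s*"?([^"\s]+)"?\s+in\s+list\.(\w+)\s*$')


def selector_matches(selector, mapped):
    """Evaluate the selector against the mapped claims."""
    m = _IN_LIST.match(selector)
    if not m:
        raise ValueError(f"unsupported selector form: {selector!r}")
    needle, list_name = m.group(1), m.group(2)
    return needle in mapped["list"].get(list_name, [])


def bound_role(id_token_claims, config=AUTH_METHOD_CONFIG, rule=BINDING_RULE):
    """Return the role the binding-rule binds, or None if the rule does not
    match (the user is not in the required group)."""
    mapped = map_claims(id_token_claims, config)
    if rule["bind_type"] == "role" and selector_matches(rule["selector"], mapped):
        return rule["bind_name"]
    return None


if __name__ == "__main__":
    # Constructed sample claims, as Okta would put them in the ID token.
    alice = {"first_name": "Alice", "last_name": "Doe", "groups": ["nomad", "engineering"]}
    bob = {"first_name": "Bob", "last_name": "Roe", "groups": ["finance"]}
    print("alice ->", bound_role(alice))  # oidc-role
    print("bob   ->", bound_role(bob))    # None
    # Okta registered only the UI redirect URI: the CLI callback is then missing.
    print(redirect_uris_match(
        ["http://localhost:4646/ui/settings/tokens"],
        AUTH_METHOD_CONFIG["AllowedRedirectURIs"]))
```

Run it as a script to see both checks. The redirect comparison is deliberately a plain set difference: a trailing slash, a different port, or http versus https on either side is enough to make the real login fail, so the comparison must be exact rather than "close enough".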
Testing the Access:
Log in to the Nomad UI, click Sign-in, then sign in with Okta4Nomad using SSO, as shown below:
Below is how it looks after logging in successfully:
With this, the implementation of OIDC for Nomad using Okta as the IdP is complete, and hopefully it will be beneficial for those looking to enable SSO login for Nomad using OIDC.
References:
- https://developer.hashicorp.com/nomad/tutorials/access-control/sso-oidc-auth0
- https://developer.okta.com/docs/concepts/oauth-openid