On Wed, Nov 09, 2022 at 08:09:16PM -0000, Russ Long via FreeIPA-users wrote:
Hello,
I am working on a test environment to test the integration of Okta as an external IDP.
According to the docs, this is supported; however, there is no Okta-specific documentation
that I can find.
Hi,
Which version of SSSD are you using? Some fixes that affect Okta as well
were added recently, see e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=2111388.
bye,
Sumit
I have Okta configured as follows:
[root@ipa-primary ~]# ipa idp-show okta
Identity Provider server name: okta
Authorization URI: https://ORGNAME.okta.com/oauth2/v1/authorize
Device authorization URI: https://ORGNAME.okta.com/oauth2/v1/device/authorize
Token URI: https://ORGNAME.okta.com/oauth2/v1/token
User info URI: https://ORGNAME.okta.com/oauth2/v1/userinfo
Client identifier: CLIENTID
Scope: openid email
External IdP user identifier attribute: email
I also have the Secret configured, as the Okta side is configured to require the secret.
When I attempt to perform a login operation using a user configured for this external
IDP, I get the following errors (partially redacted for brevity and security):
Nov 09 14:58:43 ipa-primary.ipa.DOMAIN.COM oidc_child[5749]: libcurl: > POST /oauth2/v1/device/authorize HTTP/2
Host: ORGNAME.okta.com
user-agent: SSSD oidc_child/0.0
accept: application/json
content-length: 49
content-type: application/x-www-form-urlencoded
Nov 09 14:58:43 ipa-primary.ipa.DOMAIN.COM oidc_child[5749]: {"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}
Is there any Okta-specific documentation I can reference, or does anyone know where my
configuration issue may be?
Thanks,
Russ