Tutorial: Integrate Okta with Access Server via LDAP

Abstract

Okta can be integrated with Access Server over LDAP. This requires asking Okta to add the LDAP Interface feature to your Okta account.

Overview

The following pieces will make up the LDAP integration between Okta and OpenVPN Access Server:

  • An active LDAP Interface in your Okta directory integrations.

  • An Okta Read Only admin account as your bind user.

  • Defining the configuration for the bind in Access Server.

(Figure: integrate-okta-ldap.jpg)

Prerequisites

  • An installed Access Server.

  • An Okta directory.

Create the Okta bind user

  1. Sign in to the Okta Admin Console with Super admin privileges.

  2. Click Directory > People.

  3. Click Add Person and enter a username to distinguish them as the LDAP bind user.

  4. After activating the user, click Security > Administrators.

  5. Click Add Administrator and type your new user's name in the Grant administrator role to field.

  6. Click Read Only Administrator.

  7. Click Add Administrator.

Enable the LDAP Interface in Okta

  1. Sign in to the Okta Admin Console with Super admin privileges.

  2. Click Directory > Directory Integrations.

  3. Click Add LDAP Interface.

    Tip

    If this isn't an option, you must request it from Okta Support.

  4. From the LDAP Interface page, you'll find most of the settings necessary for the configuration in Access Server.

    (Figure: integrate-okta-LDAP-DN.jpg)

Configure LDAP in Access Server

  1. Sign in to the Admin Web UI.

  2. Click Authentication > LDAP.

  3. Fill in the LDAP settings with the following information from Okta:

    Primary Server, Host Name: <org_subdomain>.ldap.okta.com

    Use SSL to connect to LDAP servers: Yes

    Credentials for Initial Bind: Use these credentials = Yes

    Bind DN: uid=<bind user email>, dc=<org_subdomain>, dc=okta, dc=com

    Password: the bind user's Okta password.

    Base DN for User Entries: OU=Users, DC=<org_subdomain>, DC=okta, DC=com

    Username Attribute: uid

    Additional LDAP Requirements: optional parameters that narrow the user search, for example to members of a specific group: memberOf=CN=<group>, OU=groups, DC=<org_subdomain>, DC=okta, DC=com

Users can now sign in with their Okta credentials.
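The settings above are mostly strings built from the Okta org subdomain, the bind user and an optional group. The following example, added here and not part of the OpenVPN or Okta documentation, derives those strings for a placeholder tenant and shows the kind of search filter a login produces, with RFC 4515 escaping applied to the username so a value typed at the VPN prompt cannot alter the filter. It assumes Access Server ANDs the username match with the Additional LDAP Requirements field; the exact filter it sends is not described on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Characters that must be hex-escaped inside an LDAP filter value (RFC 4515), so a
# username typed at the VPN login prompt cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Return value with RFC 4515 filter metacharacters escaped."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

@dataclass(frozen=True)
class OktaLdapSettings:
    """Access Server LDAP form fields derived from one Okta tenant (all values are placeholders)."""
    org_subdomain: str              # the <org_subdomain> part of <org_subdomain>.okta.com
    bind_user_email: str            # the Read Only admin created as the bind user
    group_cn: Optional[str] = None  # optional Okta group that VPN users must belong to

    @property
    def host(self) -> str:
        return f"{self.org_subdomain}.ldap.okta.com"

    @property
    def bind_dn(self) -> str:
        # The docs write DNs with a space after each comma; LDAP accepts either form.
        return f"uid={self.bind_user_email},dc={self.org_subdomain},dc=okta,dc=com"

    @property
    def base_dn(self) -> str:
        return f"OU=Users,DC={self.org_subdomain},DC=okta,DC=com"

    @property
    def additional_requirements(self) -> Optional[str]:
        """Value for 'Additional LDAP Requirements', or None when no group restriction is wanted."""
        if self.group_cn is None:
            return None
        cn = escape_filter_value(self.group_cn)  # a group name is a filter value too
        return f"memberOf=CN={cn},OU=groups,DC={self.org_subdomain},DC=okta,DC=com"

def user_search_filter(settings: OktaLdapSettings, username: str) -> str:
    """Filter for a login by `username`: the uid match ANDed with the extra requirement, if any.

    Assumption: Access Server combines the two form fields this way; the exact filter it
    sends is not described on the page.
    """
    clauses = [f"(uid={escape_filter_value(username)})"]
    if settings.additional_requirements:
        clauses.append(f"({settings.additional_requirements})")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
```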