Integrate Okta with OpenVPN Access Server via LDAP

Introduction

Okta can be integrated with OpenVPN Access Server over LDAP. This requires having the LDAP Interface feature added to your Okta account.

The following pieces will make up the LDAP integration between Okta and OpenVPN Access Server:

  • An active LDAP Interface in your Okta directory integrations
  • An Okta Read Only admin account as your bind user
  • Defining the configuration for the bind in OpenVPN Access Server

Create a bind user

  1. Sign in to the Okta Admin console with Super admin privileges and click Directory > People.
  2. Click on Add Person and create a user whose name makes it clear that it is the LDAP bind user.
  3. After you have activated the user, click on Security > Administrators.
  4. Click on Add Administrator and begin typing your new user’s name in the “Grant administrator role to” field.
  5. Click the Read Only Administrator box for “Administrator roles” and click on Add Administrator.

Enable LDAP interface with Okta

  1. Sign in to the Okta Admin console with Super admin privileges and click Directory > Directory Integrations.
  2. Click on Add LDAP Interface. (If this isn’t an option, you will need to request it from Okta Support.)
  3. The LDAP Interface page shows most of the settings needed for the configuration in OpenVPN Access Server.

Set up LDAP in OpenVPN Access Server

  1. Sign in to the Admin Web UI of your OpenVPN Access Server and click on Authentication > LDAP.
  2. Click on Use LDAP then Update Running Server to change from Local to LDAP authentication.
  3. Fill in the LDAP Settings with the following information from Okta:
     Primary Server Host Name: <org_subdomain>.ldap.okta.com
     Use SSL to connect to LDAP servers: Yes
     Credentials for Initial Bind: Use these credentials = Yes
     Bind DN: uid=<bind user email>,dc=<org_subdomain>,dc=okta,dc=com
     Password: the bind user’s Okta password
     Base DN for User Entries: OU=Users,DC=<org_subdomain>,DC=okta,DC=com
     Username Attribute: uid
     Additional LDAP Requirement: optional extra filter, for instance to allow only members of a specific group: memberOf=CN=<group>,OU=groups,DC=<org_subdomain>,DC=okta,DC=com
  4. Click on Save Settings, then Update Running Server to finish the configuration.
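As an added example (not part of the original article or of the Access Server product), this Python helper derives the Bind DN, Base DN and group filter for the form above from your org subdomain, applying RFC 4514 DN escaping and RFC 4515 filter escaping so that a group name containing a comma or parentheses still matches, and builds an ldapsearch command to verify the bind over LDAPS before the running server is switched to LDAP. The org subdomain, bind user, group name and e-mail addresses are placeholders; the OU names "Users" and "groups" are taken from the page, with attribute types written in lowercase (LDAP treats them case-insensitively).

```python
import shlex

DN_SPECIAL = '"+,;<>\\'  # must be backslash-escaped inside a DN attribute value (RFC 4514 2.4)
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}  # RFC 4515 3

def escape_dn_value(value):
    """Escape one RDN attribute value, including a leading '#'/space and a trailing space."""
    chars = ["\\" + c if c in DN_SPECIAL else c for c in value]
    if chars and chars[0] in ("#", " "):
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)

def escape_filter_value(value):
    """Escape a value that is embedded in an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(c, c) for c in value)

def okta_dn(org_subdomain, *rdns):
    """Join (attribute, value) pairs onto the Okta LDAP Interface suffix dc=<org_subdomain>,dc=okta,dc=com."""
    parts = ["%s=%s" % (attr, escape_dn_value(val)) for attr, val in rdns]
    return ",".join(parts + ["dc=" + escape_dn_value(org_subdomain), "dc=okta", "dc=com"])

def access_server_ldap_settings(org_subdomain, bind_user_email, group=""):
    """Values for the Access Server LDAP form, keyed by the field names used on this page."""
    settings = {
        "Primary Server Host Name": org_subdomain + ".ldap.okta.com",
        "Bind DN": okta_dn(org_subdomain, ("uid", bind_user_email)),
        "Base DN for User Entries": okta_dn(org_subdomain, ("ou", "Users")),
    }
    if group:
        # memberOf compares against a DN: the group name gets DN escaping, then the whole DN gets filter escaping.
        group_dn = okta_dn(org_subdomain, ("cn", group), ("ou", "groups"))
        settings["Additional LDAP Requirement"] = "memberOf=" + escape_filter_value(group_dn)
    return settings

def ldapsearch_check(org_subdomain, bind_user_email, test_user_email):
    """Shell command that binds as the bind user over LDAPS and looks up one user (-W prompts for the password)."""
    s = access_server_ldap_settings(org_subdomain, bind_user_email)
    args = ["ldapsearch", "-H", "ldaps://%s:636" % s["Primary Server Host Name"], "-x", "-W", "-D", s["Bind DN"],
            "-b", s["Base DN for User Entries"], "(uid=%s)" % escape_filter_value(test_user_email), "uid", "memberOf"]
    return " ".join(shlex.quote(a) for a in args)

if __name__ == "__main__":  # placeholder org subdomain, bind user and group, not real Okta values
    print(access_server_ldap_settings("acme", "ldap.bind@acme.example", "VPN Users"))
    print(ldapsearch_check("acme", "ldap.bind@acme.example", "jane@acme.example"))
```

Run the printed ldapsearch command from a host with the OpenLDAP client tools installed: a wrong Bind DN or password then shows up as an LDAP bind error instead of as failed VPN logins after the switch to LDAP authentication.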

User can now log in

When users log in through the OpenVPN Client UI, they can now authenticate with their Okta credentials.

Troubleshooting

If you encounter errors, refer to our LDAP troubleshooting guide for help.