This section will guide you through using Okta as an OIDC provider for Kubeflow.

What You’ll Need


  1. Sign in to the Okta admin console with your admin account.

  2. From your admin console expand the Applications tab and select Applications on the left sidebar.

  3. Then, select Create App Integration.

  4. For the new app integration, follow the a-i steps below.

    1. Select the OIDC - OpenID Connect as the Sign-in method.

    2. Select the Web Application as the Application type .

    3. Click Next.

    4. Give the proper App integration name for your application, for example Kubeflow.

    5. Under the Grant type section enable Refresh Token.

    6. Under the Sign-in redirect URIs section click on the +Add URI button.

    7. Enter https://<FQDN>/authservice/oidc/callback. Replace <FQDN> with the FQDN of cluster, for example, arrikto-cluster.apps.example.com. In this case, the sign-in redirect URI is https://arrikto-cluster.apps.example.com/authservice/oidc/callback

    8. Under the Assignments section select the Allow everyone in your organization to access option.

    9. Click Save.

  5. Click on the General tab for your application.

    1. Under the Client Credentials section you can find both the CLIENT ID, and CLIENT SECRET.

    2. Click on the Copy to clipboard icon for the Client ID field and copy this value to your clipboard.

    3. Under the CLIENT SECRETS subsection, click on the Copy to clipboard icon to copy the client secret of your application to your clipboard.

    4. In the upper-right corner of the dashboard, click on the drop-down menu labeled with your email, and copy the Okta domain.

  6. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  7. Specify the client ID:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=<CLIENT_ID>

    Replace <CLIENT_ID> with the client ID you copied in step 5b.

  8. Specify the client secret:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=<CLIENT_SECRET>

    Replace <CLIENT_SECRET> with the client secret you copied in step 5c.

  9. Render the AuthService credentials:

    root@rok-tools:~/ops/deployments# j2 \ > kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env
  10. Set the public URL of your EKF installation:

    root@rok-tools:~/ops/deployments# export FQDN=<FQDN>

    Replace <FQDN> with your installation’s public URL. For example:

    root@rok-tools:~/ops/deployments# export FQDN=arrikto-cluster.apps.example.com
  11. Set the public URL of your application:

    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=https://<OKTA_DOMAIN>

    Replace <OKTA_DOMAIN> with the Okta domain URL you copied in step 5d.

  12. Configure AuthService to convert user emails to usernames:

    root@rok-tools:~/ops/deployments# export \ > USERID_TRANSFORMERS='[{"matches": "@<DOMAIN>", "replaces": "" }]'

    Replace <DOMAIN> with the domain of your organization. For example:

    root@rok-tools:~/ops/deployments# export \ > USERID_TRANSFORMERS='[{"matches": "@example\\.com", "replaces": "" }]'

    Make sure to include \\. With this example domain, AuthService will convert user IDs like user@example.com into user.


    USERID_TRANSFORMERS accepts a JSON formatted list of UserID transformation rules with the following format:

    USERID_TRANSFORMERS=[{"matches": "regex", "replaces": "value" }]

    AuthService will transform the UserID by finding the first transformation rule that matches regex and replacing it with value.

  13. Set the default Okta settings:

    root@rok-tools:~/ops/deployments# export USERID_CLAIM=preferred_username
    root@rok-tools:~/ops/deployments# export OIDC_SCOPES=profile,openid,offline_access
    root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=https://${FQDN?}/authservice/
    root@rok-tools:~/ops/deployments# export TEMPLATE_PATH=''
  14. Render the AuthService configuration:

    root@rok-tools:~/ops/deployments# j2 \ > kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \ > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env
  15. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit \ > -am "Use the Okta OIDC provider for Kubeflow authentication"
  16. Apply the manifests:

    root@rok-tools:~/ops/deployments# rok-deploy \ > --apply kubeflow/manifests/common/oidc-authservice/overlays/deploy
  17. Restart the Pods manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice


  1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

    root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice NAME READY STATUS RESTARTS AGE authservice-0 1/1 Running 0 13s
  2. Log in with your Okta credentials at <FQDN>, where <FQDN> is the public URL of your EKF installation. For example, https://arrikto-cluster.apps.example.com.


You have successfully configured your EKF installation to allow users to log in with their Okta credentials.

What’s Next

Check out the rest of the services you can integrate Arrikto EKF with.