Okta Integration

These instructions will help administrators configure Fiddler for use with an existing Okta single sign-on application.

Okta Setup:

To start, create an OIDC-based application in Okta. During the setup process, you will need to provide a callback URL, which will be supplied by your Fiddler services team. Make sure your application is configured to grant "Authorization Code" permissions for a client that acts on behalf of a user. Refer to the image below for an example of how your setup may appear:

At this point grant access to Fiddler for specific users within your organization through Okta. Use the "Group Assignments" field to select distinct groups of organization members who require Fiddler access. Additionally, this setup stage supports Role-Based Access Control (RBAC), enabling you to manage access based on designated groups within your application.

Once your application has been set up, your Fiddler services team requires the following details to complete the integration:

• Okta domain

• Client ID

• Client Secret

• Okta Account Type (default or custom)

This information can be accessed from your Okta application dashboard, as illustrated in the images below.

Another option for providing this information to your Fiddler services team is by sharing your okta.yml file.

Deployment instructions

Step 1 Create a <secret-filename>.yaml file with the following template

apiVersion: v1
kind: Secret
metadata:
  name: fiddler-sso-okta-credentials
  namespace: <NAMESPACE_NAME>
data:
  sso-okta-issuer: <OKTA_ISSUER> # https://<okta_domain>/oauth2/default
  sso-okta-authorize-url: <AUTHORIZE_URL> # https://<okta_domain>/oauth2/default/v1/authorize
  sso-okta-token-url: <TOKEN_URL> # https://<okta_domain>/oauth2/default/v1/token
  sso-okta-user-info-url: <USER_INFO_URL> # https://<okta_domain>/oauth2/default/v1/userinfo
  sso-okta-client-id: <CLIENT_ID>
  sso-okta-client-secret: <CLIENT_SECRET>
  sso-okta-domain: <DOMAIN> # your okta domain
  authorization-type: <AUTHORIZATION_TYPE> # default
type: Opaque

📘 All the values must be base64 encoded

On Mac OS X you can run echo -n "string to be encoded" | base64 to get the encoded value

📘 Do not use doubles quotes

Don’t use doubles quotes anywhere in values in above yaml. In above example, it is written set to “true” - the value is true and not “true”.

Step 2 Update the Kubernetes secret in the namespace of that cluster using the above file.

kubectl apply -f <secret-filename>.yaml -n fiddler

Step 3 Update the Helm variable fiddler.auth.sso.provider and fiddler.auth.sso.azuread.secretName with azuread and fiddler-sso-azuread-credentials value. If you are using the helm values file, use the following settings.

fiddler:  
  auth:  
    sso:  
      provider: okta  
      azuread:  
        secretName: fiddler-sso-okta-credentials

📘 Once the deployments are updated, the new SSO settings will be applied.

Logging into Fiddler:

Once an administrator has successfully created a deployment for your organization using your Okta credentials, you should see the “Sign in with SSO” button enabled. You should be able to navigate to an Okta login screen when you click this button. Once successfully authenticated, and assuming you have been granted access to Fiddler through Okta, you should be able to log in to Fiddler.

NOTES:

1. To log in using SSO, users must first register with Fiddler using the invitation link provided by their Fiddler Org Admin unless an Authorization automation process has been configured to auto-provision users on first SSO login. Check with your Fiddler services team for more details.

2. The information Fiddler stores for Okta-based logins is a user’s first name, last name, email address, and OIDC token.

3. Fiddler does not support using Okta authentication directly with Fiddler APIs. A valid access token is required which can be created and copied from the “Credentials” tab on Fiddler’s “Settings” page.