Okta
Configure Okta as a single sign-on (SSO) provider for Seqera Platform using OpenID Connect.
Prerequisites
Before you begin, you need:
- An Okta organization
- Administrator access to create applications
Ensure you know how to create Okta app integrations. See Okta's documentation on creating OIDC app integrations for more information.
Create an Okta app integration
1. In the Admin Console, go to Applications > Applications.
2. Select Create App Integration.
3. Select OIDC - OpenID Connect as the sign-in method and Web Application as the application type.
4. Enter a name for the app, e.g., `Seqera`.
5. Set the sign-in redirect URI to `https://<HOST>/oauth/callback/oidc` (must be HTTPS), replacing `<HOST>` with your enterprise installation hostname.
6. Set the sign-out redirect URI to `https://<HOST>/logout`.
7. Note the Client ID and Client secret from the application settings.
8. Note the Issuer URL from Sign On > OpenID Connect ID Token.
Configure Seqera
Add the following environment variables to your Seqera configuration:
| Variable | Description |
|---|---|
| `TOWER_OIDC_CLIENT` | The client ID from step 7 |
| `TOWER_OIDC_SECRET` | The client secret from step 7 |
| `TOWER_OIDC_ISSUER` | The issuer URL from step 8 |
Note: Connection strings can differ based on the issuer type. Verify the issuer URL via the Okta console.
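A pre-flight check for these three variables, as an added example that is not part of Seqera's or Okta's own code: it confirms the values are set and that the issuer advertised in the provider's OIDC discovery metadata matches `TOWER_OIDC_ISSUER` exactly. The function names, the `dev-000000.okta.example` tenant, the client ID and the secret are constructed placeholders; the `/.well-known/openid-configuration` path is the standard OIDC Discovery location.

```python
import json
from urllib.parse import urlsplit

REQUIRED = ("TOWER_OIDC_CLIENT", "TOWER_OIDC_SECRET", "TOWER_OIDC_ISSUER")

def discovery_url(issuer):
    """OIDC Discovery 1.0: metadata is served at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def redirect_uris(host):
    """Sign-in and sign-out redirect URIs to register in Okta for a Seqera hostname."""
    return (f"https://{host}/oauth/callback/oidc", f"https://{host}/logout")

def check_oidc_config(env, discovery_json):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for name in REQUIRED:
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} is not set")
        elif value != value.strip():
            problems.append(f"{name} has leading or trailing whitespace")
    issuer = env.get("TOWER_OIDC_ISSUER", "")
    if not issuer:
        return problems
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("TOWER_OIDC_ISSUER must be an absolute https URL")
    # OIDC Discovery requires the advertised issuer to be identical to the issuer URL
    # (plain string comparison, so a stray trailing slash counts as a mismatch).
    advertised = json.loads(discovery_json).get("issuer")
    if advertised != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, advertised {advertised!r}")
    return problems

# Constructed sample values (placeholders, not real tenants or credentials).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-000000.okta.example/oauth2/default",
    "authorization_endpoint": "https://dev-000000.okta.example/oauth2/default/v1/authorize",
})
SAMPLE_ENV = {
    "TOWER_OIDC_CLIENT": "0oa-constructed-client-id",
    "TOWER_OIDC_SECRET": "constructed-secret",
    "TOWER_OIDC_ISSUER": "https://dev-000000.okta.example/oauth2/default/",
}

if __name__ == "__main__":
    print("register in Okta:", redirect_uris("seqera.example.com"))
    print("fetch metadata from:", discovery_url(SAMPLE_ENV["TOWER_OIDC_ISSUER"]))
    for problem in check_oidc_config(SAMPLE_ENV, SAMPLE_DISCOVERY):
        print("PROBLEM:", problem)
```

In practice the discovery JSON is the response body fetched from the URL that `discovery_url` returns; the sample above embeds a constructed one so the check runs offline.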
Restrict access
To restrict access to specific email addresses or domains, configure an allow list in `tower.yml`:

```yaml
tower:
  auth:
    oidc:
      allow-list:
        - "*@your-company.example.com"
        - "specific-user@another-company.example.net"
```
See User access allow list for more information.