Okta SSO Configuration

Written By Dan Crawford

Last updated 6 days ago

PGP Single Sign-On (SSO) with Okta

PGP supports Single Sign-On through Okta integration. This guide will walk you through the setup process, which involves verifying your domain ownership, creating an Okta application, and configuring the integration in PGP. You'll need three key pieces of information to complete the setup: 

  • Client ID

  • Client Secret

  • Issuer URL

Domain Verification

The first step is to verify ownership of your domain by adding a DNS TXT record. Open your domain's DNS settings or management interface, where you will add a TXT record. The record follows the format "PGP=<email>", where <email> is your primary PGP account email address. The SSO setup pop-up will show the exact value that needs to be added to the DNS record:

In your DNS management interface, add the TXT record at the root of your domain. For example, if your domain is YourDomain.com and the record is set at the root level (@), you would add a TXT record with the value "PGP=YourPrimaryEmail@email.com". You can copy and paste this value from the PGP setup pop-up:

Once set, your DNS TXT record might look something like this:

  Domain: YourDomain.com

  Host    Record type    Value
  @       TXT            "PGP=YourPrimaryEmail@email.com"

To verify that your record has been published, run dig +short TXT YourDomain.com on a Mac or nslookup -type=TXT YourDomain.com on Windows, and look for your record in the output.
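The following script is an added example, not part of the original guide or of PGP itself: it wraps the dig check above in a small function that ignores unrelated TXT records (an SPF record, for instance) and only reports success when the exact "PGP=<email>" string is present. The sample dig output it tests against is constructed here; the check_domain function assumes dig is installed and performs the live query.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm the "PGP=<email>" TXT record
# is published at the root of the domain before starting the Okta integration.

# Return 0 if the expected record "PGP=<email>" appears among the TXT strings read on stdin.
# dig +short prints each TXT record in double quotes; other records (e.g. SPF) are ignored
# because -x requires the whole line to match and -F treats the value as a fixed string.
txt_has_pgp_record() {
    expected="PGP=$1"
    tr -d '"' | grep -qxF -- "$expected"
}

# Live check: query the root (@) of the domain and look for the record.
# Assumes dig is available; not run by default.
check_domain() {
    domain="$1"
    email="$2"
    dig +short TXT "$domain" | txt_has_pgp_record "$email"
}

# Constructed sample of what "dig +short TXT YourDomain.com" might print once the
# record has propagated, alongside an unrelated SPF record.
SAMPLE_OUTPUT='"v=spf1 include:_spf.example.net -all"
"PGP=YourPrimaryEmail@email.com"'

if printf '%s\n' "$SAMPLE_OUTPUT" | txt_has_pgp_record "YourPrimaryEmail@email.com"; then
    echo "PGP verification record found"
else
    echo "PGP verification record not found (wait for DNS propagation and retry)"
fi
```

For a real domain, call check_domain YourDomain.com YourPrimaryEmail@email.com; a non-zero exit means the record is not yet visible to the resolver dig is using, which is the same view PGP's verification will get.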

Creating and Configuring the Okta Application

Begin by logging into your Okta admin dashboard at login.okta.com. Navigate to the Applications section and create a new app integration. When configuring the application, select "OIDC - OpenID Connect" as your sign-in method and "Web Application" as your application type.

Click Next at the bottom.

Name your application "PGP" and configure the redirect URIs. The sign-in redirect URI should be set to https://praetorian-PGP.auth.us-east-2.amazoncognito.com/oauth2/idpresponse, and the sign-out redirect URI should be https://PGP.praetorian.com/login. Remember to configure access for any users who will need to access PGP via SSO - this can be done under Assignments.

Optional Okta Tile Configuration

You may want to configure the PGP Okta tile for easier access. In your application's General Settings, configure the login settings to allow initiation from either Okta or the app, enable the application icon display for users, and set the login flow to redirect to the app. Set the initiate login URI to https://PGP.praetorian.com/login.

Here's the step-by-step:

1. Under General > General Settings click the Edit link.

2. Under General > Login update the following settings:

  • Login initiated by - Either Okta or App.

  • Application visibility - ensure that “Display application icon to users” is enabled.

  • Login flow - choose “Redirect to app to initiate login (OIDC Compliant)”.

  • Initiate login URI - set to “https://PGP.praetorian.com/login”.

3. Hit “Save” to confirm your configuration changes.

Integrating with PGP

To complete the integration, log in to PGP using your existing credentials at https://PGP.praetorian.com/login. Click Settings on the bottom left menu then the Account Settings tab. From there, you can begin the SSO setup process.

You'll need to provide several pieces of information: your email domain (such as "praetorian.com"), the Client ID and Client Secret (found in your Okta application's Client Credentials section), and your Issuer URL (your Okta login base URL, like "https://companyname.okta.com"). You can find the Client ID and Client Secret here:

Fill out the pop-up with the appropriate information:

Once you have filled in all of the fields, hit Save. Your users should now be able to log in to PGP using Okta as their identity provider.
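Before pasting the Issuer URL into the PGP pop-up, it is worth confirming that it is exactly what your Okta org advertises, since an issuer that differs even by a trailing slash will cause OIDC token validation to fail. The script below is an added example, not part of the original guide or of PGP: it fetches the standard OpenID Connect discovery document (<issuer>/.well-known/openid-configuration) and compares its "issuer" field with the configured value. The discovery document embedded here is constructed, with companyname.okta.com taken from the guide's placeholder; check_live assumes curl is installed.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the Issuer URL before
# entering it in PGP. The configured value must equal the "issuer" field of the Okta
# discovery document (same scheme and host, no trailing slash).

# Strip trailing slashes so "https://companyname.okta.com/" compares equal to the bare form.
normalize_issuer() {
    printf '%s\n' "$1" | sed 's#/*$##'
}

# Extract the issuer field from a discovery document read on stdin
# (single-line JSON, as Okta returns it).
discovery_issuer() {
    sed -n 's/.*"issuer" *: *"\([^"]*\)".*/\1/p'
}

# Return 0 when the configured issuer matches what the discovery document on stdin advertises.
issuer_matches() {
    configured=$(normalize_issuer "$1")
    advertised=$(discovery_issuer)
    [ -n "$advertised" ] && [ "$configured" = "$advertised" ]
}

# Live check against your Okta org (assumes curl; not run by default).
check_live() {
    issuer=$(normalize_issuer "$1")
    curl -fsS "$issuer/.well-known/openid-configuration" | issuer_matches "$issuer"
}

# Constructed sample discovery document; companyname.okta.com is the guide's placeholder.
SAMPLE_DISCOVERY='{"issuer":"https://companyname.okta.com","authorization_endpoint":"https://companyname.okta.com/oauth2/v1/authorize","token_endpoint":"https://companyname.okta.com/oauth2/v1/token"}'

if printf '%s\n' "$SAMPLE_DISCOVERY" | issuer_matches "https://companyname.okta.com/"; then
    echo "issuer matches: use https://companyname.okta.com as the Issuer URL"
else
    echo "issuer mismatch: check the Okta org URL before saving"
fi
```

Run check_live https://companyname.okta.com against your own org; if it fails, the value you were about to paste is not the issuer Okta will put into its ID tokens, and sign-in would be rejected after the redirect.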

Post-Setup Information

Once the setup is complete, users can access PGP through the Sign in with SSO portal on the login page.

It's worth noting that you can remove the DNS TXT record after completing the SSO setup. However, if you need to make any changes to the SSO configuration, such as rotating secrets, you'll need to temporarily re-add the TXT record during the configuration process.

If you encounter any difficulties during setup or need assistance with SSO, reach out to support@praetorian.com for help.

By following these steps, you'll establish a secure and convenient SSO connection between your Okta instance and PGP, allowing for streamlined access management and improved user experience.