YubiEnroll with Okta

The following describes how to set up YubiEnroll in the Okta tenant and configure the required user permissions.

Configuration Steps

The configuration steps involve the following:

  1. Registering the YubiEnroll application in Okta.
  2. Configuring the YubiEnroll permissions in Okta.
  3. Adding the Okta provider in YubiEnroll.

When you have successfully completed these steps, you are ready to enroll YubiKeys on behalf of end users in your organization.

Registering the YubiEnroll App

When configuring the Okta provider in YubiEnroll, the following parameter values are needed:

  • client_id
  • domain
  • redirect_uri

These parameter values are created when registering the YubiEnroll (OAuth) application in Okta. To register the YubiEnroll app, open the Admin Console, go to Applications > Applications, and click Create App Integration.

  • When registering YubiEnroll, select “OIDC - OpenID Connect” as the Sign-in method and “Native Application” as the Application type in the Create new app integration dialog.

    [Figure: okta-new-app-integration.png, the Create new app integration dialog]
  • When adding the redirect URI in the New Native App Integration dialog, the Sign-in redirect URI must start with “http://localhost” and include an explicit port, for example “http://localhost:8080/yubienroll-redirect”.

  • Select the “Refresh Token” option under Grant type > Core Grants so that YubiEnroll is issued a refresh token and can renew its access token when it expires.

    [Figure: okta-app-refresh-token1.png, the Grant type settings with Refresh Token selected]

For more details on how to register the YubiEnroll app, see Create an OAuth 2.0 app in Okta (Okta documentation).

During registration, the following values needed to configure YubiEnroll are created:

  • Application (client) ID
  • Okta domain (tenant ID)
  • Sign-in redirect URI

Configuring Permissions

The permissions required by YubiEnroll in Okta are “okta.users.manage” and “okta.users.read”. To grant them, open the YubiEnroll app in Okta, select the “Okta API scopes” tab, locate the two scopes and click Grant next to each of them.

[Figure: okta-permissions.png, the Okta API scopes tab with the two scopes granted]

To enroll on behalf of an end user, the user performing the enrollment (for example an IT admin) must hold the Super Administrator, Group Administrator, or Organization Administrator role in Okta.

Adding the Okta Provider

Before you can run YubiEnroll with Okta, you must add the provider configuration in YubiEnroll.

When adding a provider configuration in YubiEnroll you will need the following values, created when the app was registered:

  • Application (client) ID
  • Okta domain (tenant ID)
  • Redirect URI

The “Client ID” and “Redirect URI” are shown on the General tab of the YubiEnroll app in the Applications view in Okta. The “Okta Domain (tenant ID)” is shown in the Okta admin dashboard: click the admin profile in the upper right corner and it is displayed under the email address.
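The three values above are easy to mistype, and the loopback redirect rule from the registration step is the one most often missed. The following is an added example, not YubiEnroll's or Okta's own code: it checks a provider configuration against the rules this page states (non-empty client ID, a bare Okta domain, a redirect URI that starts with http://localhost and carries a port), derives a PKCE verifier/challenge pair as a native OIDC app does, and builds the authorization request to Okta's org authorization server with the two API scopes from the Configuring Permissions section. The `openid` and `offline_access` scopes and the `/oauth2/v1/authorize` path are standard Okta OIDC; the configuration values in `SAMPLE_CONFIG` are constructed, and the function names are the example's own.

```python
"""Sanity checks for a YubiEnroll Okta provider configuration (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Okta API scopes the page says YubiEnroll must be granted.
REQUIRED_API_SCOPES = ("okta.users.manage", "okta.users.read")

# Constructed sample values, not from a real tenant.
SAMPLE_CONFIG = {
    "client_id": "0oaEXAMPLEclientid",
    "domain": "dev-123456.okta.com",
    "redirect_uri": "http://localhost:8080/yubienroll-redirect",
}


def validate_provider_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config looks usable."""
    problems = []

    if not (cfg.get("client_id") or "").strip():
        problems.append("client_id is empty")

    # The Okta domain is a host name (e.g. dev-123456.okta.com), not a URL.
    domain = cfg.get("domain") or ""
    if not domain or "://" in domain or "/" in domain:
        problems.append("domain must be a bare host name such as example.okta.com")

    # Rule from the registration step: the sign-in redirect URI must start with
    # http://localhost and specify a port.
    redirect = urlparse(cfg.get("redirect_uri") or "")
    if redirect.scheme != "http" or redirect.hostname != "localhost":
        problems.append("redirect_uri must start with http://localhost")
    elif redirect.port is None:
        problems.append("redirect_uri must specify a port, e.g. http://localhost:8080/...")

    return problems


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge for a PKCE verifier (RFC 7636): base64url(sha256) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """Generate a fresh high-entropy verifier and its matching challenge."""
    verifier = secrets.token_urlsafe(64)
    return verifier, pkce_challenge(verifier)


def authorization_url(cfg: dict, state: str, code_challenge: str) -> str:
    """Build the authorization-code request a native OIDC app sends to Okta.

    Okta API scopes such as okta.users.manage are only issued by the org
    authorization server (/oauth2/v1), so that endpoint is used here.
    offline_access asks for the refresh token enabled under Core Grants.
    """
    params = {
        "client_id": cfg["client_id"],
        "response_type": "code",
        "redirect_uri": cfg["redirect_uri"],
        "scope": " ".join(("openid", "offline_access") + REQUIRED_API_SCOPES),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{cfg['domain']}/oauth2/v1/authorize?" + urlencode(params)


if __name__ == "__main__":
    found = validate_provider_config(SAMPLE_CONFIG)
    print("configuration problems:", found or "none")
    if not found:
        verifier, challenge = pkce_pair()
        # The verifier is kept locally and sent only with the token request.
        print(authorization_url(SAMPLE_CONFIG, secrets.token_urlsafe(16), challenge))
```

Running the script with a redirect URI such as “http://localhost/yubienroll-redirect” reports the missing port before any request is made, which is cheaper than discovering the mismatch as an Okta redirect error during the first enrollment.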

For information on how to add a provider configuration in YubiEnroll, see Adding Provider Configurations.