Is there a way to integrate Okta w/ Linux OSs without using AD?
We're looking to use Okta to provision and manage users on Linux OSs such as Ubuntu and CentOS. We're also looking to integrate Okta with MySQL Workbench. Both the Linux OSs and MySQL Workbench require an SSH tunnel.
Is there a way to do this integration without using AD?
OPC is mainly for provisioning; authentication services could be handled via a variety of other methods, SAML, API, or PAM via RADIUS, the last of which would probably be your consideration for the easiest SSH tunnel support.
1. Let's say OPC is implemented for MySQL. How will users access MySQL? Which username and password do they have to use? If the user's password has been changed in Okta, will that password automatically be changed in MySQL as well?
2. Is there a way to use Okta as IdP and Linux Server as SP without using AD? If so, please advise.
As suggested before, a more complete access solution might be better provided with a Radius server providing PAM module integration for both.
A directory is not required for SAML integration in and of itself; however, provisioning to an LDAP directory behind MySQL/Linux (which in theory could be AD, though any of the more typical Unix LDAP offerings is probably preferred) offers another option for managing the identities, with the local password stored in the directory and an SWA application.
As for SAML integration options, one consideration is to use https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall There may be other options; this is just one possible way to host a web container, configured to provide access for the Linux and MySQL web-driven interfaces, that is federation aware without having passwords stored locally on the resource being accessed.
What are the access vectors to the systems being targeted? How do users access the Linux servers and MySQL applications and services today? Web only? SSH command-line access? MySQL admin tools? What Linux OS and version are you working with? Are you working to mitigate CVE-2016-5195 or another vulnerability, or just improving general identity controls? How many servers are you working with: dozens? hundreds?
Options for where the password used is stored vary between the options. Many of the SWA/local credential options will have passwords stored local to the targeted system. SAML connections will likely be able to use the Okta password as the security challenge, and the federation channel provides its own security layer, not requiring a separate credential challenge.
We would suggest working with Okta Professional Services to identify the best course of action for either assisted or self-implemented solutions. Regards, grego
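The "PAM via RADIUS" route suggested in the reply above, rendered as a staged configuration. This is an added example, not code from the thread or from Okta. It assumes pam_radius_auth is installed (libpam-radius-auth on Ubuntu, pam_radius from EPEL on CentOS), that sshd_config contains `Include /etc/ssh/sshd_config.d/*.conf` (newer Ubuntu and RHEL 9; otherwise paste the lines into sshd_config itself), and that the RADIUS host, port 1812 and shared secret are placeholders for your own RADIUS agent. RADIUS only answers the authentication question; the account still has to exist locally (via /etc/passwd or an LDAP client), which is the part OPC-style provisioning covers.

```shell
#!/bin/sh
# Added example (not from the thread): stage the sshd + PAM configuration that
# authenticates SSH logins against a RADIUS server with pam_radius_auth.
# Everything is written under the staging root given as $1, so it can be
# inspected first and copied to / afterwards. Host, port and secret are placeholders.
set -eu

# $1 = staging root (use / to install for real), $2 = RADIUS host, $3 = shared secret
render_radius_ssh_config() {
    root=$1; radius_host=$2; secret=$3
    mkdir -p "$root/etc/pam.d" "$root/etc/ssh/sshd_config.d"

    # pam_radius_auth.conf format: "server[:port] shared_secret timeout".
    # The secret is stored in clear text, so the file must be root-only (0600).
    umask 077
    printf '%s %s 10\n' "$radius_host:1812" "$secret" > "$root/etc/pam_radius_auth.conf"
    umask 022

    # PAM stack for sshd: RADIUS is the only "auth" module, so a local password on
    # its own no longer logs anyone in. "account" still goes through pam_unix, so
    # the user must exist locally (that is what provisioning has to take care of).
    cat > "$root/etc/pam.d/sshd" <<'EOF'
auth     required  pam_radius_auth.so
account  required  pam_unix.so
session  required  pam_unix.so
EOF

    # sshd hands the login to PAM via keyboard-interactive so the RADIUS challenge
    # (for example an MFA prompt) reaches the user; plain password auth is off.
    cat > "$root/etc/ssh/sshd_config.d/50-radius.conf" <<'EOF'
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
EOF
}

# Checks to run before restarting sshd: secret file locked down, RADIUS module
# present in the auth stack, password authentication really disabled.
check_radius_ssh_config() {
    root=$1
    [ "$(stat -c '%a' "$root/etc/pam_radius_auth.conf")" = "600" ] || return 1
    grep -q '^auth[[:space:]]*required[[:space:]]*pam_radius_auth.so' "$root/etc/pam.d/sshd" || return 1
    grep -qx 'PasswordAuthentication no' "$root/etc/ssh/sshd_config.d/50-radius.conf" || return 1
}
```

Run `render_radius_ssh_config /tmp/stage radius.example.internal 'shared-secret'` to look at the output, then repeat with `/` as root and restart sshd. Keep an existing root session open and test from a second one first: a PAM stack that cannot reach the RADIUS server locks everyone out, so decide up front whether you want a local break-glass account that bypasses it.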
Thanks for sharing those details!
A few more questions to understand how OPC works:
You said previously that OPC is only for provisioning. That means we can create and delete (provision/deprovision) users through OPC.
If a user already exists in MySQL, can we import that user into Okta? Also, can we match that MySQL user to an existing Okta user? In the end, can the user sign into MySQL using Okta credentials?
Can the user import be automated both ways? Can we configure Okta to be the master?
Using OPC, must the passwords of MySQL users be stored locally, or will they be fully handled by Okta? If the user's password has been changed in Okta, will that user still be able to access MySQL using the new Okta credentials?
Thanks in advance,
This type of integration is not something we have an out of the box configuration for, as every environment is different. We highly recommend working with our Professional Services team to evaluate your requirements and outline a solution to meet your needs.
Would you be open to a call to discuss your options further with our PS team?
FYI - I tried reaching out to you via the email addresses listed in our system, but both messages were undeliverable. If you would like to discuss this further, please let me know a good email address to contact you at.
Available from the Admin Console for download. Yes, you can master identities from most any source of security technology used in the last 30 years and interconnected to most any kind of network. Connecting everything. Credentials management is flexibly managed as CISOs require for their particular organization: passwords, certificates, promoting frictionless identities, or as many policy-driven challenges as are required to meet regulatory requirements for security, with a variety of MFA factors or simple password challenges. AuthN and adaptive role alignment, built on the UD foundation of secure data-at-rest profile management, in one service: Okta.
We're interested in the same thing, with a twist. We'd like to use public RSA keys associated with the user to SSH into Linux machines. Basically, I'd like to add an SSH public key to an Okta user that would be made available via the already-on-the-roadmap Okta LDAP cloud service. I could then use SSSD to get the keys from Okta for authentication.
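The SSSD arrangement the last post describes, as an added example that is not part of the thread and not Okta's or SSSD's own code: sshd asks SSSD for the user's public keys at login, and SSSD reads them from an LDAP attribute. The ldaps:// URI, the search base, the CA bundle path (Debian/Ubuntu location) and the attribute name `sshPublicKey` (SSSD's default) are assumptions; whether Okta's LDAP interface exposes such an attribute is not established by the thread. As in the RADIUS example, the output is staged under a root directory so it can be reviewed before installation.

```shell
#!/bin/sh
# Added example (not from the thread): stage the SSSD and sshd configuration
# that makes sshd fetch a user's public keys from an LDAP directory instead of
# ~/.ssh/authorized_keys. URI, search base, CA path and attribute are placeholders.
set -eu

# $1 = staging root (use / to install for real), $2 = LDAPS URI, $3 = search base
render_ldap_sshkey_config() {
    root=$1; uri=$2; base=$3
    mkdir -p "$root/etc/sssd" "$root/etc/ssh/sshd_config.d"

    # sssd refuses to start unless sssd.conf is root-owned and mode 0600.
    umask 077
    cat > "$root/etc/sssd/sssd.conf" <<EOF
[sssd]
services = nss, pam, ssh
domains = okta

[domain/okta]
id_provider = ldap
auth_provider = ldap
ldap_uri = $uri
ldap_search_base = $base
# Attribute holding the user's OpenSSH public key(s). sshPublicKey is the SSSD
# default and an assumption about what the directory actually exposes.
ldap_user_ssh_public_key = sshPublicKey
# Verify the directory's certificate: a spoofed LDAP server could otherwise
# hand sshd any authorized key it likes. CA bundle path is the Debian/Ubuntu one.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
cache_credentials = false
EOF
    umask 022

    # sshd runs sss_ssh_authorizedkeys as an unprivileged user to look up the keys.
    # Password and keyboard-interactive logins are off, so the key is the only way in.
    cat > "$root/etc/ssh/sshd_config.d/50-sssd-keys.conf" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}

# Checks to run before restarting sssd and sshd: config permissions, TLS to the
# directory, and the lookup command actually wired into sshd.
check_ldap_sshkey_config() {
    root=$1
    [ "$(stat -c '%a' "$root/etc/sssd/sssd.conf")" = "600" ] || return 1
    grep -q '^ldap_uri = ldaps://' "$root/etc/sssd/sssd.conf" || return 1
    grep -q '^ldap_tls_reqcert = demand$' "$root/etc/sssd/sssd.conf" || return 1
    grep -q '^AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys$' \
        "$root/etc/ssh/sshd_config.d/50-sssd-keys.conf" || return 1
}
```

After installing, `sss_ssh_authorizedkeys <user>` run as root should print the keys the directory holds for that user; if it prints nothing, check `getent passwd <user>` first, since sshd only consults the command for accounts it can resolve. Removing the key from the directory revokes access at the next login attempt, which is the deprovisioning property the thread is after, but SSSD's cached identity data means the account itself may remain resolvable until the cache expires.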