https://support.okta.com/help/answers?id=9062a000000bm75qaa&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Ridha Gadhgadhi

Is there a way to integrate Okta w/ Linux OSs without using AD?

We're looking to use Okta to provision & manage users on Linux OSs such as Ubuntu and CentOS. We're also looking to integrate Okta w/ MySQL Workbench. Both the Linux OSs and MySQL Workbench require an SSH tunnel.

Is there a way to do this integration without using AD? 
Thomas Kirk (Okta, Inc.)
TL;DR: create a SCIM connector.

Okta supports this flow using our On Premise Connector (https://support.okta.com/help/articles/Knowledge_Article/46749316-On-Premises-Provisioning-Deployment-Guide). See Creating SCIM Connectors (https://support.okta.com/help/articles/Knowledge_Article/30093436-Creating-SCIM-Connectors) to set it up in your Okta org. You may need to open a support ticket to have On Premise Provisioning turned on in your org.
Ridha Gadhgadhi
Hi Thomas, Thanks so much for your prompt reply!
Can the SCIM connector be used to authenticate users connecting to Linux systems using SSH tools?

 
Gregory O'Neil (Okta)

Hello Ridha,

OPC is mainly for provisioning; authentication services could be handled via a variety of other methods (SAML, API), or using PAM via RADIUS, which would probably be your consideration for easiest SSH tunnel support.
 

Ridha Gadhgadhi
Hi Gregory,

1. Let's say OPC is implemented for MySQL; how will users access MySQL? Which username and password do they have to use? If the user's password has been changed in Okta, will that password automatically be changed in MySQL as well?

2. Is there a way to use Okta as IdP and Linux Server as SP without using AD? If so, please advise.
Gregory O'Neil (Okta)
As suggested before, a more complete access solution might be better provided with a Radius server providing PAM module integration for both.

A directory is not required for SAML integration in and of itself; however, provisioning to an LDAP directory (which in theory could be AD, though any other more typical Unix LDAP offering is probably preferred) behind MySQL/Linux offers another option for managing the identities, with the local password stored in the directory and an SWA application.

As for SAML integration options, one consideration is to use https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall
There may be other options; this is just one possible way to host a web container configured to provide access for Linux and MySQL web-driven interfaces that is federation aware without having passwords stored locally on the resource being accessed.

What are the access vectors to the systems being targeted? How do users access the Linux servers and MySQL applications and services today? Web only? SSH command line access? MySQL admin tools? What Linux OS & version are you working with? Are you working to mitigate CVE-2016-5195 or another vulnerability, or just improving general identity controls? How many servers are you working with, dozens? Hundreds?

Options for where the password used is to be stored vary between the options. Many of the SWA/local credential options will have passwords stored local to the targeted system. SAML connections will likely be able to use the Okta password as the security challenge, and the federation channel provides its own security layer, not requiring a separate credential challenge.

We would suggest working with Okta Professional Services to identify the best course of action for either assisted or self-implemented solutions.
Regards,
grego
 
Gregory O'Neil (Okta)
If the SSH tunnel is the only inbound access, then the best-case option is still a PAM module with a RADIUS server connecting your Okta credentials to the Radius server.
Gregory O'Neil (Okta)
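The PAM-via-RADIUS setup for sshd described in the reply above, as an added example that is not part of this thread or of Okta's own documentation. It assumes the `pam_radius_auth` module is installed, that a RADIUS server (for instance an Okta RADIUS agent) listens at the address and shared secret you pass in, and that `ROOT` is `/` on the real host; the 3-second timeout and the test values are assumptions.

```shell
#!/bin/sh
# Added example: wire sshd's PAM stack to a RADIUS server so SSH logins are
# challenged with directory credentials/MFA. ROOT lets the functions render into
# a scratch tree; run with ROOT=/ as root on a real host. Server, secret and the
# 3-second timeout are assumed values, not from the thread.
set -e

configure_pam_radius() {
    root="$1"; server="$2"; secret="$3"
    mkdir -p "$root/etc/pam.d" "$root/etc/ssh"
    # pam_radius_auth.conf format: "server[:port] shared_secret timeout", one per line.
    # The shared secret must not be world-readable, hence umask 077.
    umask 077
    printf '%s %s 3\n' "$server" "$secret" > "$root/etc/pam_radius_auth.conf"
    umask 022
    touch "$root/etc/pam.d/sshd"
    # Prepend pam_radius_auth as the first auth line (idempotent). "sufficient" means a
    # RADIUS success authenticates the user, while a RADIUS failure or timeout falls
    # through to the remaining auth lines (local password). Switch to "required" only
    # after removing the local password modules, or users are prompted twice.
    if ! grep -q 'pam_radius_auth.so' "$root/etc/pam.d/sshd"; then
        { echo 'auth    sufficient  pam_radius_auth.so'; cat "$root/etc/pam.d/sshd"; } \
            > "$root/etc/pam.d/sshd.new" && mv "$root/etc/pam.d/sshd.new" "$root/etc/pam.d/sshd"
    fi
    # sshd must hand authentication to PAM and allow challenge/response for the MFA
    # prompt. PasswordAuthentication is disabled so the only password path is RADIUS.
    touch "$root/etc/ssh/sshd_config"
    for kv in 'UsePAM yes' 'ChallengeResponseAuthentication yes' 'PasswordAuthentication no'; do
        key="${kv%% *}"
        if grep -q "^$key " "$root/etc/ssh/sshd_config"; then
            sed -i "s|^$key .*|$kv|" "$root/etc/ssh/sshd_config"
        else
            echo "$kv" >> "$root/etc/ssh/sshd_config"
        fi
    done
}

# Return 0 only if every required setting is in place and the secret is not world-readable.
verify_pam_radius() {
    root="$1"
    head -n1 "$root/etc/pam.d/sshd" | grep -q 'sufficient *pam_radius_auth.so' || return 1
    grep -q '^UsePAM yes' "$root/etc/ssh/sshd_config" || return 1
    grep -q '^ChallengeResponseAuthentication yes' "$root/etc/ssh/sshd_config" || return 1
    [ "$(stat -c '%a' "$root/etc/pam_radius_auth.conf")" = "600" ]
}
```

Reload sshd after running it against `/`, and keep an existing session open until a fresh login through the RADIUS prompt has been confirmed.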
Active Directory would not be required in most configuration options discussed.
Ridha Gadhgadhi
Thanks for sharing those details! A few more questions to understand how OPC works: You said previously that OPC is only for provisioning. That means we can create and delete (provision/deprovision) users through OPC. If a user already exists in MySQL, can we import that user to Okta? Also, can we match that MySQL user to an existing Okta user? In the end, can the user sign into MySQL using Okta credentials? Can the user import be automated both ways? Can we configure Okta to be the master? Using OPC, must passwords of MySQL users be stored locally, or will they be fully handled by Okta? If the user's password has been changed in Okta, can that user still access MySQL using the new Okta credentials? Thanks in advance, --Ridha
Tony Yemma (Okta, Inc.)
Hello Ridha,

This type of integration is not something we have an out of the box configuration for, as every environment is different.  We highly recommend working with our Professional Services team to evaluate your requirements and outline a solution to meet your needs.

Would you be open to a call to discuss your options further with our PS team?

FYI - I tried reaching out to you via the email addresses listed in our system, but both messages were undeliverable. If you would like to discuss this further, please let me know what a good email address is to contact you at.

Thanks,
Tony
Gregory O'Neil (Okta)

Available from the Admin Console for download. Yes, you can master identities from most any source of technology security used in the last 30 years and interconnected to most any kind of network. Connecting everything. Credentials management is flexibly managed as CISOs require for their particular organization: passwords, certificates, promoting frictionless identities, or as many policy-driven challenges as are required to meet regulatory requirements for security, with a variety of MFA factors or simple password challenges. AuthN and adaptive role alignment, built on the UD foundation of secure data-at-rest profile management in one service, Okta.
 
Ridha Gadhgadhi
Hi Gregory and Tony,

We have contacted Okta to start testing OPC and PAM/RADIUS options. We are still waiting for Deep Sathe to move on the next step. Thanks.
Charles Morin
Hello,

Has there been any movement on the ability to use PAM/RADIUS with Linux systems? We are also interested in having our Linux systems, specifically SSH, use MFA, which would require auth to Okta.
 
Corey Burke
We're interested in the same thing, with a twist. We'd like to use public RSA keys associated with the user to SSH into linux machines. Basically I'd like to add a SSH public key to an Okta user that would be made available via the already-on-the-roadmap Okta LDAP cloud service. I could then use SSSD to get the keys from Okta for authentication.
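The SSSD-based key lookup described in the post above, as an added example that is not part of this thread or of any Okta product documentation. It assumes an LDAP directory that exposes each user's key in an `sshPublicKey` attribute (the openssh-lpk convention), SSSD installed on the host, and `ROOT` of `/` on the real host; the LDAP URI and search base you pass in, and the test values, are assumptions.

```shell
#!/bin/sh
# Added example: let sshd fetch a user's public keys from the LDAP attribute SSSD
# caches, so keys are mastered in the directory rather than in ~/.ssh/authorized_keys
# on every host. ROOT renders into a scratch tree; run with ROOT=/ as root for real.
set -e

configure_sssd_ssh_keys() {
    root="$1"; ldap_uri="$2"; search_base="$3"
    mkdir -p "$root/etc/sssd" "$root/etc/ssh"
    # SSSD refuses sssd.conf unless it is root-owned and mode 0600.
    umask 077
    cat > "$root/etc/sssd/sssd.conf" <<EOF
[sssd]
services = nss, pam, ssh
domains = directory

[domain/directory]
id_provider = ldap
auth_provider = ldap
ldap_uri = $ldap_uri
ldap_search_base = $search_base
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_user_ssh_public_key = sshPublicKey
EOF
    umask 022
    # sshd asks SSSD's helper for the keys; the helper runs as an unprivileged user.
    # PasswordAuthentication is disabled so directory-held keys are the only path.
    touch "$root/etc/ssh/sshd_config"
    for kv in 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u' \
              'AuthorizedKeysCommandUser nobody' 'PasswordAuthentication no'; do
        key="${kv%% *}"
        if grep -q "^$key " "$root/etc/ssh/sshd_config"; then
            sed -i "s|^$key .*|$kv|" "$root/etc/ssh/sshd_config"
        else
            echo "$kv" >> "$root/etc/ssh/sshd_config"
        fi
    done
}

# Return 0 only if the key lookup is wired end to end and sssd.conf is private.
verify_sssd_ssh_keys() {
    root="$1"
    [ "$(stat -c '%a' "$root/etc/sssd/sssd.conf")" = "600" ] || return 1
    grep -q '^services = .*ssh' "$root/etc/sssd/sssd.conf" || return 1
    grep -q '^ldap_user_ssh_public_key = sshPublicKey' "$root/etc/sssd/sssd.conf" || return 1
    grep -q '^AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u' "$root/etc/ssh/sshd_config" || return 1
    grep -q '^AuthorizedKeysCommandUser nobody' "$root/etc/ssh/sshd_config"
}
```

`sss_ssh_authorizedkeys <user>` run by hand on the host is the quickest check that the attribute is actually being returned before sshd is reloaded.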
Joshua Priko
Hello All,
  Have there been any updates on whether this would work with PAM?