10.9. Okta OpenID Connect
10.9.1. Introduction
The okta-oidc method is used to implement single sign-on authentication using the Okta OpenID Connect (OIDC) service.
This allows Okta accounts to authenticate in SFTPPlus as administrators or file transfer accounts.
To integrate SFTPPlus with an Okta account, you have to create a new app integration dedicated to SFTPPlus inside Okta Admin Console. Some SFTPPlus details need to be added to your Okta app setup as well. You can then configure the Okta app details in SFTPPlus. In this way, SFTPPlus and Okta can work together and trust each other.
Okta OIDC provides both authentication and authorization processes. For SFTPPlus integration, Okta OIDC is primarily used for authentication. You have to define the authorization rules inside the SFTPPlus configuration.
It is recommended to configure the Okta OIDC authentication method as the first method in your authentication chain, before the SFTPPlus Application Accounts authentication.
If the browser already holds an authenticated Okta session for the user, SFTPPlus does not prompt for Okta credentials again and accepts the user already authenticated by Okta. Get in touch if you would like SFTPPlus to always ask for the Okta username.
The Okta authentication process must complete in less than two minutes. For security reasons, SFTPPlus rejects authentication responses that arrive after that window.
For SFTPPlus to integrate with Okta authentication, it needs to be able to initiate outgoing connections to your Okta org authorization server over HTTPS port 443. Make sure your firewall allows outgoing connections. An HTTP proxy can be used by SFTPPlus to connect to the Okta authorization server.
Note
Using the Okta authentication with SFTPPlus running behind a reverse proxy or an API gateway is not yet supported.
Note
Only authenticating administrators and HTTPS file transfer users is supported. Get in touch if you need to authenticate SFTP or FTPS users using Okta.
10.9.2. Okta OIDC app integration configuration
Besides defining the Okta OIDC authentication method inside the SFTPPlus configuration, you also need to define the SFTPPlus details inside the Okta Admin Console.
SFTPPlus interacts with Okta as an OpenID Connect and OAuth2 application.
You need to register your SFTPPlus app in Okta by creating an app integration from the Admin Console.
Open the Okta Admin Console for your org, and start creating a new integration:
Choose Applications to view the app integrations main page.
Click Create App Integration.
Select OIDC - OpenID Connect as the Sign-in method.
Select Web Application as the Application type, then click Next.
Enter a name for this SFTPPlus integration with Okta.
Make sure Proof of possession is not required.
Grant type should be Authorization Code. No need to select other types.
In the Sign-in redirect URIs box, enter the base URL where the SFTPPlus HTTPS or Web Manager services are installed.
The base URL is configured inside Okta using the following format, where SERVER.COM:PORT is replaced with the address of your HTTPS web file browser or Web Manager, and AUTH-UUID with the unique ID of this Okta authentication method as generated by SFTPPlus: https://SERVER.COM:PORT/?redirect-AUTH-UUID
For now, SFTPPlus only supports logins that are initiated from the SFTPPlus login page. Therefore, you should configure Login initiated by > App only. Okta-initiated logins are not yet supported. Get in touch with our support team if you need Okta-initiated logins.
For the sign-out redirect, you can configure it as https://SERVER.COM:PORT/__chsps__/logout.
There is no need to define Trusted Origins.
From the Controlled access you can restrict, at Okta level, the Okta users allowed to access the SFTPPlus application.
You can then save the configuration.
From the General tab of your app integration, save the generated Client ID and Client secret values. These values are then set inside the SFTPPlus configuration.
We recommend creating a separate Okta app integration for each SFTPPlus installation.
Note
There is a limit of 100 groups for which an Okta account can be authenticated. Okta can change this limit in the future. If you need to authenticate Okta users that are members of more than 100 groups, get in touch with our support team.
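The steps above produce an Authorization Code integration whose security rests on three checks on the SFTPPlus side: the redirect URI registered in Okta, a per-login state value that is accepted only once, and the two-minute limit mentioned in the introduction. The following is an added illustration of those checks; it is not SFTPPlus code and makes no claim about how SFTPPlus implements the flow internally. It assumes Okta's documented org authorization server endpoint /oauth2/v1/authorize, uses the https://SERVER.COM:PORT/?redirect-AUTH-UUID redirect format from this page, and all domain, client ID and UUID values in it are made up.

```python
"""Authorization Code login against an Okta org, as configured in the steps above.

Added illustration, not SFTPPlus code.  Assumed: Okta's org authorization
server endpoint /oauth2/v1/authorize; the redirect URI format
https://SERVER.COM:PORT/?redirect-AUTH-UUID from this page; the two-minute
limit from the introduction.  Domain, client ID and UUID values are made up.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

MAX_LOGIN_AGE = 120  # seconds; delayed authentications are rejected


class LoginError(Exception):
    """The redirect that came back from Okta cannot be accepted."""


class OktaLoginBroker:
    """Builds authorization requests and validates the redirect back from Okta."""

    def __init__(self, okta_domain, client_id, redirect_uri, now=time.time):
        self.okta_domain = okta_domain
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._now = now
        # state -> (nonce, start time).  Every state is consumed exactly once.
        self._pending = {}

    def start_login(self):
        """Return (authorize URL, state, nonce) for an app-initiated login."""
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[state] = (nonce, self._now())
        params = {
            "client_id": self.client_id,
            "response_type": "code",  # Authorization Code grant only
            "scope": "openid profile groups",
            "redirect_uri": self.redirect_uri,
            "state": state,
            "nonce": nonce,
        }
        url = f"https://{self.okta_domain}/oauth2/v1/authorize?{urlencode(params)}"
        return url, state, nonce

    def accept_callback(self, callback_url):
        """Validate the redirect from Okta; return (code, nonce) or raise LoginError.

        The nonce is handed back so the caller can compare it with the nonce
        claim of the ID token it obtains from the token endpoint.
        """
        query = parse_qs(urlparse(callback_url).query)
        if "error" in query:
            raise LoginError(f"Okta returned error: {query['error'][0]}")
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        # Unknown, forged or replayed state values all yield None here.
        pending = self._pending.pop(state, None)
        if pending is None:
            raise LoginError("unknown or already used state")
        nonce, started = pending
        if self._now() - started > MAX_LOGIN_AGE:
            raise LoginError("authentication took longer than two minutes")
        if not code:
            raise LoginError("no authorization code in callback")
        return code, nonce


if __name__ == "__main__":
    # Constructed values: a made-up Okta org, client ID and method UUID.
    broker = OktaLoginBroker(
        "dev-123456.okta.com",
        "0oaEXAMPLECLIENTID",
        "https://sftp.example.com:10443/?redirect-f6c1c7a0-1111-4222-8333-444455556666",
    )
    url, state, nonce = broker.start_login()
    print("send the browser to:", url)
```

The state is popped from the pending table before any other check, so a replayed callback fails even if it arrives within the time window, and the clock is injectable so the timeout path can be exercised without waiting.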
10.9.3. name
- Default value:
''
- Optional:
Yes
- From version:
2.10.0
- Values:
Any text.
- Description:
Human-readable short text used to identify this method.
10.9.4. description
- Default value:
''
- Optional:
Yes
- From version:
2.10.0
- Values:
Any text.
- Description:
Human-readable text that describes the purpose of this authentication method.
10.9.5. type
- Default value:
''
- Optional:
No
- From version:
2.10.0
- Values:
application - Application accounts.
os - Accounts authenticated by the OS.
http - HTTP (unsecured).
ip-time-ban - Ban an IP address for a time interval.
deny-username - Deny authentication based on usernames.
anonymous - Anonymous account authentication.
ldap - Authenticate against an LDAP server.
local-file - Authenticate the accounts from a separate local file.
radius - Authenticate via a RADIUS server.
entra-id - Microsoft Entra ID.
google-identity - Google Identity.
okta-oidc - Okta OpenID Connect.
- Description:
This option specifies the type of the method. Each type has a set of specific configuration options. For the method described on this page, set it to okta-oidc.
10.9.6. okta_domain
- Default value:
Empty
- Optional:
No
- Values:
Text
- From version:
5.12.0
- Description:
The host name of the Okta org against which SFTPPlus authenticates, as used by the app integration created above.
This can be something like YOUR-ORG.okta.com or a custom domain such as CUSTOM-AUTH.YOUR-ORG.COM.
10.9.7. client_id
- Default value:
Empty
- Optional:
No
- Values:
Text
- From version:
5.12.0
- Description:
Client ID of the SFTPPlus credentials inside Okta Admin Console. This value is obtained after creating a new application integration inside Okta.
10.9.8. password
- Default value:
Empty
- Optional:
Yes
- Values:
plain text
- From version:
5.12.0
- Description:
This is the client secret generated by the Okta Admin Console for the SFTPPlus app integration.
10.9.9. base_groups
- Default value:
Empty
- Optional:
Yes
- Values:
Empty
Group UUID.
Comma-separated list of group UUIDs.
- From version:
5.12.0
- Description:
Defines the SFTPPlus groups that are associated with any authenticated users.
Leave empty to not have any default group, and only use the groups associated via Okta groups.
The first configured base group is also the primary group.
10.9.10. group_association
- Default value:
base-groups
- Optional:
No
- Values:
base-groups
base-and-cloud-groups
- From version:
5.12.0
- Description:
Defines the SFTPPlus groups that are associated with authenticated users.
When set to base-groups, it associates any authenticated Okta user with the list of groups configured via the base_groups configuration option.
When set to base-and-cloud-groups, it associates the user with the list of groups defined via the base_groups option and the SFTPPlus groups having the same name as the Okta groups that this user is a member of.
If the user is associated with Okta groups not configured in SFTPPlus, those groups are ignored.
If no Okta groups are found for this user, only the base groups are used.
If the authenticated user has no associated SFTPPlus group in Okta cloud and base_groups is empty, the authentication fails.
The Okta groups are associated with SFTPPlus groups if they have the same name. The matching of the groups is case-sensitive.
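The rules above for group_association and base_groups leave a few edge cases worth seeing in code: unknown Okta groups are ignored, name matching is case-sensitive, the first base group is the primary group, and a user who ends up with no SFTPPlus group is rejected. The following is an added illustration of those rules, not SFTPPlus code; group names and UUIDs are made up. It makes one assumption beyond the page: when base_groups is empty and only Okta groups match, the first matching Okta group is taken as the primary group.

```python
"""Group association for an Okta-authenticated user, following the rules of
group_association and base_groups described above.

Added illustration, not SFTPPlus code; group names and UUIDs are made up.
Assumption beyond the page: with base_groups empty, the first matching Okta
group becomes the primary group.
"""

BASE_GROUPS = "base-groups"
BASE_AND_CLOUD_GROUPS = "base-and-cloud-groups"


class AuthenticationFailed(Exception):
    """The user resolved to no SFTPPlus group and must be rejected."""


def resolve_groups(group_association, base_groups, okta_groups, sftpplus_groups):
    """Return (primary_group_uuid, [group_uuids]) for one authenticated user.

    group_association: BASE_GROUPS or BASE_AND_CLOUD_GROUPS
    base_groups:       SFTPPlus group UUIDs from the base_groups option, in
                       configured order (the first one is the primary group)
    okta_groups:       names of the Okta groups the user is a member of
    sftpplus_groups:   name -> UUID for every group configured in SFTPPlus
    """
    if group_association not in (BASE_GROUPS, BASE_AND_CLOUD_GROUPS):
        raise ValueError(f"unknown group_association: {group_association!r}")

    groups = list(base_groups)  # base groups first; order is preserved
    if group_association == BASE_AND_CLOUD_GROUPS:
        for name in okta_groups:
            # Exact, case-sensitive match on the group name.  Okta groups with
            # no SFTPPlus group of the same name are ignored.
            uuid = sftpplus_groups.get(name)
            if uuid is not None and uuid not in groups:
                groups.append(uuid)

    if not groups:
        # No base group and no matching Okta group: authentication fails.
        raise AuthenticationFailed("no SFTPPlus group for this user")
    return groups[0], groups


# Constructed sample SFTPPlus groups (made-up UUIDs).
UPLOADS_UUID = "00000000-0000-4000-8000-000000000001"
FINANCE_UUID = "00000000-0000-4000-8000-000000000002"
AUDIT_UUID = "00000000-0000-4000-8000-000000000003"
SFTPPLUS_GROUPS = {
    "uploads": UPLOADS_UUID,
    "Finance": FINANCE_UUID,
    "Audit": AUDIT_UUID,
}


if __name__ == "__main__":
    # A user in the Okta groups "Finance" and "Everyone"; "Everyone" has no
    # SFTPPlus counterpart and is dropped.
    primary, groups = resolve_groups(
        BASE_AND_CLOUD_GROUPS, [UPLOADS_UUID], ["Finance", "Everyone"], SFTPPLUS_GROUPS
    )
    print("primary:", primary)
    print("all groups:", groups)
```

The function raises rather than returning an empty list so that a caller cannot accidentally treat "no groups" as a successful login.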
10.9.11. base_roles
- Default value:
Empty
- Optional:
Yes
- Values:
Empty
Role UUID.
Comma-separated list of role UUIDs.
- From version:
5.12.0
- Description:
Defines the SFTPPlus roles that are associated with an authenticated administrator.
The first configured base role is also the primary role.
Danger
When this option is defined (not empty), any Okta user that is accepted as part of the SFTPPlus Okta application configuration is allowed to connect to the SFTPPlus management web console.
We recommend creating an Okta application dedicated to the SFTPPlus management web console, which is separated from the Okta application dedicated to file transfers.
10.9.12. proxy
- Default value:
''
- Optional:
Yes
- Values:
URI like expression.
connect://192.0.2.10:3128
- From version:
5.12.0
- Description:
This configures the proxy used by SFTPPlus to connect to the Okta cloud services.
For now, only the HTTP/1.1 CONNECT tunnelling proxy method is supported.