Okta: the Custom domain and TLS configuration

#sso #dns #ssl

You can use your own domain configured for Okta.

The one thing worth to mention here is the fact that Okta’s official plugin doesn’t work with a Custom domain feature so you’ll have to use Okta’s URL for the plugin authentification, see the documentation for details.

Custom domain configuration

Go to the Settings > Customization:

List down, find the Custom URL Domain:

Click on the Get Started, specify the domain you’d like to use, in this current case – the okta.example.com:

Okta will display DNS-record to be added:

Our domains served by the AWS Route53, go there and add the TXT-record:

Click the Next button in the Okta.

TLS

Now need to obtain an SSL-certificate for our domain.

Create a CSR, for example on the https://csrgenerator.com site.

In the Common Name set your domain to be used in Okta:

Save the result – the CSR itself and a private key

Go to your SSL’s issuer, it’s the 101domains in our case, buy a new certificate and specify the CSR from the data above:

Validate the domain. Again it depends on an SSL’s issuer, in our case, the DNS will be used:

Get the record to be added:

Add a CNAME-record in the Route53:

Ready:

TLS in Okta

Now go to the Okta and configure your TLS details.

Here we need to set the Private key and the Certificate.

The private key can be found from the data we got from the https://csrgenerator.com:

$ cat okta.example.com.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICrDCCAZQCAQAwZzELMAkGA1UEBhMCVUExHDAaBgNVBAMME29rdGEuYmV0dGVy
...
treVmmsKjfAsO8uSIZi1d3GTsHvlwAk7RKEaYBMunhRHRKfxr3484jZMQ16kmKaJ
wRy4TH8OOomvqVbjjIwbig==
-----END CERTIFICATE REQUEST-----

-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDKtyAK/6LRLdi/
5/W9yid++PPXs1vTyVDgaDU34pCw4iGTxLfAHYtRzJNINP4LIfsIz6TVAhHAC0tL
...
m2hlvU3wQiy+u3yLhR1FCMympFDf0PMbcGWDEC/N1WXprdAU04AIMTm/Qh2WFCHN
MqePCzr76wgdH8CNltHkAYsv/g==
-----END PRIVATE KEY-----

And the certificate itself can be taken from its issuer: