dependency-track
Not able to Integrate with OKTA application
Current Behavior
Hello Team, we are finding it difficult to integrate Dependency-Track v4.7 with OKTA, as there is no direct approach mentioned in the documentation either. Please help us on that front.
Proposed Behavior
Either provide documentation on how to integrate it with OKTA or SAML authentication.
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this enhancement was already requested
Hi @SecMantra, I have already integrated OKTA with DT; please specify the issues you are facing.
Hi @sgupta22altair, thank you for responding to my issue. In particular we are facing an issue with the SSO login: we are not able to log users in directly via SSO. The redirection to the Okta login is working fine, but when we enter the user password it keeps on waiting... It would be great if we could get some documentation on how to integrate with OKTA SSO or SAML authentication.
Thank You
Hello, any update on this issue? Does anyone have any idea about OKTA SSO or SAML authentication?
Hi @SecMantra
Below is the configuration that I use to integrate Okta.
dtrack-apiserver service
  - ALPINE_OIDC_ENABLED=true
  - ALPINE_OIDC_ISSUER=
  - ALPINE_OIDC_CLIENT_ID=
  - ALPINE_OIDC_USERNAME_CLAIM=preferred_username
  - ALPINE_OIDC_TEAMS_CLAIM=groups
  - ALPINE_OIDC_USER_PROVISIONING=true
  - ALPINE_OIDC_TEAM_SYNCHRONIZATION=true
dtrack-frontend service
  - API_BASE_URL=
  - OIDC_ISSUER=
  - OIDC_CLIENT_ID=
  - "OIDC_SCOPE=openid email profile groups"
  - "OIDC_FLOW="
  - OIDC_LOGIN_BUTTON_TEXT=SSO
OIDC_ISSUER, CLIENT_ID, and API_BASE_URL depend on your environment.
@g-sahil22 I'm having an issue with integrating with Okta. It's not passing back the groups for some reason. I'm seeing:
ERROR [OidcAuthenticationService] Unable to assemble complete profile
and groups=null
Do you have any recommendations? I configured the OIDC application as 'Single Page App (SPA)'
Thanks!
Never mind, I figured it out. The Groups claim filter in the Okta app needs to be set to groups, Matches regex, .*
@fdx0 did you manage to get user provisioning to work with Okta? It's the last bit we are struggling with. We have to rely on manual user creation for the moment.
Was told in a different forum that Okta may be the problem here
@sebastienDelcoigne Yes, user provisioning works. You need to be using an OIDC app configured as SPA (single page app). Make sure your groups claim filter is set correctly.
Dependency-Track should be configured as suggested above. You also need to create OpenID Connect Group mappings in Dependency-Track under Access Management > OpenID Connect Groups. These should match the group names in Okta and map to the Dependency-Track team names.
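A pre-flight check for the two failure modes discussed in this thread (the "groups=null" profile error and the group-to-team mapping), added here as an example; it is not code from the Dependency-Track project or from anyone in the thread. It decodes an ID token payload without verifying the signature (diagnostics only), checks that the claims named by ALPINE_OIDC_USERNAME_CLAIM and ALPINE_OIDC_TEAMS_CLAIM are present, and previews which teams the user would land in. The tokens, environment values and the group-to-team table are constructed samples; the table is an assumed representation of what is configured under Access Management > OpenID Connect Groups.

```python
import base64
import json

# Constructed sample of the API-server settings used in this thread.
DT_ENV = {
    "ALPINE_OIDC_USERNAME_CLAIM": "preferred_username",
    "ALPINE_OIDC_TEAMS_CLAIM": "groups",
}

# Constructed sample of Access Management > OpenID Connect Groups:
# Okta group name -> Dependency-Track team name (assumed to mirror the
# name-based mapping described in the thread).
GROUP_MAPPINGS = {
    "dt-admins": "Administrators",
    "dt-developers": "Developers",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT checking its signature.
    Diagnostics only: never make an authorization decision on this output."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, env: dict = DT_ENV) -> list:
    """List the claim problems that stop DT from assembling a user profile."""
    problems = []
    username_claim = env["ALPINE_OIDC_USERNAME_CLAIM"]
    teams_claim = env["ALPINE_OIDC_TEAMS_CLAIM"]
    if not claims.get(username_claim):
        problems.append(f"username claim '{username_claim}' missing or empty")
    groups = claims.get(teams_claim)
    if groups is None:
        problems.append(
            f"teams claim '{teams_claim}' missing: check the Okta app's groups "
            "claim filter (Matches regex .*) and that 'groups' is in OIDC_SCOPE")
    elif not isinstance(groups, list):
        problems.append(f"teams claim '{teams_claim}' is not a list of group names")
    return problems


def preview_teams(claims: dict, mappings: dict = GROUP_MAPPINGS, env: dict = DT_ENV) -> list:
    """Teams the user would be placed in after team synchronization."""
    groups = claims.get(env["ALPINE_OIDC_TEAMS_CLAIM"]) or []
    return sorted({mappings[g] for g in groups if g in mappings})


def make_unsigned_token(payload: dict) -> str:
    """Constructed alg=none token so the check runs offline; a real ID token
    from Okta is signed and would be copied from the browser's network tab."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}."


# Constructed sample claims: one token with groups, one as seen when the
# groups claim filter is not configured (groups=null in the DT log).
GOOD_TOKEN = make_unsigned_token({
    "sub": "00uexample", "preferred_username": "alice@example.com",
    "email": "alice@example.com", "groups": ["Everyone", "dt-developers"],
})
BAD_TOKEN = make_unsigned_token({
    "sub": "00uexample", "preferred_username": "alice@example.com",
    "email": "alice@example.com",
})

if __name__ == "__main__":
    for label, token in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        claims = decode_jwt_payload(token)
        print(label, "problems:", check_claims(claims) or "none")
        print(label, "teams:", preview_teams(claims))
```

Paste a real ID token in place of the constructed one to see exactly which claim Okta left out; the "Everyone" group is ignored because it has no mapping, which is the behaviour you want for Okta's built-in catch-all group.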
Thanks for the tip @fdx0
Hi @fdx0,
I have exactly the same configuration in Okta, and SSO login works as expected, but I didn't manage to get user provisioning working. That means we must manually create users in Dependency-Track.
I'm surprised it's working for you, because I found a post where a developer from Okta explains that provisioning for OIDC applications is not supported (SCIM should be used instead). But that was a few years ago...
Source: https://devforum.okta.com/t/confused-about-provisioning-with-oidc/4270
Do you still confirm you managed to implement it? If yes, can you please also share your DependencyTrack configuration?
Thank you very much for your help!
Kind regards,
Hi @Nicolas-Esteves
The assumption here is that you have a PostgreSQL database and a web server like Apache acting as a reverse proxy for the Docker containers.
docker-compose.yml
version: '3.7'

#####################################################
# This Docker Compose file contains two services
#    Dependency-Track API Server
#    Dependency-Track FrontEnd
#####################################################

volumes:
  dependency-track:

services:
  dtrack-apiserver:
    image: dependencytrack/apiserver
    network_mode: bridge
    environment:
      # The Dependency-Track container can be configured using any of the
      # available configuration properties defined in:
      # https://docs.dependencytrack.org/getting-started/configuration/
      # All properties are upper case with periods replaced by underscores.
      #
      # Database Properties
      - ALPINE_DATABASE_MODE=external
      - ALPINE_DATABASE_URL=jdbc:postgresql://[host]:5432/[deptrack_db_name]
      - ALPINE_DATABASE_DRIVER=org.postgresql.Driver
      - ALPINE_DATABASE_USERNAME=[username]
      - ALPINE_DATABASE_PASSWORD=[password]
      - ALPINE_DATABASE_POOL_ENABLED=true
      - ALPINE_DATABASE_POOL_MAX_SIZE=20
      - ALPINE_DATABASE_POOL_MIN_IDLE=10
      - ALPINE_DATABASE_POOL_IDLE_TIMEOUT=300000
      - ALPINE_DATABASE_POOL_MAX_LIFETIME=600000
      #
      # Optional OpenID Connect (OIDC) Properties
      - ALPINE_OIDC_ENABLED=true
      - ALPINE_OIDC_ISSUER=https://[account].okta.com
      - ALPINE_OIDC_CLIENT_ID=[client_id]
      - ALPINE_OIDC_USERNAME_CLAIM=preferred_username
      - ALPINE_OIDC_TEAMS_CLAIM=groups
      - ALPINE_OIDC_USER_PROVISIONING=true
      - ALPINE_OIDC_TEAM_SYNCHRONIZATION=true
      #
      # Optional Cross-Origin Resource Sharing (CORS) Headers
      # ALLOW_ORIGIN must be the origin the browser loads the frontend from.
      - ALPINE_CORS_ENABLED=true
      - ALPINE_CORS_ALLOW_ORIGIN=https://[dependencytrack_hostname]
      - ALPINE_CORS_ALLOW_METHODS=GET, POST, PUT, DELETE, OPTIONS
      - ALPINE_CORS_ALLOW_HEADERS=Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count, *
      - ALPINE_CORS_EXPOSE_HEADERS=Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count
      - ALPINE_CORS_ALLOW_CREDENTIALS=true
      - ALPINE_CORS_MAX_AGE=3600
    deploy:
      resources:
        limits:
          memory: 12288m
        reservations:
          memory: 8192m
      restart_policy:
        condition: on-failure
    ports:
      - '8081:8080'
    volumes:
      - 'dependency-track:/data'
    restart: unless-stopped

  dtrack-frontend:
    image: dependencytrack/frontend
    network_mode: bridge
    depends_on:
      - dtrack-apiserver
    environment:
      # The base URL of the API server.
      # NOTE:
      #   * This URL must be reachable by the browsers of your users.
      #   * The frontend container itself does NOT communicate with the API server directly, it just serves static files.
      #   * When deploying to dedicated servers, please use the external IP or domain of the API server.
      - API_BASE_URL=https://[dependencytrack_hostname]:8443
      - "OIDC_ISSUER=https://[account].okta.com"
      - "OIDC_CLIENT_ID=[client_id]"
      - "OIDC_SCOPE=openid email profile groups"
      - "OIDC_LOGIN_BUTTON_TEXT=Okta SSO"
    ports:
      - "8080:8080"
    restart: unless-stopped
Apache configs:
deptrack-frontend.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" forwarded
    ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!forwarded
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log forwarded env=forwarded

    # Reverse proxy to the frontend container. ProxyRequests must stay Off:
    # "On" enables forward proxying and turns this vhost into an open proxy.
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    SSLEngine on
    SSLProtocol -ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:!RC4:!DES:!3DES:+HIGH
    SSLCertificateFile [cert_path]
    SSLCertificateKeyFile [cert_path]
    SSLCACertificateFile [cert_path]
</VirtualHost>
</IfModule>
deptrack-api.conf
Listen 8443
<IfModule mod_ssl.c>
<VirtualHost _default_:8443>
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" forwarded
    ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined env=!forwarded
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log forwarded env=forwarded

    # Reverse proxy to the API server container; ProxyRequests Off for the
    # same reason as in the frontend vhost (no open forward proxy).
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/

    SSLEngine on
    SSLProtocol -ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:!RC4:!DES:!3DES:+HIGH
    SSLCertificateFile [cert_path]
    SSLCertificateKeyFile [cert_path]
    SSLCACertificateFile [cert_path]
</VirtualHost>
</IfModule>
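A consistency check for the compose-plus-Apache layout shared in this post, added here as an example and not part of Dependency-Track or of anyone's configuration in the thread. It parses the two services' environment lines and the Apache vhost files, then reports the mismatches that typically break the SSO redirect or the browser's API calls after login (issuer or client ID differing between frontend and API server, the groups scope missing, a CORS origin that is not the frontend's origin) and flags a reverse-proxy vhost that also has ProxyRequests On. The embedded configs are constructed samples with the post's placeholders filled with assumed values, and the first vhost deliberately carries the weak setting so the check has something to find.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the post's placeholders filled with assumed values.
API_ENV = """
# Optional OpenID Connect (OIDC) Properties
- ALPINE_OIDC_ENABLED=true
- ALPINE_OIDC_ISSUER=https://example.okta.com
- ALPINE_OIDC_CLIENT_ID=0oaexampleclientid
- ALPINE_OIDC_TEAMS_CLAIM=groups
- ALPINE_CORS_ENABLED=true
- ALPINE_CORS_ALLOW_ORIGIN=https://deptrack.example.com
"""
FRONTEND_ENV = """
- API_BASE_URL=https://deptrack.example.com:8443
- "OIDC_ISSUER=https://example.okta.com"
- "OIDC_CLIENT_ID=0oaexampleclientid"
- "OIDC_SCOPE=openid email profile groups"
"""
FRONTEND_URL = "https://deptrack.example.com"  # what users type into the browser

# Constructed: first vhost has the weak setting, second the corrected one.
APACHE_VHOSTS = """
<VirtualHost _default_:443>
    ProxyRequests On
    ProxyPass / http://127.0.0.1:8080/
</VirtualHost>
<VirtualHost _default_:8443>
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8081/
</VirtualHost>
"""


def parse_env(text: str) -> dict:
    """Parse compose-style '- KEY=value' lines, tolerating the quoted form."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip().strip('"')
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_oidc_pairing(api: dict, fe: dict, frontend_url: str) -> list:
    """Mismatches between the frontend (which starts the login in the browser)
    and the API server (which validates the resulting token)."""
    problems = []
    if api.get("ALPINE_OIDC_ISSUER") != fe.get("OIDC_ISSUER"):
        problems.append("OIDC issuer differs between API server and frontend")
    if api.get("ALPINE_OIDC_CLIENT_ID") != fe.get("OIDC_CLIENT_ID"):
        problems.append("OIDC client ID differs between API server and frontend")
    # Okta-specific: the groups claim only appears when the groups scope is requested.
    if api.get("ALPINE_OIDC_TEAMS_CLAIM") == "groups" and "groups" not in fe.get("OIDC_SCOPE", "").split():
        problems.append("frontend OIDC_SCOPE does not request 'groups'")
    fe_origin = origin(frontend_url)
    if origin(fe.get("API_BASE_URL", "")) != fe_origin:  # cross-origin API calls
        if api.get("ALPINE_CORS_ENABLED") != "true":
            problems.append("API is on another origin but ALPINE_CORS_ENABLED is not true")
        elif api.get("ALPINE_CORS_ALLOW_ORIGIN") != fe_origin:
            problems.append(f"ALPINE_CORS_ALLOW_ORIGIN should be the frontend origin {fe_origin}")
    return problems


VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def check_apache_vhosts(text: str) -> list:
    """Flag reverse-proxy vhosts (ProxyPass) that also enable forward proxying."""
    problems = []
    for name, body in VHOST_RE.findall(text):
        has_proxypass = re.search(r"^\s*ProxyPass\b", body, re.M | re.I)
        requests_on = re.search(r"^\s*ProxyRequests\s+On\b", body, re.M | re.I)
        if has_proxypass and requests_on:
            problems.append(f"{name}: ProxyRequests On together with ProxyPass makes "
                            "this vhost an open forward proxy; use ProxyRequests Off")
    return problems


if __name__ == "__main__":
    api, fe = parse_env(API_ENV), parse_env(FRONTEND_ENV)
    for problem in check_oidc_pairing(api, fe, FRONTEND_URL) + check_apache_vhosts(APACHE_VHOSTS):
        print("PROBLEM:", problem)
```

Point the constants at your own compose file and vhost files before trusting the result; the CORS check matters here because the frontend is served on 443 and the API on 8443, which the browser treats as two different origins.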
Hi @fdx0,
Wonderful, thank you very much! Everything works as expected now, SSO + provisioning. I don't know exactly what the problem was, because we had almost the same configuration, but I guess it was related to something in Apache.
Anyway, thank you again for sharing your configuration, that's much appreciated.
PS: I don't know who to ping but maybe this configuration should be added to the official documentation.
Have a nice day!
Kind regards,
Hi, everyone! I am trying to use the Okta OIDC integration with Dependency-Track, but with no result :(
Can you help me and advise what attributes need to change, and maybe, if you can, give the detailed server configuration settings for integrating Okta? Maybe someone can share a working server configuration where the integration between Okta and DT works?
Thanks!
Hi @ElDanios,
I have the same configuration as previously shared, so I'm not sure what more I can give you. :/
Any additional specific settings you want to see?
Regards,
@Nicolas-Esteves Hi, it's interesting to see all the code from the docker-compose.yml file. Can you share your full Docker image configuration? I would appreciate it :)
Where do I put OIDC_CLIENT_SECRET ? My organization requires both CLIENT_ID and CLIENT_SECRET.
Can someone share the actual configuration in the Okta admin panel?
Never mind, I figured out I need to change the Okta app profile to Mobile app (SPA). It does not require the secret.
We successfully configured Okta SSO using the examples from @fdx0. It helps to temporarily set LOGGING_LEVEL=DEBUG so you can see the Okta groups that are being used for the mapping.
Thanks a lot @fdx0