Okta Integration

Okta IDP integration with A10 Control enables secure Single Sign-On (SSO) and supports Role-Based Access Control (RBAC). This allows user attributes and group memberships from Okta to be mapped to A10 Control roles. The integration is based on the OpenID Connect (OIDC) protocol.

In addition to SSO, the integration supports Multi-Factor Authentication (MFA) through Okta’s native MFA policies. When enabled, users are prompted to verify their identity using a second factor (such as Okta Verify, SMS, or TOTP) during login.

Only Organization Admins have permission to integrate Okta with A10 Control.

Register A10 Control as an Application in Okta

  1. Log in to your Okta Admin Console (https://<your-okta-domain>.okta.com/admin).
  2. From the Okta home page, click the Hamburger menu and navigate to Applications > Applications > Create App Integration.
  3. On the Create a new app integration page, configure the following:

    Sign-in method: OIDC - OpenID Connect
      This enables Single Sign-On (SSO) through the API.
    Application type: Web Application

  4. Click Next.
  5. On the New Web App Integration page, select or enter the following:

    General Settings

    App integration name: Name for your application.
      Example: A10 Control-OIDC
    Grant type:
      • Client acting on behalf of itself → Client Credentials
        NOTE: The Client Credentials grant type is not required for user authentication through IDP. However, A10 Control uses this flow internally to validate the configuration details entered by users in the UI.
      • Client acting on behalf of a user (default) → Authorization Code
    Sign-in redirect URIs: A10 Control Keycloak OpenID endpoint.
      For example: https://<IP_address>/keycloak/realms/<Organization_name>/broker/Okta/endpoint
    Sign-out redirect URIs: A10 Control Keycloak OpenID logout endpoint.
      For example: https://<IP_address>/keycloak/realms/<Organization_name>/broker/Okta/endpoint/logout_response

    Assignments

    Controlled access: Allow everyone in your organization to access (default).
    Enable immediate access: Enable immediate access with Federation Broker Mode

  6. Click Save.

    The A10 Control-OIDC application is registered in Okta.

Get Required Credentials

  1. From the Okta home page, click the Hamburger menu, navigate to Applications > Applications, and click the A10 Control-OIDC app.
  2. On the A10 Control-OIDC app page, click the General tab and note down:

    Client ID: This value is used as the App Key when configuring Okta as an IDP in A10 Control.
    Client Secret: This value is used as the Client Secret when configuring Okta as an IDP in A10 Control.

Configure Okta for A10 Control Integration

After registering A10 Control, you must perform the following configuration steps in Okta:

  1. Add Users and Groups.

    1. Navigate to the Directory > People page to add users, see Add User.
    2. Navigate to the Directory > Groups page to create a group, see Add Group.
    3. Assign a user to a group in Groups page, see Assign a User to a Group.
  2. Configure Authorization Server and Claims.

    1. Navigate to Security > API > Authorization Servers, and select the default or your configured authorization server.

    2. On the Settings tab of the selected authorization server, note the Issuer Metadata URI.

      This value is used as the IDP URL when configuring Okta as an IDP in A10 Control.

    3. Click Scopes tab > Add Scope to create a custom scope for A10 Control, see Add a Scope, with the following values:

      Name/Display phrase: okta.myAccount.read
      Description: A10 Control validation
      User consent: Implicit
      Metadata: Include in public metadata

      NOTE: This scope is used by A10 Control for Client Credentials Flow verification.
    4. Click Claims tab > Add Claim to add:

      • Group Claim for standard A10 Control authorization, see Add custom Group Claim, with the following values:

        Name: groups (exact match)
          The claim name must be exactly groups, as A10 Control uses this key to retrieve group information from the ID Token.
        Include in token type: ID Token → Always
        Value type: Groups
        Filter: Matches regex → okta.*
          The filter can be customized to your organizational structure.
        Include in: Any scope

        NOTE: This claim is required by A10 Control to retrieve group membership for access mapping.
      • AMR Claim for Multi-Factor Authentication (MFA) A10 Control authorization, see Add custom Group Claim, with the following values:

        Name: amr (exact match)
        Include in token type: ID Token → Access Token
        Value type: applicable
        Always include in token

        NOTE: This enables Keycloak (A10 Control's backend IDP engine) to detect MFA via the amr claim.

        For additional Okta-side MFA configuration, see Configure MFA for Okta users.

    5. Click Access Policies tab > Add New Access Policy to add a new access policy for A10 Control:

      NOTE: Without an access policy, A10 Control authentication requests will be blocked.
    6. Click Token Preview to test all the configuration for authorization server and preview the resulting token, see Test your authorization server configuration.

  3. Configure MFA for Okta users

    While A10 Control does not enforce MFA directly, it supports federated MFA using Okta.

    To configure MFA in Okta:

    1. Navigate to Security > Multifactor > Factor Types to enable required MFA factors (e.g., Okta Verify, SMS, Email, TOTP), see Multifactor Authentication.
    2. Navigate to Security > Multifactor > Enrollment to specify when MFA is required, see Define MFA Enrollment Policy.

    3. Navigate to Security > Authentication Policies to either modify the default policy or create a new one, see Set MFA in Authentication Policy.

      1. Add or modify a rule to Require any 2 factors in the policy.
      2. Assign the policy to your A10 Control app.

Create Okta Access Groups in A10 Control

To create Okta access groups in A10 Control, see Manage Access Group. Ensure that the A10 Control access group name exactly matches the corresponding Okta group name (case-sensitive).

Map Okta Access Groups to IDP User groups in A10 Control

To map Okta access groups to IDP user groups in A10 Control, see Manage IDP Groups.

Add Okta as an IDP in A10 Control

To add Okta as an IDP in A10 Control, see Manage User Auth.

Verify and Test Okta Integration

  1. Ask an Okta user to log in to the A10 Control portal with correct credentials.
  2. Verify that the user is redirected to the Okta login page for authentication.

  3. If MFA is enabled, confirm that a second-factor challenge is presented.
  4. After successful login, verify that the user is assigned the correct role on the A10 Control home page > Profile icon > User Profile, or check that the user appears under A10 Control home page > Organization > Users > Users tab with the External User column marked as Yes.
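
The claim requirements described earlier (a claim named exactly groups, an amr claim, and access group names that match Okta group names case-sensitively) can be checked against the JSON shown by Token Preview before any user logs in. The following is an added example, not A10 or Okta code: the function name, sample payloads and group names are constructed, and treating the RFC 8176 value "mfa" in amr as the MFA signal is an assumption.

```python
def audit_token_preview(payload, a10_access_groups):
    """Return a list of problems; an empty list means the payload looks right.

    payload           -- decoded token claims (dict), as shown by Token Preview
    a10_access_groups -- access group names exactly as created in A10 Control
    """
    problems = []

    # The claim key must be exactly "groups"; "Groups" or "group" is a different key.
    groups = payload.get("groups")
    if groups is None:
        near = [k for k in payload if k != "groups" and k.lower() in ("groups", "group")]
        hint = f" (found {near[0]!r} instead)" if near else ""
        problems.append("missing 'groups' claim" + hint)
        groups = []
    elif not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        problems.append("'groups' must be a list of group-name strings")
        groups = []
    elif not groups:
        problems.append("'groups' is empty: check the claim filter and membership")

    # Access group names must equal Okta group names, case included.
    folded = {name.casefold(): name for name in a10_access_groups}
    for g in groups:
        twin = folded.get(g.casefold())
        if g not in a10_access_groups and twin:
            problems.append(f"group {g!r} differs only in case from {twin!r}")
    if groups and not any(g in a10_access_groups for g in groups):
        problems.append("no token group matches an A10 Control access group")

    # Assumption: a completed second factor shows up as the RFC 8176 value "mfa".
    amr = payload.get("amr")
    if amr is None:
        problems.append("missing 'amr' claim")
    elif not isinstance(amr, list) or "mfa" not in amr:
        problems.append(f"'amr' is {amr!r}: no 'mfa' value present")
    return problems


# Constructed sample payloads and group names (not real tokens or tenants).
A10_GROUPS = {"okta-netops", "okta-secops"}
GOOD = {"sub": "user1", "groups": ["okta-netops"], "amr": ["pwd", "mfa", "otp"]}
WRONG_KEY = {"sub": "user1", "Groups": ["okta-netops"], "amr": ["pwd"]}
WRONG_CASE = {"sub": "user1", "groups": ["okta-NetOps"], "amr": ["mfa", "pwd"]}

if __name__ == "__main__":
    for name, p in (("GOOD", GOOD), ("WRONG_KEY", WRONG_KEY), ("WRONG_CASE", WRONG_CASE)):
        print(name, audit_token_preview(p, A10_GROUPS) or "ok")
```

The function only inspects claims that have already been decoded; it does not verify a token signature.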

Copyright © 2025 A10 Networks, Inc. All Rights Reserved.