On Wed, Nov 09, 2022 at 08:09:16PM -0000, Russ Long via FreeIPA-users wrote:
> Hello,
>
> I am working on a test environment to test the integration of Okta as an
> external IDP. According to the docs, this is supported, however there is no
> okta-specific documentation that I can find.

Hi,

which version of SSSD are you using? There are some fixes affecting Okta as well which were added recently, see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2111388.

bye,
Sumit

> I have okta configured as follows:
>
> [root@ipa-primary ~]# ipa idp-show okta
> Identity Provider server name: okta
> Authorization URI: https://ORGNAME.okta.com/oauth2/v1/authorize
> Device authorization URI: https://ORGNAME.okta.com/oauth2/v1/device/authorize
> Token URI: https://ORGNAME.okta.com/oauth2/v1/token
> User info URI: https://ORGNAME.okta.com/oauth2/v1/userinfo
> Client identifier: CLIENTID
> Scope: openid email
> External IdP user identifier attribute: email
>
> I also have the Secret configured, as the Okta side is configured to require
> the secret.
>
> When I attempt to perform a login operation using a user configured for this
> external IDP, I get the following errors (partially redacted for brevity and
> security):
>
> Nov 09 14:58:43 ipa-primary.ipa.DOMAIN.COM oidc_child[5749]: libcurl: > POST /oauth2/v1/device/authorize HTTP/2
> > Host: ORGNAME.okta.com
> > user-agent: SSSD oidc_child/0.0
> > accept: application/json
> > content-length: 49
> > content-type: application/x-www-form-urlencoded
>
> Nov 09 14:58:43 ipa-primary.ipa.DOMAIN.COM oidc_child[5749]: {"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}
>
> Is there any Okta-specific documentation I can reference, or does anyone know
> where my configuration issue may be?
>
> Thanks,
> Russ

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
