
How to Configure Authentication on ALB Using Okta OIDC

3 minute read
Content level: Intermediate

Application Load Balancer (ALB) supports user authentication through OpenID Connect (OIDC) with external Identity Providers (IdPs). This article walks through how to configure user authentication on an ALB using Okta as your OIDC provider.

Prerequisites

  • An AWS account with an ALB deployed
  • A custom domain with DNS pointing to the ALB
  • An HTTPS listener configured on the ALB
  • An Okta account (sign up for a free 30-day trial)

Note: Okta requires a custom domain for the redirect URI. You cannot use the default ALB DNS name. Make sure your custom domain resolves to the ALB and that the HTTPS listener is configured with a valid certificate for that domain.


Step 1: Create an Okta Application

  1. Log in to the Okta Admin Console.
  2. Navigate to Applications > Applications.
  3. Click Create App Integration with the following settings:
    • Sign-in method: OIDC - OpenID Connect
    • Application type: Web Application
  4. Under General Settings:
    • App integration name: App (or your preferred name)
    • Grant type: Authorization Code
  5. Set the Sign-in redirect URI to:
    https://<ALB_CUSTOM_DOMAIN>/oauth2/idpresponse
  6. Under Controlled access, assign access to specific users or groups that require access to the application.
  7. After creation, note the Client ID and Client Secret — you will need these when configuring the ALB listener.

Step 2: Add an Access Policy to the Authorization Server

  1. In the Okta Admin Console, go to Security > API.

  2. Select the default authorization server.

  3. Go to the Access Policies tab and click Add New Access Policy.

  4. Add a rule with the following settings (for testing purposes):

    Setting                                      Value
    -------------------------------------------  -------------------------
    Grant type                                   Authorization Code
    User                                         Any user assigned the app
    Scopes requested                             Any scopes
    Inline hook                                  None (disabled)
    Access token lifetime                        1 Hour
    Refresh token lifetime                       1 Day
    Refresh token expires if not used every      12 Hours
  5. Note the Okta Authorization Server DNS (e.g., trial-0000000.okta.com).


Step 3: Configure the ALB Listener

  1. Configure the HTTPS listener on your ALB with the following settings:
    • Protocol: HTTPS
    • Port: 443
    • Default action: Authenticate user
  2. Under the OIDC identity provider configuration, fill in the endpoints using your Okta Authorization Server DNS (Okta OpenID Connect & OAuth 2.0 API):

    Field                     Value
    ------------------------  -----------------------------------------------------
    Issuer                    https://<OKTA_DNS>/oauth2/default
    Authorization endpoint    https://<OKTA_DNS>/oauth2/default/v1/authorize
    Token endpoint            https://<OKTA_DNS>/oauth2/default/v1/token
    User info endpoint        https://<OKTA_DNS>/oauth2/default/v1/userinfo
    Client ID                 (from Step 1)
    Client Secret             (from Step 1)

    These endpoints are from the Okta default Custom Authorization Server. You can verify them by accessing the well-known configuration URL:

    https://<OKTA_DNS>/oauth2/default/.well-known/openid-configuration

    Reference: Okta Authorization Servers

  3. Set the Routing action to Forward to target group.

  4. For details on the ALB OIDC listener configuration fields (Issuer, AuthorizationEndpoint, TokenEndpoint, UserInfoEndpoint), see AuthenticateOidcActionConfig in the ALB API Reference.
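The following script is an added example, not part of the original article or of any AWS or Okta tooling. It builds the AuthenticateOidcConfig that Step 3 asks you to type into the listener from the Okta Authorization Server DNS, checks those four endpoints against the authorization server's well-known configuration document (a constructed sample is embedded so it runs offline; the optional fetch helper retrieves the real one), and emits the --default-actions document for `aws elbv2 modify-listener`. The tenant name, client ID, client secret and target group ARN are placeholders. The discovery check is the practitioner's safeguard against the most common mistake with this setup: pointing the ALB at the Okta org authorization server (https://<OKTA_DNS>) instead of the default Custom Authorization Server (https://<OKTA_DNS>/oauth2/default).

```python
import json
import urllib.request

# Placeholder tenant taken from the article's example; not a real Okta org.
OKTA_DNS = "trial-0000000.okta.com"

# Constructed sample of the fields the ALB needs from
# https://<OKTA_DNS>/oauth2/default/.well-known/openid-configuration
SAMPLE_DISCOVERY = {
    "issuer": f"https://{OKTA_DNS}/oauth2/default",
    "authorization_endpoint": f"https://{OKTA_DNS}/oauth2/default/v1/authorize",
    "token_endpoint": f"https://{OKTA_DNS}/oauth2/default/v1/token",
    "userinfo_endpoint": f"https://{OKTA_DNS}/oauth2/default/v1/userinfo",
    "jwks_uri": f"https://{OKTA_DNS}/oauth2/default/v1/keys",
}

# ALB field name -> key in the OIDC discovery document
DISCOVERY_FIELDS = {
    "Issuer": "issuer",
    "AuthorizationEndpoint": "authorization_endpoint",
    "TokenEndpoint": "token_endpoint",
    "UserInfoEndpoint": "userinfo_endpoint",
}


def okta_oidc_config(okta_dns, client_id, client_secret):
    """Build the ALB AuthenticateOidcConfig for Okta's default Custom Authorization Server.

    Scope, cookie name, session timeout and unauthenticated behaviour are the
    ALB defaults; override them if your policy differs.
    """
    base = f"https://{okta_dns}/oauth2/default"
    return {
        "Issuer": base,
        "AuthorizationEndpoint": f"{base}/v1/authorize",
        "TokenEndpoint": f"{base}/v1/token",
        "UserInfoEndpoint": f"{base}/v1/userinfo",
        "ClientId": client_id,
        "ClientSecret": client_secret,
        "Scope": "openid",
        "SessionCookieName": "AWSELBAuthSessionCookie",
        "SessionTimeout": 604800,          # seconds (7 days, the ALB default)
        "OnUnauthenticatedRequest": "authenticate",
    }


def check_against_discovery(config, discovery):
    """Compare the endpoints configured on the ALB with what the IdP publishes.

    Returns a list of (alb_field, configured, published) tuples for every
    mismatch; an empty list means the listener configuration agrees with the
    authorization server's metadata.
    """
    mismatches = []
    for alb_field, disc_key in DISCOVERY_FIELDS.items():
        published = discovery.get(disc_key)
        if config[alb_field] != published:
            mismatches.append((alb_field, config[alb_field], published))
    return mismatches


def fetch_discovery(okta_dns, timeout=10):
    """Download the live well-known document (network access required)."""
    url = f"https://{okta_dns}/oauth2/default/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def default_actions(config, target_group_arn):
    """The --default-actions document for `aws elbv2 modify-listener`.

    The authenticate-oidc action must run first (Order 1); the forward action
    to the target group runs only for authenticated requests (Order 2).
    """
    return [
        {"Type": "authenticate-oidc", "Order": 1, "AuthenticateOidcConfig": config},
        {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
    ]


if __name__ == "__main__":
    # Placeholders: replace with the values noted in Step 1 and your target group.
    cfg = okta_oidc_config(OKTA_DNS, "<CLIENT_ID>", "<CLIENT_SECRET>")
    problems = check_against_discovery(cfg, SAMPLE_DISCOVERY)
    if problems:
        for field, configured, published in problems:
            print(f"MISMATCH {field}: ALB has {configured!r}, IdP publishes {published!r}")
        raise SystemExit(1)
    print(json.dumps(default_actions(cfg, "<TARGET_GROUP_ARN>"), indent=2))
```

Write the printed JSON to a file and pass it as `--default-actions file://actions.json` to `aws elbv2 modify-listener --listener-arn <LISTENER_ARN>`; to check a real tenant, replace SAMPLE_DISCOVERY with `fetch_discovery(OKTA_DNS)`.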


References