
How to Set Okta as Identity Provider

Introduction

This basic tutorial demonstrates how to configure an application in Okta and integrate it with AI DIAL for identity and access management.

In AI DIAL, you can assign roles to Models, Applications, Addons, and Assistants to restrict the number of tokens that can be transmitted in a specific time frame. These roles and their limits can be defined in external systems such as Okta and then referenced in AI DIAL's configuration.

Configuration Guidelines

Configure Okta

Note: Replace <chat_url> with the actual address of your AI DIAL Chat application.

Follow these steps to configure Okta:

  1. Create an Application: create an OIDC app integration in Okta. Refer to the official Okta documentation for detailed instructions on how to create an OIDC app integration.
  2. Configure Application Settings: under the Applications/Applications section, set the following parameters:
    • Sign-in redirect URIs: https://<chat_url>/api/auth/callback/okta
    • Sign-out redirect URIs: https://<chat_url>
    • Obtain and save the Client ID and Client secret generated for your application.
  3. Enable API Scopes: under the Applications/Okta API Scopes section, enable the following scopes:
    • okta.users.read
    • okta.users.read.self
  4. Obtain Issuer URI and JWKS URI: under the Security/API section, locate the Issuer URI. The jwks_uri is published by that issuer in its OpenID Connect discovery document (<issuer>/.well-known/openid-configuration). Both values are used in the AI DIAL Core configuration.
  5. Create Users: once the application integration is set up, create the necessary users. Refer to People to learn how to do this.
  6. (Optional) Create Groups: create the necessary Groups in Okta.
  7. (Optional) Assign People: assign users (People) to the relevant Groups.
  8. (Optional) Assign Application to Group: refer to Assign the Application to group to learn how to do this.
  9. (Optional) Configure ID Token: under the Applications/Sign On/OpenID Connect ID Token section, set Groups claim type to Filter, and set Groups claim filter to groups with Matches regex and the value .*. This adds the user's Okta groups to the ID token. For more information, refer to the Okta documentation.

Configure AI DIAL

To enable AI DIAL Chat and AI DIAL Core to work with Okta, configure them with the necessary Okta-specific parameters.

AI DIAL Chat Settings

Add the following environment variables to the AI DIAL Chat configuration. Refer to AI DIAL Chat for more details.

AUTH_OKTA_CLIENT_ID: "<okta_client_id>"
AUTH_OKTA_CLIENT_SECRET: "<okta_client_secret>"
AUTH_OKTA_ISSUER: "<okta_issuer>"

okta_issuer example: https://${yourOktaDomain}/oauth2/${authorizationServerId}

AI DIAL Core Settings

Add the following parameters to the AI DIAL Core static settings. Refer to AI DIAL Core for more details.

aidial.identityProviders.okta.jwksUrl: "<okta_jwks_uri>"
aidial.identityProviders.okta.rolePath: "Groups"
aidial.identityProviders.okta.issuerPattern: '^https:\/\/${yourOktaAccount}\.okta\.com.*$'
aidial.identityProviders.okta.loggingKey: "sub"
aidial.identityProviders.okta.loggingSalt: "loggingSalt"

okta_jwks_uri example: https://${yourOktaDomain}/oauth2/${authorizationServerId}/v1/keys

Assignment of Roles

Once all the above steps are completed, including the ones marked as Optional, you can assign roles to Models, Applications, Addons, and Assistants.

In AI DIAL Core:

  • Static settings: as the value of aidial.identityProviders.okta.rolePath, provide the name of the Okta claim that carries the user's roles (here the Groups claim).
  • Dynamic settings: in userRoles, list the specific claim values (group names) that are allowed to use the deployment.

In this example, the okta-group-name value of the Groups Okta claim is required for the chat-gpt-35-turbo model:

# Dynamic settings of AI DIAL Core
"models": {
  "chat-gpt-35-turbo": {
    "type": "chat",
    "endpoint": "http://localhost:7001/v1/openai/deployments/gpt-35-turbo/chat/completions",
    "upstreams": [
      {"endpoint": "http://localhost:7001", "key": "modelKey1"}
    ],
    "userRoles": ["okta-group-name"]
  }
}
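The authorization decision these settings drive, as an added Python example that is not part of AI DIAL's code: it models the step after the token signature has been verified against jwksUrl, checks iss against issuerPattern, reads the roles at rolePath and matches them against each model's userRoles. All settings, claims and model names are constructed stand-ins, and the issuer pattern is anchored to the authorization-server path rather than ending in the page's ".*$" so that a look-alike hostname is rejected; the rule that a model with no userRoles is open to every authenticated user is an assumption.

```python
import re

# Constructed stand-in for the AI DIAL Core static settings on this page. The
# issuer pattern is anchored to the authorization-server path instead of the
# page's trailing ".*$", so example.okta.com.evil.test does not satisfy it.
STATIC_SETTINGS = {
    "rolePath": "Groups",
    "issuerPattern": r"^https://example\.okta\.com/oauth2/[^/]+$",
}

# Constructed claims of an ID token whose signature has ALREADY been verified
# against jwksUrl; only the authorization step after that is modelled here.
VERIFIED_CLAIMS = {
    "iss": "https://example.okta.com/oauth2/default",
    "sub": "00u0examplesub",
    "Groups": ["okta-group-name", "Everyone"],
}

# Constructed dynamic settings. Assumption: a model without userRoles is open
# to every authenticated user; otherwise at least one listed role is required.
MODELS = {
    "chat-gpt-35-turbo": {"userRoles": ["okta-group-name"]},
    "gpt-4-restricted": {"userRoles": ["finance-team"]},
    "public-echo": {},
}


def issuer_accepted(claims, settings):
    """Defence-in-depth check that iss matches the configured issuer pattern."""
    return re.fullmatch(settings["issuerPattern"], claims.get("iss", "")) is not None


def extract_roles(claims, role_path):
    """Read the role list at rolePath; a dotted path descends into nested claims."""
    node = claims
    for part in role_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []  # a missing claim means no roles, not an error
        node = node[part]
    return list(node) if isinstance(node, list) else [str(node)]


def accessible_models(claims, settings, models):
    """Names of the models the caller may use; an untrusted issuer yields none."""
    if not issuer_accepted(claims, settings):
        return []
    roles = set(extract_roles(claims, settings["rolePath"]))
    return sorted(name for name, cfg in models.items()
                  if not cfg.get("userRoles") or roles & set(cfg["userRoles"]))
```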