How to Set Okta as Identity Provider
Introduction
This basic tutorial demonstrates how to configure an application in Okta and integrate it with AI DIAL for identity and access management.
In AI DIAL, you can assign roles to Models, Applications, Addons, and Assistants to restrict the number of tokens that can be transmitted in a specific time frame. These roles and their limitations can be created in external systems and then assigned in AI DIAL's configuration.
Configuration Guidelines
Configure Okta
Note: Replace <chat_url> with the actual address of your AI DIAL Chat application.
Follow these steps to configure Okta:
- Create an Application: begin by creating an Application. You can refer to the official Okta documentation for detailed instructions on how to create an OIDC app integration.
- Configure Application Settings: under the Applications/Applications section, set the following parameters:
  - Sign-in redirect URIs: https://<chat_url>/api/auth/callback/okta
  - Sign-out redirect URIs: https://<chat_url>
- Obtain and save the Client ID and Client secret generated for your application.
- Enable API Scopes: under the Applications/Okta API Scopes section, enable the following scopes:
- okta.users.read
- okta.users.read.self
- Obtain Issuer URI and JWKS URI: under the Security/API section, locate the Issuer URI. The jwks_uri is published under the Issuer URI (in its OpenID Connect discovery document). Both values will be used in the AI DIAL Core configuration.
- Create Users: once the application integration is set up, create the necessary users. Refer to People to learn how to do this.
- (Optional) Create Groups: create the necessary Groups in Okta.
- (Optional) Assign People: assign users (People) to the relevant Groups.
- (Optional) Assign Application to Group: refer to Assign the Application to group to learn how to do this.
- (Optional) Configure ID Token: under the Applications/Sign On/OpenID Connect ID Token section, set Groups claim type to Filter and Groups claim filter to groups; Matches regex: .* . For more information, refer to the Okta documentation.
Configure AI DIAL
To enable AI DIAL Chat and AI DIAL Core to work with Okta, configure them with the necessary Okta-specific parameters.
AI DIAL Chat Settings
Add the following environment variables to AI DIAL Chat configuration. Refer to AI DIAL Chat for more details.
AUTH_OKTA_CLIENT_ID: "<okta_client_id>"
AUTH_OKTA_CLIENT_SECRET: "<okta_client_secret>"
AUTH_OKTA_ISSUER: "<okta_issuer>"
okta_issuer example: https://${yourOktaDomain}/oauth2/${authorizationServerId}
AI DIAL Core Settings
Add the following parameters to AI DIAL Core static settings. Refer to AI DIAL Core for more details.
aidial.identityProviders.okta.jwksUrl: "<okta_jwks_uri>"
aidial.identityProviders.okta.rolePath: "Groups"
aidial.identityProviders.okta.issuerPattern: '^https:\/\/${yourOktaAccount}\.okta\.com.*$'
aidial.identityProviders.okta.loggingKey: "sub"
aidial.identityProviders.okta.loggingSalt: "loggingSalt"
okta_jwks_uri example: https://${yourOktaDomain}/oauth2/${authorizationServerId}/v1/keys
Assignment of Roles
Once all the above steps are completed, including the ones marked as Optional, you can assign roles to Models, Applications, Addons, and Assistants.
In AI DIAL Core:
- Static settings: as the value for aidial.identityProviders.okta.rolePath, provide a claim from Okta.
- Dynamic settings: for userRoles, provide a specific claim value.
In this example, the okta-group-name claim value from the Groups Okta claim is configured for the chat-gpt-35-turbo model:
# Dynamic settings of AI DIAL Core
"models": {
  "chat-gpt-35-turbo": {
    "type": "chat",
    "endpoint": "http://localhost:7001/v1/openai/deployments/gpt-35-turbo/chat/completions",
    "upstreams": [
      {"endpoint": "http://localhost:7001", "key": "modelKey1"}
    ],
    "userRoles": ["okta-group-name"]
  }
}
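The following added example (not AI DIAL's own code) models how the Core settings above and the userRoles assignment combine to decide whether a token holder may use chat-gpt-35-turbo: the issuer is matched against issuerPattern, roles are read from the claim named by rolePath, and the model's userRoles must overlap them. The Okta account name "acme", the sample claims, the tightened issuer pattern and the salted-hash construction for the log identifier are assumptions of this example, not values or algorithms from the page.

```python
import hashlib
import re

# Static settings from the page, with "acme" substituted for ${yourOktaAccount}.
ISSUER_PATTERN = r'^https:\/\/acme\.okta\.com.*$'
ROLE_PATH = "Groups"
LOGGING_KEY = "sub"
LOGGING_SALT = "loggingSalt"

# Tightened variant (assumption): host must be exactly acme.okta.com, so an
# issuer whose host merely starts with "acme.okta.com" is rejected.
STRICT_ISSUER_PATTERN = r'^https://acme\.okta\.com(/|$)'

# Dynamic settings fragment from the page, reduced to the role requirement.
MODELS = {
    "chat-gpt-35-turbo": {"userRoles": ["okta-group-name"]},
}


def issuer_ok(claims, pattern=ISSUER_PATTERN):
    """True when the token's iss claim matches the configured issuerPattern."""
    return re.match(pattern, claims.get("iss", "")) is not None


def user_roles(claims, role_path=ROLE_PATH):
    """Roles come from the claim named by rolePath; a missing claim means none."""
    roles = claims.get(role_path, [])
    if isinstance(roles, str):  # tolerate a single-valued claim
        roles = [roles]
    return set(roles)


def can_use_model(claims, model_name):
    """Allow only a valid issuer whose roles overlap the model's userRoles."""
    if not issuer_ok(claims):
        return False
    model = MODELS.get(model_name)
    if model is None:
        return False
    return bool(set(model.get("userRoles", [])) & user_roles(claims))


def log_identifier(claims):
    """Pseudonymous identifier for logs: loggingKey hashed with loggingSalt.
    This salted SHA-256 is an assumed construction, not DIAL's exact one."""
    return hashlib.sha256((LOGGING_SALT + claims[LOGGING_KEY]).encode()).hexdigest()
```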