Using Okta as an Identity Provider for VPN access

Chris Dakin

If you want to use Okta as your authentication source for connecting your VPN clients through LogonBox, this article will show you how to set it up.

To do this, we will use SAML, with LogonBox being the Service Provider (SP) and Okta being the Identity Provider (IdP).

Okta configuration

Log in to your Okta admin console, expand Applications in the left menu and click on Applications.

Click Create App Integration.

Select SAML 2.0 and click Next.

Give the new app a name, such as LogonBox and optionally upload a logo and click Next.

For the Single sign-on URL, enter https://<logonboxserver>/app/api/saml/process, replacing <logonboxserver> with the hostname of your LogonBox server.

Set the Entity ID to https://<logonboxserver> in the same way.

Set Name ID format to EmailAddress.

The rest of the settings can be left as default, scroll down and click Next.

Select 'I'm an Okta customer adding an internal app' and click Finish.

Click on View Setup Instructions.

Copy the Identity Provider Single Sign-On URL and the Identity Provider Issuer.

Click Download certificate to get the cert.

These three items (the Single Sign-On URL, the Issuer and the certificate) are all the LogonBox server needs. Once the assignment step below is done, you can close the Okta configuration and log off your account.

Finally, in the Assignments tab, click Assign and assign the users and/or groups you want to grant access to this application.

LogonBox Configuration

LogonBox can now be configured to use Okta for User Login, for the LogonBox VPN Client, or for any combination of these.

This article will cover LogonBox VPN Client specifically, but the same steps apply for the other authentication flows.

Log on to your LogonBox server with your admin account.

We first need to install the SAML Authentication feature. Navigate to Updates, Feature & Licensing and click the Authentication tab.

Click the download icon next to SAML Authentication, click Accept, then restart the LogonBox service with the restart icon at bottom right.

Log back on as your admin account and navigate to Authentication Flows.

Click the Edit icon next to the LogonBox VPN Client authentication scheme.

On a new system this flow contains just the Username+password module. Delete it (and any other modules that might be present) with the delete icon on the module.

Now add the orange SAML module, then click the edit icon on the module.

For Entity ID, paste the Identity Provider Issuer that was copied from the Okta configuration earlier.

For Sign-in URL and Sign-out URL, paste the Identity Provider Single Sign-On URL that was copied earlier.

For Certificate, click Choose file and select the certificate file downloaded earlier.

Click Apply to save the changes.

Finally, click Save at the bottom of the page to save the authentication flow.

Your LogonBox server is now ready to authenticate users against Okta.
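As an added example (not part of this article and not LogonBox or Okta code), here is a small Python check that decodes a SAML Response and compares it with the three values configured above: the IdP Issuer used as Entity ID, the ACS URL and the emailAddress Name ID format. The hostname vpn.example.com, the user and the Okta issuer value in the sample are placeholders.

```python
# Added example, not from the LogonBox/Okta article: decode a SAML Response
# and report which configured value it disagrees with. Handy when a VPN
# login bounces back to LogonBox with an error. It does NOT verify the XML
# signature; LogonBox does that with the uploaded Okta certificate.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_saml_response(b64_response, idp_issuer, sp_entity_id, acs_url):
    """Return a list of mismatches; an empty list means the response agrees
    with the configured Entity ID, ACS URL, audience and Name ID format."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_issuer:
        problems.append(f"Issuer {issuer!r} != configured Entity ID {idp_issuer!r}")
    dest = root.get("Destination", "")
    if dest != acs_url:
        problems.append(f"Destination {dest!r} != ACS URL {acs_url!r}")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("assertion has no NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format {name_id.get('Format')!r} is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append(f"NameID {name_id.text!r} is not an email address")
    audiences = [a.text for a in root.findall(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"SP Entity ID {sp_entity_id!r} not in Audience {audiences}")
    return problems

# Constructed, unsigned sample response; hostnames and the issuer are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://vpn.example.com/app/api/saml/process">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://vpn.example.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_B64, "http://www.okta.com/exkPLACEHOLDER",
          "https://vpn.example.com", "https://vpn.example.com/app/api/saml/process"))
```

To check a real login, take the base64 SAMLResponse form field from the browser's network log and pass it in place of SAMPLE_B64 with your own Issuer, Entity ID and ACS URL.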

Testing

Prerequisite: you must have a user configured on your LogonBox server whose email address matches an Okta account, since the Name ID that Okta sends is the user's email address.

Download and install the LogonBox VPN Client. This can be done by logging a user on to the web UI and clicking the appropriate icon in the Devices section.

When the client is installed, launch it. Type in the address of your LogonBox VPN server and click Connect.

Click Next to start the authentication process.

You are redirected to your Okta sign-in page. Enter your Okta user credentials and click Sign in.

You are then redirected back to LogonBox to complete the authentication.

Your client is now registered and connected to the VPN.