{"id":28749654,"url":"https://github.com/psigen/rundeck-okta-example","last_synced_at":"2026-01-30T21:38:07.256Z","repository":{"id":280331485,"uuid":"941641794","full_name":"psigen/rundeck-okta-example","owner":"psigen","description":"Minimal example of using Rundeck Community with Okta via `nginx` and `vouch`","archived":false,"fork":false,"pushed_at":"2025-03-02T19:07:17.000Z","size":5,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-16T20:50:51.556Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Starlark","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/psigen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-03-02T19:03:00.000Z","updated_at":"2025-03-02T19:07:21.000Z","dependencies_parsed_at":"2025-03-02T20:19:58.954Z","dependency_job_id":"fc8d78ea-7b9f-4ba2-a5b5-74f1d6b01146","html_url":"https://github.com/psigen/rundeck-okta-example","commit_stats":null,"previous_names":["psigen/rundeck-okta-example"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/psigen/rundeck-okta-example","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psigen%2Frundeck-okta-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psigen%2Frundeck-okta-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psigen%2Frundeck-okta-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psigen%2Frundeck-okta-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/psigen","download_url":"https://codeload.github.com/psigen/rundeck-okta-example/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psigen%2Frundeck-okta-example/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28919754,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T20:25:28.696Z","status":"ssl_error","status_checked_at":"2026-01-30T20:25:13.426Z","response_time":66,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-16T20:44:04.187Z","updated_at":"2026-01-30T21:38:07.237Z","avatar_url":"https://github.com/psigen.png","language":"Starlark","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Rundeck\n\nThis is a working example of integrating Rundeck with Okta SSO. It uses\nvouch-proxy and nginx to create an authentication shim that passes the logged in\nuser and roles to Rundeck via its preauthenticated system.\n\n1.  In Okta, create an **OIDC** application as per\n    [this guide](#setting-up-an-okta-app).\n\n2.  Create an `.env` file with the following content:\n\n    ```bash\n    OKTA_CLIENT_ID=\u003cokta_client_id\u003e\n    OKTA_CLIENT_SECRET=\u003cokta_client_secret\u003e\n    OKTA_DOMAIN=\u003cokta_domain\u003e.okta.com\n    ```\n\n3.  Start the local server using either `docker-compose` or `tilt`:\n\n    ```bash\n    docker compose up -d\n    # -- or --\n    tilt up\n    ```\n\n## Setting up an Okta app\n\n1. Log into the Admin Console.\n\n2. Browse to `Applications` and select `Create App Integration`.\n\n3. Select `OIDC - OpenID Connect` as the **Sign-in method**, and\n   `Web Application` as the **Application type**\n\n4. On the **New Web App Integration** page:\n\n   - Fill in anything you like for the **App integration name** and **Logo**\n   - For **Sign-in redirect URIs** add a single entry of\n     `http://localhost:8080/vouch/auth`\n   - For **Sign-out redirect URIs** add a single entry of\n     `http://localhost:8080/user/login`\n   - Leave **Trusted Origins - Base URIs** blank.\n   - For **Assignments - Controlled access**, choose\n     `Skip group assignment for now`, and manually add users or groups to the\n     app later.\n   - Click `Create` to generate the app.\n\n5. On the **Applications - [App Name]** page:\n\n   - Copy the **Client Credentials - Client ID** for use in the `.env` file.\n   - Copy the **Client Secrets - Secret** for use in the `.env` file.\n   - Click on the **Sign On** tab, then click the **Settings - Sign on methods**\n     `Configure profile mapping` link.\n   - Click `[x]` to close the **[App Name] - User Profile Mappings** page.\n\n6. On the **Profile Editor** page:\n\n   - Click on the `+ Add Attibute` button.\n   - Fill in the form with the following values:\n\n     - **Data type**: `string`\n     - **Display name**: `Roles`\n     - **Variable name**: `roles`\n     - **Description**: `Roles assigned to user in Rundeck`\n     - **Enum**: `[x]` _(checked)_\n     - **Attribute Members**:\n       - **Display name**: `Admin`, **Value**: `admin`\n       - **Display name**: `Ops Admin`, **Value**: `ops_admin`\n       - **Display name**: `App Admin`, **Value**: `app_admin`\n       - **Display name**: `User`, **Value**: `user`\n     - **Attribute required**: `[x]` _checked_\n     - **Attribute type**: `Group`\n\n   - Click the `Save` button.\n\n## Errata\n\n- For some reason, when a role assignment is changed in Okta, on the next\n  signout/signin cycle, Rundeck will store _both_ the old and new roles. A\n  subsequent signout/signin cycle will only have the new role.\n\n## References\n\n- https://developer.okta.com/blog/2018/08/28/nginx-auth-request\n- https://docs.rundeck.com/docs/administration/security/authentication.html#preauthenticated-mode-using-headers\n- https://github.com/vouch/vouch-proxy?tab=readme-ov-file#vouch-proxy-in-a-path\n- https://github.com/rundeck/rundeck/issues/5656\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsigen%2Frundeck-okta-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpsigen%2Frundeck-okta-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsigen%2Frundeck-okta-example/lists"}