Skip to main content
In this tutorial, you’ll configure HashiCorp Vault to authenticate users through Okta. You will:
  1. Create an Okta API token
  2. Enable and verify the Okta auth method in Vault
  3. Configure Vault with your Okta organization details
  4. Map Okta users (and groups) to Vault policies
  5. Sign in to Vault via Okta (CLI and UI)
By the end, Vault will trust Okta as an identity provider, enforcing your Vault policies based on Okta users and groups.

1. Create an Okta API Token

  1. Log in to the Okta Admin Console.
  2. Go to SecurityAPITokens.
  3. Click Create Token, give it a descriptive name (for example, Vault-Integration), and copy the generated token.
The image shows a web interface for creating an API token on Okta, with a pop-up message confirming the token creation and displaying the token value.
Treat your Okta API token like a password. Store it securely (for example, in Vault’s Cubbyhole or an environment variable).

2. Enable the Okta Auth Method in Vault

On your Vault server (shown here running in dev mode), enable the Okta auth backend: 
vault auth enable okta
vault auth list
PathTypeDescription
okta/oktaOkta authentication
token/tokenBuilt-in token provider
Sample output: 
Path    Type   Accessor
----    ----   --------
okta/   okta   auth_okta_90844582
token/  token  auth_token_0ba527c3

3. Configure the Okta Auth Method

Provide Vault with your Okta base URL, organization name, and the API token you created: 
vault write auth/okta/config \
  base_url="okta.com" \
  org_name="your-org-name" \
  api_token="00SkFU6jMj8HkcuH03AUs6zdiGzQFTOBebVbbP9K"
Verify the settings: 
vault read auth/okta/config
Expected response: 
Key                     Value
---                     -----
base_url                okta.com
org_name                your-org-name
organization            your-org-name
bypass_okta_mfa         false
token_policies          []
...
If your organization requires multi-factor authentication, set bypass_okta_mfa to false (default) to enforce it.

4. Map an Okta User to a Vault Policy

Assign an Okta user (for example, [email protected]) to a Vault policy (e.g., bryan): 
vault write auth/okta/users/[email protected] policies=bryan
Output: 
Success! Data written to: auth/okta/users/[email protected]
Resource TypeExample Command
Map Uservault write auth/okta/users/[email protected] policies=developer
Map Groupvault write auth/okta/groups/engineering policies=eng-team

5. Sign in to Vault via Okta

CLI Authentication

vault login -method=okta username="[email protected]"
You will be prompted for your Okta password and any additional MFA factors.

UI Authentication

  1. Open the Vault UI and select Okta as the login method.
  2. Enter your Okta username and password, then click Sign in.
The image shows a login page for "Vault" with fields for method, username, and password, and a "Sign in" button. The method selected is "Okta."
After signing in, view mapped users under AccessOktaUsers. You can also add or edit users:
The image shows a user interface for creating a new user in a system, with fields for name, groups, and policies, and options to save or cancel.
To map Okta groups in Vault, navigate to AccessOktaGroups, specify the group name and Vault policies, then save:
The image shows a web interface for creating a group in a Vault application, with fields for entering a name and policies, and options to save or cancel. A pop-up warning about unsaved changes is also visible.
With these steps complete, Vault is now integrated with Okta for user and group authentication. Policies defined in Vault will be enforced based on your Okta identities.

Watch Video