Use NGINX to integrate with Okta

Hi, I’m trying to use NGINX to integrate Okta with Boundary.
Boundary is running on AWS with 1 controller, 1 worker, and ALB.
I chose to set all of them in private subnets and use a VPN to access the ALB.
Without Okta it works well.

I created an NGINX container on the controller instance which is connected to the Okta application and needs to forward me to Boundary after successful authentication.

I tried to pass basic authentication in the nginx.conf file but it’s not working:
proxy_pass http://localhost:9200;
proxy_set_header Authorization "Basic <user:password encoded> ";

I need your help to understand what I need to pass to authenticate to Boundary. I guess it has to be something related to how I authenticate in the CLI (boundary authenticate).

Thank you.

Hi @danieldrey - Boundary doesn’t accept HTTP basic authentication. Boundary uses token generation during the authentication flow to handle authN from clients.

Hi @malnick, thank you for your reply.
I tried another approach:
I used Postman to send a POST request to the Boundary authenticate URL with the body I saw worked for the login page in the UI. I got a 200 response, so it worked.
I went and tried it in the nginx configuration, it looked like this in the nginx.conf file:

proxy_method POST;
proxy_pass http://localhost:9200/v1/auth-methods/auth_method_id:authenticate;
proxy_set_body '{"token_type":null,"credentials":{"login_name":"admin","password":"password"}}';

But I still get a 500 when accessing the nginx container (which is on the controller instance).
Any idea why?

@danieldrey - is nginx handling a SAML flow to Okta? Instead of having Nginx auth with Boundary, why not have it route the connection if Okta auth is successful, then the client connecting through Nginx can do the authentication flow.

Note, I’m not in any way an expert on this Okta/Nginx integration, this is my best guess.

Thanks

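The routing approach suggested in the reply above, as an added example that is not from the thread or from the Boundary or NGINX projects: NGINX only gates requests on an Okta session check and forwards them unchanged to the controller on port 9200, so no Boundary credentials live in nginx.conf. The session-checking service on 127.0.0.1:4180, its `/check` and `/okta/login` paths, and the `/_okta_check` location name are assumptions.

```nginx
# Added example. Assumptions (not from the thread): an Okta-aware session
# checker (an OIDC or SAML sidecar) listens on 127.0.0.1:4180, answers 2xx
# for a valid Okta session and 401 otherwise, and serves the Okta login and
# callback under /okta/.
events {}

http {
    server {
        listen 80;  # assumption: TLS terminates upstream at the ALB

        # Internal subrequest target used by auth_request below.
        location = /_okta_check {
            internal;
            proxy_pass http://127.0.0.1:4180/check;   # hypothetical endpoint
            proxy_pass_request_body off;               # cookies and headers are enough
            proxy_set_header Content-Length "";
            proxy_set_header X-Original-URI $request_uri;
        }

        # Login and callback handling of the assumed Okta service.
        location /okta/ {
            proxy_pass http://127.0.0.1:4180;
        }

        # Everything else reaches the Boundary controller only after the
        # Okta check has passed.
        location / {
            auth_request /_okta_check;
            error_page 401 = @okta_login;

            # Forward the request as the client sent it: no proxy_method,
            # no proxy_set_body, no injected Authorization header. The
            # client runs Boundary's own authentication flow and holds its
            # own Boundary token.
            proxy_pass http://localhost:9200;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location @okta_login {
            return 302 /okta/login?rd=$request_uri;   # hypothetical login path
        }
    }
}
```

Compared with the `proxy_set_body` attempt earlier in the thread, this keeps the admin password out of the proxy configuration and does not turn every request into an authenticate POST made as one shared account.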

Thank you, that’s exactly what I need.
Any idea how it can be done?

If you are not familiar with nginx, I would love to get an answer from anyone else here 🙂

OK, so I was able to get authenticated in Okta, but I’m still having difficulty getting NGINX to pass me through into Boundary.

I’m trying to find a way to POST an authentication request to Boundary (after successful Okta authentication), and with the token to log in to the console without entering username and password.

The POST part is easy, but how do I use the token to authenticate into the console?