Implement Okta SSO at ELB for specified endpoints

[lukeheath]

Goal

User story
As a Security Engineer,
I want specified /device/ endpoints returning device data to be behind my SSO
so I know device data is secure from access outside SSO authentication.

Tasks

1

• Review Okta Access Gateway documentation Finding: The Okta access gateway requires a VM which is incompatible with our serverless model for cloud.

2

• Review https://github.com/itzg/saml-auth-proxy
• Containerized reverse proxy. Decision: Build PoC using saml-auth-proxy.

3

• Test in dogfood environment.
• Estimated early week of 9/17.
• IN PROGRESS

4

• Deploy changes to other managed environments.
• Estimated late week of 9/17.

[rfairburn]

The okta access gateway requires a VM which is incompatible with our serverless model for cloud. https://github.com/itzg/saml-auth-proxy looks to be dockerized and is compatible with Okta. I will test it and see if it will meet our needs here.

[lukeheath]

Update:

1. We've verified that saml-auth-proxy is compatible with Okta SSO.
2. Currently implementing in our dogfood environment for internal testing.

[lukeheath]

@noahtalerman Update:

This is taking slightly longer than anticipated due to infrastructure support requirements. The current status is the Terraform module is built and passes a terraform validate check. Today, we are deploying to dogfood for additional testing. We expect to be ready to deploy to production environments next week.

[noahtalerman]

@lukeheath thanks for the update. Are we still on track for deploy to production environments this week?

[lukeheath]

@noahtalerman Yes, we are still on track for a production deployment by end of this week (cc @rfairburn)

[lukeheath]

@noahtalerman Update: We are currently applying Terraform SSO updates to customer staging environment.

[noahtalerman]

Thanks for the update!

[fleet-release]

Okta gate secured, Device data cloaked in cloud, Trust in each endpoint.