Configuring SSO with Okta for Group Access Using Claims

Prerequisites

Ensure you have completed the end-to-end setup to log into your Tyk Dashboard via Okta. Refer to the official documentation for guidance:
OIDC with Okta

Step 1: Creating a Group

1. Navigate to Groups in Okta.
2. Create a new group named tyk-read-only.

1. Assign a user to this group.

Step 2: Configuring Claims

1. Go to Security > API in Okta.
2. Click on the Authorization Servers tab.
3. Select the appropriate Authorization Server (e.g., the default server).

1. Navigate to the Claims section.
2. Click Add Claim and configure it with the following details:

1. Click Save.

Step 3: Verifying the Token

1. Still within the Authorization Server settings, go to the Token Preview tab.
2. Preview your token to ensure the claims are applied correctly.

Step 4: Configuring Tyk TIB

Below is an example of a working Tyk TIB configuration with group mapping:

• The CustomUserGroupField  is mapped to the Okta claim group-access
• The UserGroupMapping includes the Okta group tyk-read-only and its corresponding Tyk group ID.

"DefaultUserGroupID": "675b3495421aa91def668a51",
"CustomUserGroupField": "group-access",
"UserGroupMapping": {
"tyk-read-only": "675b3474421aa91def668a50"
},
"UserGroupSeparator": "",
"SSOOnlyForRegisteredUsers": false
}

Important Notes

• If SSO login is unable to detect the correct group, ensure that the DiscoverURL in the Tyk TIB profile points to the correct Authorization Server.
• The openid and email scopes must be included in the TIB profile for authentication to work correctly. Below is an example of a properly configured UseProviders section: