How to use an existing Identity Provider (like Okta, Auth0) with Katanemo?
If you already have a login experience and identity provider (such as Okta or Auth0) for your service, but want to use the remaining functionality that Katanemo offers (self-service enterprise SSO, fine-grained authorization, safety policies for your API paths and methods, etc.), you can use your existing identity pool with Katanemo. Your IdP (identity provider) must issue JSON Web Tokens (JWTs) for the integration to work.
The following steps let you bring your own IdP to Katanemo.
- When you create a new Service, provide your IdP's JWKS endpoint, https://{yourDomain}/.well-known/jwks.json. Katanemo uses the public keys published at this endpoint to validate the signatures of JWTs issued by your IdP. You must also supply the sign-in URL and log-out URL for your service.
- Next, create an organization for each customer via Katanemo's POST:/org API. This API takes a list of sub values (usernames) that will be given admin privileges to operate on resources and APIs in Katanemo. The POST:/org API also lets you map assertions (upstream JWT claims) to roles, so that users are bound to their respective fine-grained permissions and scopes.
- Lastly, call the /token endpoint to exchange the IdP token for a Katanemo token, so that the user's token carries the scopes and roles Katanemo uses for authorization. The new token contains all custom claims from the upstream token, plus additional claims under the Katanemo_metadata section of the token.
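The three steps above, run end to end as an added example. This is not Katanemo's code and the real POST:/org body and /token behaviour are not documented on this page, so the organization fields (domain, admins, assertions), the role names, the kid values, the issuer https://idp.example and the Katanemo issuer string are all assumptions. The example stays dependency-free by hand-rolling RS256 over a small constructed RSA test key; it shows what a JWKS-based verifier has to check before exchanging an upstream token (pinned alg, key selected by kid, signature, iss, exp) and how upstream claims and assertion-to-role mappings end up in the new token.

```python
import base64, hashlib, hmac, json, secrets

def _is_probable_prime(n, rounds=24):
    # Miller-Rabin, good enough for a throwaway test key
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def _random_prime(bits):
    c = 0
    while not _is_probable_prime(c):
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    return c

def make_rsa_key(bits=512):
    # Constructed test key: 512 bits is far too small for real use but keeps the demo fast
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwks_for(key, kid):
    # What an IdP serves at /.well-known/jwks.json: public parts only, selected by kid
    enc = lambda i: b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def _emsa_pkcs1_v15(msg, k):  # EMSA-PKCS1-v1_5 of SHA-256(msg); k = modulus length in bytes
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, signing_input):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, signing_input, sig):
    n, e = (int.from_bytes(b64u_dec(jwk[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def jwt_encode(claims, key, kid):
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    si = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return si + "." + b64u(rs256_sign(key, si.encode()))

def jwt_verify(token, jwks, issuer, now):
    # Validate against a JWKS: pin the alg, pick the key by kid, then check signature, iss, exp
    h, p, s = token.split(".")
    header = json.loads(b64u_dec(h))
    if header.get("alg") != "RS256": raise ValueError("unexpected alg")  # no alg=none / HS256 confusion
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None or not rs256_verify(jwk, (h + "." + p).encode(), b64u_dec(s)):
        raise ValueError("unknown kid or bad signature")
    claims = json.loads(b64u_dec(p))
    if claims.get("iss") != issuer or claims.get("exp", 0) <= now: raise ValueError("wrong iss or expired")
    return claims

def exchange_token(upstream_token, jwks, issuer, org, kat_key, now):
    # The /token step: verify the IdP token, keep all its claims, add Katanemo_metadata (org schema assumed)
    up = jwt_verify(upstream_token, jwks, issuer, now)
    roles = {"admin"} if up.get("sub") in org["admins"] else set()
    for rule in org["assertions"]:  # upstream claim/value -> role
        v = up.get(rule["claim"])
        if v == rule["value"] or (isinstance(v, list) and rule["value"] in v):
            roles.add(rule["role"])
    claims = dict(up, iss="katanemo", exp=now + 3600,
                  Katanemo_metadata={"org": org["domain"], "roles": sorted(roles)})
    return jwt_encode(claims, kat_key, "katanemo-1")

def run_demo(now=1_700_000_000):
    # Constructed end-to-end run: IdP key and JWKS, one org, one upstream token, one exchange
    idp_key, kat_key = make_rsa_key(), make_rsa_key()
    jwks = jwks_for(idp_key, "okta-1")
    org = {"domain": "acme.example", "admins": ["alice"],
           "assertions": [{"claim": "groups", "value": "eng", "role": "developer"}]}
    upstream = jwt_encode({"iss": "https://idp.example", "sub": "alice", "exp": now + 600,
                           "groups": ["eng", "sales"], "dept": "R&D"}, idp_key, "okta-1")
    kat_token = exchange_token(upstream, jwks, "https://idp.example", org, kat_key, now)
    return jwt_verify(kat_token, jwks_for(kat_key, "katanemo-1"), "katanemo", now)
```

run_demo() returns the claims of the exchanged token: alice's upstream claims (groups, dept) survive unchanged, and Katanemo_metadata carries the org plus the roles derived from the admin list and the groups assertion. A token signed under a key that is not in the IdP's JWKS, or whose header claims a different alg, is rejected before any role mapping happens. In a real service use a maintained JWT library rather than this hand-rolled RS256; the checks it must perform are the ones jwt_verify spells out.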
Do I need to manage multiple access tokens if I integrate with Katanemo?
Note: you can continue using your upstream IdP's APIs and SDKs to manage the login experience for your application, but you must exchange that token for a Katanemo token bound to the user's organization so that all remaining API operations can be protected by Katanemo's authorizer.
Note: once an organization has set up SSO via Katanemo, you can use the GET:/defaultConnection API, which returns an SSO link for a particular organization domain. This API is unauthenticated, so you can call it before the user has signed in to redirect them to the appropriate upstream IdP for login.