KB Article #182451
REST API: Authenticating with OKTA SSO and executing API queries for Administrators
Problem
When the Admin UI is set to require SSO authentication, you can either use the local IdP to revert to local administrators, or authenticate against the OKTA IdP from the command line by following the instructions below. The same approach works with other IdP providers as long as you can authenticate with them using cURL.
Resolution
You will need the OKTA domain and the embedded link. These can be obtained, for example, from the OKTA metadata file or by reviewing the form authentication URL.
The article covers a UNIX-like shell command-line interface. The commands use the jq command-line JSON processor, so install it before performing any of the steps below; refer to your OS administrator for instructions on how to install jq.
You can also download the attached script okta-api.sh and edit the pre-set variables. The script creates the okta-cookie cookie jar, which can then be used directly in steps 5 and 6. The commands below assume that the shell variables OKTA_DOMAIN, OKTA_EMBEDDED_LINK, ST_HOSTNAME_OR_IP, ST_ADMIN_PORT, ADMIN_USER and ADMIN_PASS have been set to your own values.
1. Authenticate with OKTA and obtain a Session Token (the JSON body is built with jq so that quotes, backslashes and shell metacharacters in the password are escaped correctly):
sessionToken=$(jq -n --arg u "${ADMIN_USER}" --arg p "${ADMIN_PASS}" '{username:$u, password:$p, options:{multiOptionalFactorEnroll:false, warnBeforePasswordExpired:false}}' | curl -s -X POST -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: Mozilla/5.0" --data-binary @- "https://${OKTA_DOMAIN}/api/v1/authn" | jq -r '.sessionToken')
2. Exchange the session token for an OKTA session cookie, stored in the okta-cookie jar (this also confirms that the authentication was successful; if sessionToken is empty or null, step 1 failed):
curl -s "https://${OKTA_DOMAIN}/login/sessionCookieRedirect?token=${sessionToken}&redirectUrl=https://${ST_HOSTNAME_OR_IP}:${ST_ADMIN_PORT}" -c okta-cookie
3. Obtain the SAML Response to be posted to the SecureTransport Admin UI:
SAMLResponse=$(curl -s "${OKTA_EMBEDDED_LINK}" -b okta-cookie | grep SAMLResponse | awk -F '"' '{print $6}')
4. Relay the SAML Response to SecureTransport and authenticate (--data-urlencode takes care of percent-encoding the Base64 value; -k disables TLS certificate verification, so prefer --cacert with the SecureTransport CA certificate where it is available):
curl -s -k -X POST "https://${ST_HOSTNAME_OR_IP}:${ST_ADMIN_PORT}/saml2/sso/post/j_security_check" --data-urlencode "SAMLResponse=${SAMLResponse}" -d "RelayState=" -c okta-cookie
5. Execute an example API call to SecureTransport (the Referer header is required: SecureTransport rejects cookie-authenticated API requests that lack it):
curl -k -X POST "https://${ST_HOSTNAME_OR_IP}:${ST_ADMIN_PORT}/api/v2.0/myself" -b okta-cookie -H 'Referer: -'
6. The okta-cookie cookie jar can then be used for further API requests until the session expires or you log out.
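The six steps above combined into one script, with the checks an operator usually wants around them. This is an added example written for this page, not the KB's attached okta-api.sh. It assumes the same OKTA and SecureTransport endpoints as the article, that curl and jq are installed, and that OKTA_DOMAIN, OKTA_EMBEDDED_LINK, ST_HOST, ST_ADMIN_PORT, ADMIN_USER and ADMIN_PASS are exported in the environment; CA_BUNDLE (optional, assumed name) points at the CA certificate for the SecureTransport admin port. Compared with the bare commands it keeps the password out of every command line, stops with the OKTA status when the authentication does not return SUCCESS (for example when a second factor is required), extracts the SAMLResponse by attribute name rather than by column position, and creates the cookie jar readable by its owner only, since it holds the live admin session.

```shell
#!/bin/sh
# Added example (not the KB's okta-api.sh): steps 1-6 as one script.
# Required environment: OKTA_DOMAIN OKTA_EMBEDDED_LINK ST_HOST ST_ADMIN_PORT
#                       ADMIN_USER ADMIN_PASS
# Optional (assumed name): CA_BUNDLE, the CA certificate of the admin port.
set -eu

COOKIE_JAR="${COOKIE_JAR:-okta-cookie}"

# Pull the hidden SAMLResponse value out of Okta's auto-submit form. Matching on
# the attribute name (in either attribute order) is sturdier than a fixed awk
# column; prints nothing when no such input is present.
extract_saml_response() {
  sed -n \
    -e 's/.*name="SAMLResponse"[^>]*value="\([^"]*\)".*/\1/p' \
    -e 's/.*value="\([^"]*\)"[^>]*name="SAMLResponse".*/\1/p' | head -n 1
}

# curl for the SecureTransport admin port: verify against CA_BUNDLE when given,
# otherwise fall back to the article's -k (no certificate verification).
st_curl() {
  if [ -n "${CA_BUNDLE:-}" ]; then curl --cacert "$CA_BUNDLE" "$@"; else curl -k "$@"; fi
}

# Step 1. jq builds the JSON body so quotes and backslashes in the password are
# escaped; the password reaches jq through the environment (not argv) and
# reaches curl on stdin. Any status other than SUCCESS (MFA_REQUIRED,
# LOCKED_OUT, ...) fails here with that status instead of yielding an empty
# token that would only show up as an odd error in step 2.
okta_session_token() {
  response=$(ADMIN_PASS="$ADMIN_PASS" jq -n --arg u "$ADMIN_USER" \
      '{username:$u, password:(env.ADMIN_PASS),
        options:{multiOptionalFactorEnroll:false, warnBeforePasswordExpired:false}}' |
    curl -sS -X POST "https://${OKTA_DOMAIN}/api/v1/authn" \
      -H 'Accept: application/json' -H 'Content-Type: application/json' \
      -H 'User-Agent: Mozilla/5.0' --data-binary @-)
  status=$(printf '%s' "$response" | jq -r '.status // "NO_STATUS"')
  if [ "$status" != SUCCESS ]; then
    echo "Okta authn did not succeed: status=$status" >&2
    return 1
  fi
  printf '%s' "$response" | jq -r '.sessionToken'
}

# Steps 2-4: Okta session cookie, SAMLResponse from the embedded link, SAML
# post to SecureTransport. The jar ends up holding both sessions.
st_login_via_okta() {
  token=$(okta_session_token)
  curl -sS -o /dev/null -c "$COOKIE_JAR" \
    "https://${OKTA_DOMAIN}/login/sessionCookieRedirect?token=${token}&redirectUrl=https://${ST_HOST}:${ST_ADMIN_PORT}"
  saml=$(curl -sS -b "$COOKIE_JAR" "$OKTA_EMBEDDED_LINK" | extract_saml_response)
  if [ -z "$saml" ]; then
    echo "no SAMLResponse in the Okta reply; check the Okta session and OKTA_EMBEDDED_LINK" >&2
    return 1
  fi
  # --data-urlencode percent-encodes the Base64 value (+, / and =) for us.
  st_curl -sS -o /dev/null -X POST \
    "https://${ST_HOST}:${ST_ADMIN_PORT}/saml2/sso/post/j_security_check" \
    --data-urlencode "SAMLResponse=${saml}" -d 'RelayState=' -c "$COOKIE_JAR"
}

# Step 5 with the HTTP status made visible. The Referer header is the one the
# article sends; SecureTransport requires it on cookie-authenticated API calls.
st_whoami() {
  st_curl -sS -X POST "https://${ST_HOST}:${ST_ADMIN_PORT}/api/v2.0/myself" \
    -b "$COOKIE_JAR" -H 'Referer: -' -w '\nHTTP %{http_code}\n'
}

main() {
  : "${OKTA_DOMAIN:?}" "${OKTA_EMBEDDED_LINK:?}" "${ST_HOST:?}" \
    "${ST_ADMIN_PORT:?}" "${ADMIN_USER:?}" "${ADMIN_PASS:?}"
  umask 077   # files this script creates (the cookie jar) are owner-readable only
  st_login_via_okta
  st_whoami
}

# Run the whole flow only when asked ("sh okta-login.sh run"), so the
# functions can also be sourced and used one at a time.
if [ "${1:-}" = run ]; then main; fi
```

After a run, the jar named in COOKIE_JAR carries the SecureTransport session and can be passed with -b to further API calls exactly as in step 6; delete it when you are done rather than leaving an admin session on disk.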