Okta SSO (OpenID Connect)
To secure access to ngrok with Okta Single Sign-On using OpenID Connect:
This article details how to configure Okta as the primary Identity Provider for ngrok tunnels. By integrating Okta SSO with ngrok, you can:
- Restrict access to ngrok tunnels only to users authenticated via Okta
- Use Okta security policies, MFA authenticators — including Okta Verify, FastPass, and FIDO2 — and ThreatInsights to control access to ngrok tunnels.
- Use Okta's Dashboard to facilitate access to ngrok apps.
Supported Features
The ngrok integration with Okta supports:
- SP-Initiated SSO: In this mode, users access ngrok edges and tunnels and are redirected to Okta for authentication.
Requirements
To configure ngrok tunnels with Okta, you must have:
- an Okta account with administrative rights to create apps
- an ngrok Enterprise Account with an authtoken or admin access to configure edges with OpenID Connect.
Configuration Steps
To integrate ngrok with Okta SSO, you will need to:
- Configure Okta with the ngrok app
- Configure ngrok with the SSO settings provided by Okta
Step 1: Configure Okta
Add the ngrok App in Okta
- Access your Okta Dashboard as an administrator and then click Admin.
- Click Application > Applications .
- Click Browse App Catalog,
- Search for ngrok, and then click Add.
- Enter the Application label — this is the app name that will be displayed in the okta dashboard for end users — and click Next.
- Select OpenID Connect, and then enter the following:
- Sign-in redirect URI: https://idp.ngrok.com/oauth2/callback
- Login initiated by: Login initiated by app
- Click Done.
- Under the Sign On tab of the ngrok application, copy the Client ID and Client Secret. These values will be used at ngrok to complete the configuration.
Grant access to Okta people and groups
Okta allows administrators to restrict access to SSO apps — such as ngrok — via assignments. By default, apps created in Okta have no assignments — in other words, nobody can use Okta SSO to access ngrok until you assign them to the app. To assign Okta users and groups to the ngrok app:
- Click Application > Applications .
- Search for and click the ngrok app.
- Click Assignments.
- Use the Assign button to associate groups and users with the ngrok app. To test the SSO with ngrok, make sure you're assigned to the app.
Step 2: Configure ngrok
ngrok can leverage Okta SSO in two ways:
- From the ngrok CLI (using the
--oidc
parameter) - From the ngrok dashboard
Option 1: ngrok CLI
Note: For this tutorial, we assume you have an app running locally (i.e., on localhost:3000) with the ngrok client installed.
Launch a terminal
Enter the following command to launch an ngrok tunnel with Okta SSO. Replace
<okta_url>
with your okta org address (i.e., https://acme.okta.com) and the<okta_client_id>
and<okta_client_secret>
with the respective values copied from the ngrok app registered at Okta. Optionally, add the--domain <domain>
argument to get your own custom URL, replacing<domain>
with your URL of preference:ngrok http 3000 --oidc=<okta_url> \
--oidc-client-id=<okta_client_id> \
--oidc-client-secret=<okta_client_secret> \
--domain=<domain>Copy the url available next to Forwarding (for example,
https://okta-sso-test.ngrok.dev
).Skip to Step 3
Option 2: ngrok Edge
To configure an edge with Okta:
Go to dashboard.ngrok.com.
Click Cloud Edge > Edges
If you don't have an edge already set to add Okta SSO, create a test edge:
- Click New Edge
- Click HTTPS Edge
- Click the pencil icon next to "no description". Enter Edge with Okta SSO as the edge name and click Save.
On the edge settings, click OIDC.
Click Begin setup and enter the following:
- Issuer URL: Your okta tenant url (i.e. https://acme.oktapreview.com).
- Client ID: The client id copied from Okta
- Client Secret: The client secret copied from Okta
Click Save.
Launch a tunnel connected to your Okta edge:
For this step, we assume you have an app running locally (i.e. on localhost:3000) with the ngrok client installed.
Click Start a tunnel.
Click the copy icon next to the tunnel command.
Launch a tunnel:
- Launch a terminal
- Paste the command. Replace http://localhost:80 with your local web app addess (i.e., http://localhost:3000)
- hit Enter. an ngrok tunnel associated to your edge configuration will launch.
To confirm that the tunnel is connected to your edge:
- Return to the ngrok dashboard
- Close the Start a tunnel and the Tunnel group tabs
- Refresh the test edge page. Under traffic, You will see the message You have 1 tunnel online. Start additional tunnels to begin load balancing
In the test edge, copy the endpoint URL. (you will use this url to test the Okta Authentication)
Step 3: Test the integration
- In your browser, launch an incognito window.
- Access your ngrok tunnel (i.e., https://okta-sso-test.ngrok.io or using a copied URL).
- You should be prompted to log in with your Okta credentials.
- After logging in, you should be able to see your web app.