From the Okta website
Okta is the foundation for secure connections between people and technology. It’s a service that gives employees, customers, and partners secure access to the tools they need to do their most important work.
In practice, Okta is an Identity and Single Sign-On solution for applications and cloud entities. It allows GitLab to consolidate authentication and authorisation for the applications we use daily behind a single dashboard, and to ensure a consistent, secure and auditable login experience for all GitLab team members.
GitLab is using Okta for a few key goals:
All GitLab team members will have an Okta account set up as part of their onboarding process. You should already have an activation email in both your Gmail and personal accounts. For efficiency, please follow the onboarding process for setting up Okta: set up 1Password first and follow that up with Okta. Please also set up Okta from your computer rather than from your mobile or the mobile app, as you will be guided through setting up the mobile app as part of the onboarding process.
Follow the GitLab Okta Getting Started Guide and FAQs.
We have also prepared Introductory Videos on Okta Setup, Setting up MFA/Yubikeys, Configuring Applications and Dashboard Tips.
We recommend particularly that once your account is set up, you set up an additional MFA factor (either YubiKey or Google Authenticator/TOTP) in case there's an issue with one of your MFA factors.
Our Okta implementation defaults to using Okta Verify as the required MFA factor. Okta Verify is a safe and secure application that uses push notifications and one-time token codes on your phone to validate your login. It is supported on iPhone, Android and Windows Phones.
Some people have issues installing a verification app on their phone. If for your geography or another reason this is not appropriate, please submit an issue to opt out and we can add you to an authentication group that makes Okta Verify optional. Please note that we still recommend setting up at least two MFA factors, in case something happens to one of them.
There is a "Need help signing in?" button on the login screen. Expanding it reveals a link to an automated password reset process via email. You will need to know the answers to your security question(s) to use it.
We recommend that you store your Okta password, as well as your security question answers, in 1Password. Please review the 1Password Guidelines for the best ways to use Okta and 1Password together.
Firstly, review the 1Password Guidelines.
Then head to #it_help in Slack and ask for a temporary password to be issued.
Once you have been issued the temporary password, you can reset your access.
No worries! You can easily reset your own MFA factor for Okta if you have not yet wiped or returned your old phone.
Firstly, sign in to your Okta webpage at gitlab.okta.com using your email, your password, and the MFA code from your old phone.
Once you're on the Okta webpage, click on your name and then click Settings.
While on the Okta settings page, click the green "Edit Profile" button to edit the page contents.
Scroll down until you see "Extra Verification". Click "Remove" to disable the specific MFA factor tied to your old phone, then click "Setup" to configure the new MFA factor on your new phone.
If you have already wiped and returned your old mobile device, you can use a YubiKey as another form of authentication (if you have one set up). Use it to access your settings page and follow the steps above to reset your Okta MFA.
Lost all your MFA Factors?
Head to #it_help in Slack and ask for an MFA reset.
Once your factors have been reset, please set up at least two MFA factors (YubiKey or Google Authenticator; see this video).
The GitLab Team Member Enablement team has created a new process for Owners and Provisioners to manage access to Okta applications. If you are listed as an Owner/Provisioner for an application in the tech stack, you will use the method below to add users to a Google group; that group is then synced to Okta, which assigns the application to its members. This process was created to empower business application owners to fulfil Access Requests that require Okta application assignment.
Next, press the People tab on the left side and select Members.
Then press the Add Members button. To remove access, hover over a user and tick the small white box that appears to select that user, then press the Remove member button on the right side (it looks like a circle with a horizontal line across it). When a member is added to or removed from the group, it may take up to 1 hour for the sync between Google and Okta to happen. Once the sync has happened the user will see the application in Okta; if the user was removed, the application disappears from their dashboard. If you have any questions or require assistance, please reach out to the IT team in the #it_help Slack channel.
Head to #it_help and ask to have your account unlocked.
As a precaution, you will also need to change your Okta password.
Create a new application setup issue and fill in as much information as you can.
Okta is currently configured to assign applications through groups/roles based on a team member's role/group. Refer to the Access Removal Request section of the handbook for additional information on why an application may not be available in Okta.
If you are an application owner please submit a new application setup issue on the Okta project page for your application. We will work with you to verify details and provide setup instructions.
Yes you can! Submit a new application setup issue on the Okta project page for your application. We will work with you to verify details and provide setup instructions.
The way we have Okta set up should require you to authenticate once with MFA when you start your working day, and that session should last for the rest of your work day. We recommend that you log in via the Okta Dashboard at the beginning of your day, and then use either the dashboard or the Okta browser plugin to open applications during your work day.
For some applications, we enforce an additional MFA step periodically because of the sensitivity of the data they hold. We are also trialling a risk-based authentication algorithm that may ask you to re-authenticate if anomalous behaviour is detected on your account or Okta detects an unusual login pattern. At this stage, BambooHR and Greenhouse require an additional authentication step.
If you are being asked for multiple MFA authentications during the day, please log an issue and we can look into it.
Your gitlab.com account will have 2FA enabled as required by our policy. Note that the 2FA for GitLab.com is separate from the MFA you use to log in to Okta. This issue has been opened to propose a solution.
#it_help Slack channel