From the Okta website
Okta is the foundation for secure connections between people and technology. It’s a service that gives employees, customers, and partners secure access to the tools they need to do their most important work.
In practice - Okta is an Identity and Single Sign On solution for applications and Cloud entities. It allows GitLab to consolidate authentication and authorisation to applications we use daily through a single dashboard and ensure a consistent, secure and auditable login experience for all our GitLab team members.
GitLab is using Okta for a few key goals:
All GitLab team-members will have an Okta account set up as part of their onboarding process. You should already have an activation email in both your Gmail and Personal Accounts. For efficiency, please follow the onboarding process for setting up Okta and set up 1Password first and follow that up with Okta. Please also set up Okta from your computer rather than your mobile or the mobile app, as you will be guided to set up the mobile app as part of the onboarding process.
GitLab requires all team members to use either Biometrics or YubiKey as your Okta authentication
Using WebAuthn authentication is required for all team members.
Touch ID on Mac currently requires Chrome or Safari. The latest version of macOS (Ventura) works better with Touch ID/YubiKeys. There is a known issue with Firefox preventing it from working with Touch ID. YubiKeys can be used with all browsers.
Set up anothernext to
Security Key or Biometric.
Set up another, followed by an
Enroll, a prompt from your web browser will appear.
For Touch ID or Face ID, choose
This Device. For a YubiKey, choose
USB security key.
For Touch ID or Face ID, another prompt will appear asking you to authenticate using Touch ID or Face ID.
For Security Key, relevant prompts will appear.
You may be prompted for a PIN, and then finally click
Follow the GitLab Okta FAQ.
We have also prepared Introductory Videos on Setting up MFA/YubiKeys, Configuring Applications and Dashboard Tips.
These steps are for an iPhone, and may be slightly different for Android. If you are using an iPhone and receive a Developer or XCODE error, please upgrade to iOS 16+. We recommend enrolling a phone even if you don't plan to use it often, in case you need a way to add a new computer or your credential gets accidentally removed on the computer.
chrome://settings/help- if a new version is available, please use the
Relaunchbutton to restart the browser.
On your Mac, please check under "System Settings"->"Privacy & Security"->"Bluetooth" and make sure that Google Chrome has Bluetooth access enabled.
Then, choose "A different device".
This should display a QR code that you can scan.
your name->iCloud and make sure that Passwords and Keychain is set to "On".
This method has been verified on Macs and Linux with Chrome. For Safari, it requires macOS Ventura 13+. Steps below for iPhone require iOS 16+, may be slightly different for Android.
If both of previous devices are not available, you could use a YubiKey as another form of authentication (if you have one set one up). Use that to access your settings page and follow the steps above to enroll a new device.
Please fill open up the Slack form using /yubikey in a DM to yourself, (check out our guide for some additional information), and we will coordinate shipment of one to you thru our group buy.
#it_helpin Slack or email
firstname.lastname@example.org ask for a 2FA Reset, please be prepared to verify your identity
#it_helpand ask to have your account unlocked. As a precaution, you will also need to change your Okta Password.
Okta Device Trust ensures that team members are acccessing Okta applications from a managed device. For additional details and timelines, please see the internal handbook.
Open the Okta Verify application on macOS via Spotlight by selecting the magnifying glass in the menu bar (top right corner of display). Another method to open Spotlight is to use
cmd + Space
gitlab.okta.com is populated for Sign-in URL and then select
A browser window will open to gitlab.okta.com to confirm your identity
After doing so, you will see the
Your Identity is Verified message and you can close the browser
The Okta Verify application will refresh. Press
Next if you are using Touch ID on your Mac (most common), or
Skip if you are not. Okta Verify uses macOS's Touch ID capability, and the mathematical calculation is stored locally within Apple's Secure Enclave and not available to Okta or GitLab.
If you pressed
Next, then click
Enable Touch ID
Your GitLab Okta account will now be available to use with Okta Verify on macOS
You will continue to be able to use a YubiKey in addition to Touch ID to login to Okta from macOS device. You will not be able to login from a personal macOS device.
A macOS device missing the certificate (even when enrolled with Okta Verify), will quickly show:
Then re-direct to the following error:
The GitLab Team Member Enablement team has created a new process for Owners and Provisioners to manage access to Okta applications. If you are listed as an Owner/Provisioner for an application in the tech stack you will be using the method below to add users to a Google group, which will then sync this group to Okta and assign the application to users. This process was created to empower business application owners to effect Access Requests which require Okta application assignment.
Next press the
People tab on the left side and select
Add Membersbutton. To remove access mouse over a user and press on the little white box that appears, this will mark the user. After that on the right side press the remove member button (Looks like a circle with a horizontal line across).
When a member is added/removed from the group it may take up to 1 hour for the sync to happen between Google and Okta. Once the sync happens the user will see the application in Okta, if removed the opposite. If you have any questions or require assistance please reach out to the IT team in the #it-help Slack channel.
Create a new application setup issue and fill in as much information as you can.
Okta is currently configured with assigned groups/roles based on a team member's role/group. Refer to the Access Change Request section of the handbook for additional information on why an application may not be available in Okta.
If you are an application owner please submit a new application setup issue on the Okta project page for your application. We will work with you to verify details and provide setup instructions.
Yes you can! Submit a new application setup issue on the Okta project page for your application. We will work with you to verify details and provide setup instructions.
If you are having problems with being asked for multiple MFA authentications during the day, please log an issue and we can look into it.
Your gitlab.com account will have 2FA installed as required by our policy. Note that the 2FA for GitLab.com is different to the MFA you use to log into Okta. This issue has been opened to propose a solution.
When attempting to add a Google Workspace account to an Android device, Okta authentication proceeds in the Android's embedded browser (WebView).
Since Okta does not support embedded web browsers for WebAuthn based verification, which causes an issue where nothing prompts you after you sign-in to Okta, so you cannot add the Google Workspace account to Android devices.
Please reach out to
#it_help Slack channel to request temporary enable Okta Verify as a workaround.