Metadata-Version: 2.4
Name: okta-saml
Version: 0.0.2
Summary: Utility to obtain saml api jwt from OKTA
Author-email: Mike Oshea <oshea00@gmail.com>
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: requests>=2.32.3
Requires-Dist: click>=8.0
Requires-Dist: beautifulsoup4>=4.12.0
Requires-Dist: validators>=0.22.0
Dynamic: license-file

# okta-saml - Retrieve Saml-Enabled API credentials from Okta

Authenticates a user against Okta and then uses the resulting SAML assertion to retrieve temporary credentials for saml-enabled APIs.

when the command line is run with desired arguments (described below), upon successful login, the attributes in the SAML assertion will be used obtain a jwt token for the associated API and scope.

## Required OKTA Setup

Create a SAML App integration with default settings. Add attributes to the SAML definition for ClientID and ClientSecret, and the desired Scope in the Audience. These should contain the values from the client credential flow application you want to associate with your API's auth server and related Scope. Create scope in your auth server as-needed.

The embed link on your SAML app will be used for the app-link value in your ~/.okta-saml file.

Associate your users/groups in the authserver access policies as-needed - one of those must include the intermediary client credential flow app that your saml attributes refer to.

## Disclaimer
Okta is a registered trademark of Okta, Inc. and this tool has no affiliation with or sponsorship by Okta, Inc.

## Installation
- `> python3 -m pip install . --upgrade`
- Execute `okta-saml --config` and follow the steps to configure your Okta profile OR
- Configure okta-saml via the `~/.okta-saml` file with the following parameters:

```
[default]
base-url = <your_okta_org>.okta.com
app-link = <app_link_from_okta> # Found in Okta's configuration for your SAML Application link.
profile  = <saml_profile_to_store_credentials> # Sets your temporary credentials to a profile in `.saml/credentials`. Overridden by `--profile` command line flag

## The remaining parameters are optional.
## You may be prompted for them, if they're not included here.
username = <your_okta_username>
password = <your_okta_password> # Only save your password if you know what you are doing!
```

## Usage

`okta-saml --profile <saml_profile>`
- Subsequent executions will first check if the credentials are still valid and skip Okta authentication if so.
- Multiple Okta profiles are supported, but if none are specified, then `default` will be used.
- Selections for saml api are saved to the `~/.okta-saml` file. 

### Example

`okta-saml --profile default`

Optional flags:
- `--profile` or `-p` Sets your temporary credentials to a profile in `.saml/credentials`. If omitted and not configured in `~/.okta-saml`, credentials will output to console.
- `--username` or `-U` Okta username.
- `--password` or `-P` Okta password.
- `--force` or `-f` Ignores result of JWT expiration check and gets new credentials from OKTA. Used in conjunction with `--profile`.
- `--verbose` or `-v` More verbose output.
- `--debug` or `-d` Very verbose output. Useful for debugging.
- `--cache` or `-c` Cache the acquired credentials to ~/.okta-credentials.cache (only if --profile is unspecified)
- `--okta-profile` or `-o` Use a Okta profile, other than `default` in `.okta-saml`. Useful for multiple Okta tenants.
- `--config` Add/Create new Okta profile configuration.
- `--version` or `-V` Outputs version number then exits.

