OIDC Provider Setup for Opal Actions

Opal uses OpenID Connect (OIDC) to authenticate users for actions that require additional authentication. The requirement is configured at the resource level and can cover requesting access, approving an access request, and/or connecting to a session.

OIDC Provider Setup

Prerequisite: You must register a new OIDC Provider with your IdP.

Use the callback URL http://{YOUR_OPAL_BASE_URL}/callback/oidc, substituting in your Opal base URL (e.g. http://somecorp.opal.dev/callback/oidc). For more information about obtaining these credentials, refer to your IdP's documentation: Okta OIDC docs, Google OIDC docs.

When registering your OIDC provider with Opal, you must have the following information available: Client ID, Client Secret, and Issuer URL.

The OIDC provider must be configured to require MFA for every sign-in attempt. Password authentication is not required.

Example Okta OIDC Policy

Opal Settings Configuration

  1. In Opal, go to the Settings section under Configuration in the left sidebar.
  2. Click Authentication, then find “MFA settings for gated Opal Actions”. Click Configure.
  3. Select “OIDC MFA”, and fill in the Client ID, Client Secret, and Issuer URL from your IdP.
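As an added example (not Opal's code and not taken from Opal's or any IdP's documentation), the following Python script shows what an OIDC client does with the three values the steps above ask for: it validates the provider's discovery document against the Issuer URL, builds the authorization request that sends the user to the IdP with the Opal callback URL, and checks the returned ID token claims for evidence that MFA was performed. The issuer host, client ID and discovery document are constructed sample values so the script runs offline, and the `amr` claim check is an assumption about IdP behaviour (Okta reports `mfa` there; other IdPs may differ).

```python
"""Added example (not Opal's code): exercise the OIDC inputs the page asks
for (Client ID, Client Secret, Issuer URL, callback URL) the way a client
would, with constructed sample data so it runs offline."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample discovery document, not fetched from a real IdP.  A
# real provider serves this at <Issuer URL>/.well-known/openid-configuration.
ISSUER_URL = "https://idp.example.com/oauth2/default"
SAMPLE_DISCOVERY = {
    "issuer": ISSUER_URL,
    "authorization_endpoint": ISSUER_URL + "/v1/authorize",
    "token_endpoint": ISSUER_URL + "/v1/token",
    "jwks_uri": ISSUER_URL + "/v1/keys",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def callback_url(opal_base_url: str) -> str:
    """Build the redirect URI the page tells you to register with the IdP."""
    return opal_base_url.rstrip("/") + "/callback/oidc"


def validate_discovery(issuer_url: str, doc: dict) -> dict:
    """Check a discovery document against the Issuer URL you configured.

    OIDC Discovery requires the document's `issuer` to equal the URL it was
    fetched from; a mismatch means ID tokens would be minted for a
    different issuer than the one the client trusts.
    """
    if doc.get("issuer") != issuer_url.rstrip("/"):
        raise ValueError(f"issuer mismatch: expected {issuer_url!r}, got {doc.get('issuer')!r}")
    missing = [k for k in REQUIRED_ENDPOINTS if k not in doc]
    if missing:
        raise ValueError("discovery document missing: " + ", ".join(missing))
    for key in REQUIRED_ENDPOINTS:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} must be https: {doc[key]}")
    return doc


def build_authorization_request(doc: dict, client_id: str, redirect_uri: str) -> dict:
    """Return the authorization-code + PKCE request an OIDC client would send.

    `state` ties the callback to this request (CSRF protection) and `nonce`
    ties the ID token to it; both are stored server-side and compared when
    the IdP redirects back to the callback URL.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 PKCE range
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return {
        "url": doc["authorization_endpoint"] + "?" + urlencode(params),
        "state": state,
        "nonce": nonce,
        "code_verifier": code_verifier,
    }


def mfa_was_performed(id_token_claims: dict, expected_issuer: str, expected_nonce: str) -> bool:
    """Defensive check on the claims of an already-verified ID token.

    Assumption (not from the page): the IdP lists the authentication methods
    it used in the `amr` claim and includes "mfa" when a second factor was
    satisfied, as Okta does.  Signature and expiry verification (using the
    keys at `jwks_uri`) are assumed to have happened before this call.
    """
    if id_token_claims.get("iss") != expected_issuer:
        return False
    if id_token_claims.get("nonce") != expected_nonce:
        return False
    return "mfa" in id_token_claims.get("amr", [])


if __name__ == "__main__":
    doc = validate_discovery(ISSUER_URL, SAMPLE_DISCOVERY)
    req = build_authorization_request(doc, "opal-client-id", callback_url("http://somecorp.opal.dev"))
    print(req["url"])
```

The Client Secret is deliberately absent from the authorization request: it is only used server-to-server at the `token_endpoint` when exchanging the code, which is why it must never appear in the browser redirect. The `amr` check is what lets Opal-style gating rely on the page's requirement that the provider enforce MFA on every sign-in rather than on password authentication.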