Login to Galaxy Using Your Organization's Okta identity

This page explains how to use this feature, for admin-specific docs, please refer to this page.

You can login to a Galaxy instance (if this feature is enabled on that instance) using your organization's Okta identity. You may use this feature if:

  • you do not have a Galaxy user account, and instead of creating one, you may want to login to Galaxy using your organization's Okta login;

  • you do have a Galaxy user account, and want to associate that account with your organization's Okta identity, hence you would be able to login to Galaxy either using you Galaxy username and password, or your organization's Okta credentials.

Galaxy offers two method for login: via UI, or programmatically.

Login via User Interface

In order to login to Galaxy using your organization's Okta identity, take the following steps:

  1. Click on the Login or Register button:

    image

  2. Click on the Okta button:

    image

  3. Clicking on the Okta button will take you to your organization's Okta login page, where you would need to login with your organization's Okta associated credentials, such as your active directory account:

  4. Having completed login through your organization's Okta service, you will be redirected back to Galaxy, and you will be logged in to Galaxy with your organization's Okta identity.

Login Programmatically

You can login to Galaxy using your organization's Okta credentials by directly interacting with Galaxy's authnz controller. To do so, you may take the following steps:

  1. Type the following address in your browser, after replacing [Base URI] with the URI of your Galaxy instance:

     [Base URI]/authnz/okta/login

    In other words, send an HTTP GET request to the aforementioned URI.

  2. In response, Galaxy returns a JSON object containing redirect_uri, which is a URL to your organization's Okta authorization endpoint with all the information required to identifying your Galaxy instance. For instance:

     {
        "redirect_uri": "https://organization.okta.com/o/oauth2/auth?nonce= ... &state= ... &redirect_uri=http://localhost:8080/authnz/okta/callback&prompt=consent&response_type=code&client_id= ... organization.okta.com&scope=openid+email&access_type=offline",
     }

    Copy this URI and pasted it in your browsers's address bar; or in other words, send a GET request to this URL.

  3. You would then see your organization's Okta login page, and having successfully signed in, and Okta will callback Galaxy with your authentication information, which Galaxy uses to log you in.

What happens behind-the-scenes when I login to Galaxy using my organization's Okta identity?

In nutshell, Galaxy receives basic information about you from the Okta service (e.g., email address) and some OIDC security tokens such as ID token and Access token. Galaxy stores these information, and then it automatically creates a Galaxy user with its username and email set to the information provided by Okta (if you do not have a Galaxy user account).

How to disconnect my organization's Okta account from Galaxy?

When you're logged into Galaxy using your Okta identity, visit the following page:

[Base URI]/authnz/okta/disconnect

where [Base URI] is the URL from which the Galaxy instance you're using is accessible. For instance:

http://localhost:8080/authnz/okta/disconnect

The disconnect process will remove all your organization's Okta provided tokens from Galaxy's database, but will keep your Galaxy user account active (this user is registered automatically with your email address).

How to revoke the OIDC tokens shared with Galaxy also from your organization's Okta service?

These tokens are used to validate your identity for the first time, and re-validate when the tokens are expired. You can revoke these tokens (a complementary step to the disconnect process), which will (a) invalidate the tokens stored in Galaxy's database, and (b) will prevent Galaxy from being able to refresh expired tokens.

This is not yet supported in a self-service manner for your organization's Okta service, please contact your organization's Okta specialist if you wish to have your tokens revoked.