Login to Galaxy Using Your Organization's Okta identity
This page explains how to use this feature, for admin-specific docs, please refer to this page.
You can login to a Galaxy instance (if this feature is enabled on that instance) using your organization's Okta identity. You may use this feature if:
- you do not have a Galaxy user account, and instead of creating one, you may want to login to Galaxy using your organization's Okta login;
- you do have a Galaxy user account, and want to associate that account with your organization's Okta identity, hence you would be able to login to Galaxy either using you Galaxy username and password, or your organization's Okta credentials.
Galaxy offers two method for login: via UI, or programmatically.
Login via User Interface
In order to login to Galaxy using your organization's Okta identity, take the following steps:
-
Click on the Login or Register button:
' width='887' height='512' xlink:href='data:image/png%3bbase64%2ciVBORw0KGgoAAAANSUhEUgAAAEAAAAAlCAIAAAB9MnhgAAAACXBIWXMAAAsSAAALEgHS3X78AAAJFUlEQVRYw%2b1YiW9U5xH335BGkdKoEIjt4NsGg%2b9rfdJAABmbkDRIXCZqmqZq0hCOKBjwro9QJTiGNKSoURNFKiKItJhigjlsWHvttb3rXe/ae777fvveHj7wQefts41dDClVMSD100%2bj%2bWbmfTsz38x737cRyakl2fnlyatLE1YWxSTmv5yQ91JMVmySJj6lUEXCyuLlUanPPLskjKXPPvfiMz9bAnRFQg6YxSQWwFNxyYq9ygNVp7FJ01OVAQrCuGleNdCochUxSfnqUuAJYNaBWSjuxeeuSMgDRMcpDAgjKrbuudD8d01Z5a/f2feHvUcOVh97/4NqTXEF6CCqpNQSoNEx6WmZhQWF6wo0ZWmZmuKyjatSsxNXFRWWvZZfvFlTumVN1rpV6Wvziyvyizbnl1Rk5W1MWVOWmbdRU1yZW1ieoykvKKnMKdiUsqY0LXu9prQyW%2bHL0nJezS%2bpBGOY5hfBsxVFZVuSVhVvqKj6zW8PZGSvj19ZBPlNCgNCKlq7ddOWqrXr33xlw7by16rWbdiWvLokIjouZ9Om3LjE1UmpZbB6es6reYXlMQm5S15KezEqHbAsOvO551c8/0JUZHRKZGQCMMsjE3/%2bQuQvlqfGJRdCGmKTNVGx2cuiM2JmchkZk700Mg1Wjk0uiA2nDZL9clwuCKNicxJWFgJdGpkOBpCFFfF50fG5sFFK1pM18ItJqaUQbVRMFtirPgCAh81ZlfHL1ZmvJK4sAj9TVpcui06P0NY3Vdc06hpOHtEdr9Z%2bWl0D%2bAyEtZ%2bcUFF37OThmj9%2buL8asPdA9f6DR4DZd/CItq6xpr6ppu5zgLahSddwQuWVafhx7axWZVRhQ1NN7TwDoAozY6z7RFnnsO64ruGuDypADk4erW0EHNYeP6prBGHE6Pjk2MTk6PgE0LGJqTCU6XxM3p68Mz51B6jChCkI52DabL5k8v42EwsZ3FWNjd/rgyJUnAybhb1VbCJIhn%2bqEcHwvntBcyLFCkBnAdNZzJXPxYJLPWosHIAoB6XAMECUA5woy4Fhf3DEHxoF6vOHRCkoSAGwAd4XCCkUhHLgiQiAFSSK4Q3Gvpud3a032swDQw6n58LFlus3O1uuXL1l6Ok1W81W%2b8Cgy2Ib6jVbjH3mzu7ePrOlx2wlOYl9EgIgaa7T2PtDc8uFlpbL19rNVtuZ78%2bd%2bvrbL06dPv31N3/97m83DT1tHV2tbTd/aL548cfWC5daz5w9e665hfYFKCg2zhemChahriLuoxChKgSfDBmFRhGlgCD5/aERSQ7SHPSAAGq/HJKlUCAwHAyMSKJf4H0CL/GsyHM%2bXpRVsMLj6AGOF9s6ey5e059rvnz%2b0tXz/2z9x49tCr18/Zsz55uvtJ%2b9cFmvNw3p7d5ex0CX3dLWP6C3Wa%2bZbUaHrcM2YBi0eQi7h7C5cYTkHnUM8wKgZ%2bi2Q39es12bU1Wft6chc1dt9u66rN11wGTtrs3cCbQufYcufaf23WPf5eypz9hVm75Dm7unPnOnDlR5b9VnALOrNn7rxwdOfB8IhihWXKwAOOgBH/xe/lsNa7bXbNp7snLfn9746NSG95sq932x9nefbf7w5LZDpze815i1Uxddvh%2bYpDeq1/2%2b8fWPvnrz49OvH/yy%2bO1j69/7fOvBL9e%2b%2b%2bnS9R/sPPqX0PAwyQqLuwOcCK6k/OowJB6Sqnn7WMYOHWxFTlWdkv5dtbAzmbt0adu17zR8C9P07VqwhKyDPLeqLm2HFjYKJAlbD%2b1rOruoOzD7IvISrM1NqBhwhakbn5VYndiAC7e7CYzibB7c6sJhCgYgt7owlYcGAAYh2UXtgWlwohfFcZKmWY5iOGAomsEphqAYkmZpjocPhRcjUJzyoBADQzIc2CMYSVAsqIBBcMoLFCO9GEUywqIGAFXECT5jbz98ubp6TEaTpV1vuNlhuKHv0huM%2bq4eo8lqdyGXrlxvudredquz22wfdCHwubjUeqPbNACqa%2b0dl6%2b2t1xtu3TlRmdPP7HIAUy/SX0y7/PDIQIADC%2bGMSOBLwMBoO8C2jQs4QhVpRyzVAn/qL9l9znMhVuZnmVmwYtqkzwQ8wwe15f4qcH/A3jsAfxUQT/piJhcaExMTD5gTITxYMuJe5gFf2Xipx6ceOAKMCLuPOVjgQCmpqZ4KcDLQbg0hkZGg8GA3%2b8PBoOy7BdEMRQaFgSBoihBEEHO8TyoAoGgJMNQpj5JCoWCLCdIkgxCluPBTPSJgYCyjgRqWZGHQiFYjWE5eCwYCgWCQZ8PdBIsK4WHwPN%2bWNYfpHh59Pb4wwWAUrzZifcNoi6MwRCvbcCGod7evj6T2eJye8wmU1dXt3XA5nZ7B4dcKIYO2O36W7fMZpOlv9/QaXA4Bru7uy0Wi9vj7uk29lssRmO3fchhs9kMXV0GQxdcQREM8yLILX0HSKw2u8PpNJn74Re6jT36js6Ozk6r1dJrMgs%2byeTACU5WHftPAyAY0UMJHoKDe72X5D0kz8B1kaLcLjdBkk6nE1KIEwSCwpkJp2mGIClSkDFG5CTlgo/S8LiI0AJIKNF/e2JysUuIEaRBlIZjJmwfK8pWF4GxPsSLDDkcJEUNDg4BtVisfb19kDkUxQiSRhnR7iEhWoIVnTirAGMcKO3E2EBoBJadnJyaxtQCQxWGDSbDzIxV2J%2bFUn//AJ76JoaYUQTxohgUgB2h4TiEUOIQSmOMD0oFx1C7zeZyOqCmIfcYjrtdDo/Xi2CUm%2bSsHgoOdl6CcxFwxQ9AEcKewFbgrORESNDCOiQnOVAGoXgvBcXJuXDOicFGMRQvwe7BFKMFq5uA3XMTHCX4Hz4AKCFOdKFKPdi9FDgBheTCGfAPYzgEp802J0YyKIp6EdSDUUMeqCAW2h28QRgfxUHAvBItXMRE/%2bjYOJTQ8OhtoHIQMBwaGQME4f02PApvOeDD/5qNgGRsHIwVCZiBEJiR%2b79/HtQD0LwunCU4H3QzzookL9GCzAgywUu8FPRSAoTE0DT0MbiIMpIoBby0CDFAwljBD3cA2D2EYHk5pCy46CX0Pxtq86ldOKdj78y05tQc1Vzjuar/KoCpf19o3gth6mHGY2nip2n8C9FDj77WsfeSAAAAAElFTkSuQmCC' /%3e%3c/svg%3e)
-
Click on the Okta button:
' width='2560' height='1288' xlink:href='data:image/png%3bbase64%2ciVBORw0KGgoAAAANSUhEUgAAAEAAAAAgCAIAAAAt/%2bnTAAAACXBIWXMAAAsSAAALEgHS3X78AAADQElEQVRYw%2b1WSW/TUBDOv0GIUrqkTZOULmnI0uxJ05ZS2iTdztBe%2bAtw5oSExImfABLXIoFEhUQPXKha7HiL49ixY8dxYptx3FYgulhNVQeR0ZenkZ33Zr73vhk/Ryq7ls7mfYHFeDofSay6vNHb/dN3BnxWMOQKu7wx13hsxBMZdoW8k4nhsfDgaMh9Pz7ijtxzBuDVqDc2Nh4fcAbgyZArNDgShBBOd8QzmQQ/ld2ABG71TfQNzlgMenfI73TPOsdmRz3R/mG/49HKxmpuNb2wlV9/WtjcDkWXIbx3MnkpPBOJB%2bGHyUwhksyF48v%2b0GIiswbTfcGFVHY9HHs85Z%2bLpwvRVC6Wzk8H5iOJlcDsEvwtObcWjC5nFjeDkaXC1s7a5g5QGp9KWQw64cskMoVoMpee35gJLjiKGFHESAwjURRHUIwgS1SpbBEEQcF0nKDAgYk4ToJPnjgwokW8WMRhxHCyHYgABwKBg6IYjIdHyE8EK9GM9aAkReM4BevDUuA79M6M52sI0qZN0QiKQ4Bi0aBE00yrpWqG6QZMF%2bzUMZ/DrzNzaB1Yq9Wq12VZbpiQpLokyeaTmijB2GgoF0OWFVikkxw6PQFIt1LhBKEG4AWB5TiuyrNcFdKyuEKHh9ApAdhmhmFZlquwVZ4X2n4V9AO7C4mpqnYp7CRgSFpVz3xlJXWAWSd2ngDstCCINVFstqX8%2b75aNzsJQOFCF4YW1FCa5ymkewlcICGLWrJfQtCFygzHmOAEmuUZrmaCZgWK4RXlD2l1VxEbNaAoQk0Uau2u32zKShNGkJN8gkvzs5kAZP9pb3//%2bw8Qw5V1aF8N6Bo0n6ogCmL9vOS6uohBwXAXgm8vx/EMyzEVto0qxXBloxh4Uao3Ti4aZwJK6MpHdz1dCO4R0EYJokSSxiURfJJijjAaoyp4qQI3ovaFp2sJHItEV1QNoP4lBs3SVUK3h4AZ%2bKAivd4jXuyiLz/jb76Sb79RTVU75qbfhF2dgLnfH5Hqsw%2bHT94dvPpCPN9Ftt8flEXllF5XEzg9h4bxpdIlRZWbqtxS1RvL/VoImBzUa%2biHthLQzFHTtX%2bRgL3WI9Aj0CPQI9Aj8H8T%2bAUfsKGPdvuS/gAAAABJRU5ErkJggg==' /%3e%3c/svg%3e)
**NOTE:**If this button is not displayed, then either OIDC is not enabled on the instance of Galaxy you are using, or its Okta backend is not configured, regardless you would need to contact the admin of that Galaxy instance.</div>- Clicking on the Okta button will take you to your organization's Okta login page, where you would need to login with your organization's Okta associated credentials, such as your active directory account:
- Having completed login through your organization's Okta service, you will be redirected back to Galaxy, and you will be logged in to Galaxy with your organization's Okta identity.
Login Programmatically
You can login to Galaxy using your organization's Okta credentials by directly interacting with Galaxy's
authnzcontroller. To do so, you may take the following steps:-
Type the following address in your browser, after replacing
[Base URI]with the URI of your Galaxy instance:[Base URI]/authnz/okta/loginIn other words, send an HTTP
GETrequest to the aforementioned URI. -
In response, Galaxy returns a JSON object containing
redirect_uri, which is a URL to your organization's Okta authorization endpoint with all the information required to identifying your Galaxy instance. For instance:{ "redirect_uri": "https://organization.okta.com/o/oauth2/auth?nonce= ... &state= ... &redirect_uri=http://localhost:8080/authnz/okta/callback&prompt=consent&response_type=code&client_id= ... organization.okta.com&scope=openid+email&access_type=offline", }Copy this URI and pasted it in your browsers's address bar; or in other words, send a
GETrequest to this URL. - You would then see your organization's Okta login page, and having successfully signed in, and Okta will callback Galaxy with your authentication information, which Galaxy uses to log you in.
What happens behind-the-scenes when I login to Galaxy using my organization's Okta identity?
In nutshell, Galaxy receives basic information about you from the Okta service (e.g., email address) and some OIDC security tokens such as ID token and Access token. Galaxy stores these information, and then it automatically creates a Galaxy user with its username and email set to the information provided by Okta (if you do not have a Galaxy user account).
**Note:** Neither your _email address_ and _basic profile info_, nor the OIDC tokens that Okta sends to Galaxy, grants Galaxy with access to any other services tied to your organization's Okta identity.How to disconnect my organization's Okta account from Galaxy?
When you're logged into Galaxy using your Okta identity, visit the following page:
[Base URI]/authnz/okta/disconnectwhere
[Base URI]is the URL from which the Galaxy instance you're using is accessible. For instance:http://localhost:8080/authnz/okta/disconnectThe disconnect process will remove all your organization's Okta provided tokens from Galaxy's database, but will keep your Galaxy user account active (this user is registered automatically with your email address).
How to revoke the OIDC tokens shared with Galaxy also from your organization's Okta service?
These tokens are used to validate your identity for the first time, and re-validate when the tokens are expired. You can revoke these tokens (a complementary step to the disconnect process), which will (a) invalidate the tokens stored in Galaxy's database, and (b) will prevent Galaxy from being able to refresh expired tokens.
This is not yet supported in a self-service manner for your organization's Okta service, please contact your organization's Okta specialist if you wish to have your tokens revoked.
**Note:**Your Galaxy account is independent from your third-party identity (e.g., Okta). Therefore, regardless of disconnecting your third-party identity or revoking Galaxy's OIDC-based access to your account, your Galaxy account stays active. The only tie this account has to your third-party identity after the disconnect and access revoke, is your email address. To delete this, you need to delete your Galaxy user.
