Twingate Integration
This guide will show you how to set up an integration between Indent and Twingate. Once complete, you'll be able to use Twingate to grant secure on-demand server access.
Components
This page assumes you completed the Indent Quickstart. (11 min setup)
- Twingate Account and at least one Connector
- Twingate Client
- Okta Account
- AWS S3
- AWS Lambda
- GitHub Actions
Once the integration is complete, you'll be able to grant access and create policies based on your existing Okta Groups.
Configuration
This guide uses GitHub Actions and Terraform to deploy an Indent + Okta integration. A Twingate + Okta integration will then seamlessly integrate both services. S3 will be used to store Terraform state, and AWS Lambda will run the webhook.
1. Follow the Indent + Okta Guide
- Open the Indent + Okta docs
- Follow the Configuration instructions
- Test your integration with the Using Indent + Okta Groups instructions
2. Follow the Twingate + Okta Guide
- Open the Twingate + Okta integration docs
- Follow the instructions until you reach the end of the Configure SCIM User & Group Sync page
3. Assign Resources to Twingate Groups
- In your Twingate Admin console click on an Okta Group where you would like to test ephemeral access
- If your Group is missing Resources, you likely need to set up a Twingate Connector and assign the Resource
- If your Twingate Admin console is missing Groups, you may need to re-visit the Twingate + Okta guide or upgrade your Twingate license
Using Indent + Twingate
Congrats! Your Twingate integration is ready.
Now it's time to use Indent + Twingate to get secure on-demand and ephemeral access to Resources.
- Try visiting the request page on the Indent dashboard, or create a request in Slack
  - If you have the Slack integration set up, you can type /access or click the lightning bolt to submit a request
  - Your request should be for an Okta User to be granted access to the Okta Group you checked in the Assign Resources to Twingate Groups step
- On your Petitions page you should be able to see your request as part of a petition. Try clicking the petition to view more details.
- From the petition details page, click the Review Petition button and follow the prompts
Once approved, you'll be a member of the Okta Group. You can now authenticate using your Twingate Client, and easily access Resources.
Summary
You added an Indent + Twingate integration. You're now able to request ephemeral and secure on-demand server access using Indent + Twingate. Try SSH'ing into a server, or following one of the many use cases supported by Twingate.
Questions
Where do I view the code I'm deploying?
There are direct code examples in the Indent APIs GitHub. Take a look at the code that runs in these webhooks:
Why don't I see my Twingate Resources after making a Request?
The Okta Group you're requesting access to needs to also be associated with a Resource in Twingate's Admin console.
- If your Group is missing Resources, you likely need to set up a Twingate Connector and assign the Resource
- If your Twingate Admin console is missing Groups, you may need to re-visit the Twingate + Okta guide or upgrade your Twingate license
Where can I find a list of all of the secrets?
Name | Description |
---|---|
INDENT_WEBHOOK_SECRET | Get this from the Indent Webhook you created while setting up your space |
OKTA_DOMAIN | Your Okta Domain. This is your Okta URL like example.okta.com |
OKTA_CLIENT_ID | Your Service App's Client ID. Get this from the Okta Admin Dashboard or from the Okta API Response value you got when setting up your app |
OKTA_PRIVATE_KEY | The private RSA key you used to create your Service App |
OKTA_SLACK_APP_ID | Your Okta Slack App ID. Go to Okta Admin Console → Applications → Select "Slack" and copy the value from the URL, e.g. 0oabcdefghijklmnop from example-admin.okta.com/admin/apps/slack/0oabcdefghijklmnop/ |
AWS_REGION | The AWS Region where you want to deploy the webhooks |
AWS_ACCESS_KEY_ID | Your Programmatic AWS Access Key ID |
AWS_SECRET_ACCESS_KEY | Your Programmatic AWS Secret Access Key |
AWS_SESSION_TOKEN | Optional: Your AWS Session Token. Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires |
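A preflight check over the secrets in the table above, as an added example that is not Indent's or Twingate's own code: it flags the paste and format mistakes that otherwise only show up when the deployment runs. The function name `check_secrets` and the assumption that OKTA_PRIVATE_KEY is PEM-armoured are illustrative; the secret names are the ones listed in the table.

```python
import re

# Names come from the secrets table; AWS_SESSION_TOKEN is the optional one.
REQUIRED = ["INDENT_WEBHOOK_SECRET", "OKTA_DOMAIN", "OKTA_CLIENT_ID",
            "OKTA_PRIVATE_KEY", "OKTA_SLACK_APP_ID", "AWS_REGION",
            "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"]

def check_secrets(env):
    """Return a list of problems found in a {secret name: value} mapping."""
    problems = [f"{n}: missing or empty" for n in REQUIRED
                if not env.get(n, "").strip()]
    # Stray whitespace from copy/paste silently changes single-line secrets.
    for name, value in env.items():
        if name != "OKTA_PRIVATE_KEY" and value.strip() and value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")

    domain = env.get("OKTA_DOMAIN", "").strip()
    # The table asks for a host like example.okta.com, not a full URL.
    if domain and not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", domain):
        problems.append("OKTA_DOMAIN: use the bare hostname, no scheme or path")

    app_id = env.get("OKTA_SLACK_APP_ID", "").strip()
    # Only the ID segment of the admin console URL belongs here.
    if app_id and not re.fullmatch(r"[A-Za-z0-9]+", app_id):
        problems.append("OKTA_SLACK_APP_ID: paste the ID segment, not the URL")

    key = env.get("OKTA_PRIVATE_KEY", "").strip()
    # Assumption: the key is PEM-armoured; other encodings are not inspected.
    if key.startswith("-----BEGIN"):
        if "PRIVATE KEY-----" not in key.splitlines()[0]:
            problems.append("OKTA_PRIVATE_KEY: PEM block is not a private key")
        elif "-----END" not in key or not key.endswith("PRIVATE KEY-----"):
            problems.append("OKTA_PRIVATE_KEY: PEM footer missing (truncated?)")

    region = env.get("AWS_REGION", "").strip()
    if region and not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d+", region):
        problems.append("AWS_REGION: expected a region code such as us-east-1")
    # ASIA-prefixed access key IDs are temporary (STS) credentials, which AWS
    # rejects unless the matching session token is supplied with them.
    if (env.get("AWS_ACCESS_KEY_ID", "").strip().startswith("ASIA")
            and not env.get("AWS_SESSION_TOKEN", "").strip()):
        problems.append("AWS_SESSION_TOKEN: required with a temporary access key")
    return problems

# Constructed sample (placeholder values): five secrets unset, three malformed.
SAMPLE = {"INDENT_WEBHOOK_SECRET": "placeholder-secret\n",
          "OKTA_DOMAIN": "https://example.okta.com",
          "AWS_ACCESS_KEY_ID": "ASIAEXAMPLEEXAMPLE00"}

if __name__ == "__main__":
    print("\n".join(check_secrets(SAMPLE)))
```

Run it against exported values before pushing to the main branch; an empty result means none of these checks fired, not that the credentials are valid.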
How do I redeploy the webhook?
The repo you created from a template auto-deploys to AWS when you push or merge PRs to the main branch. You can manually redeploy the webhooks by re-running the latest GitHub Action job.
How do I ask for help?
If you have questions or need help with your integration, try chatting with Indent Support.