Skip to content

Saml with Okta

This guide walks you through configuring Okta as a SAML SSO identity provider (IdP) for Ostorlab.

Prerequisites

Note: The screen shots below are using the Okta Classic UI. You can switch to it by clicking the gear icon on the upper right corner of the screen.

Creating the Okta Application

The first step is to create a new Okta Application Integration. Of the various “sign on methods” available, choose SAML 2.0.

Create Okta Application

Configuring the Application

Next you will be guided through a wizard to configure the Okta application. The first step is to give it a name—Ostorlab for example—and an icon. Create Saml Integration

The next step is to configure the SAML application’s settings.

Warning: The values you need to use are dependent upon your Ostorlab organisation prefix. Be sure to replace <organisation_prefix> with your actual organisation prefix. You can find your org’s prefix in your organisation's settings page.

SAML Setting Value
Single Sign-on URL https://api.ostorlab.co/saml/acs/?org=<organisation_prefix>
Audience URI https://api.ostorlab.co/saml/metadata/
Default Relay State Unknown (Needs to be replaced)
Name ID Format EmailAddress or Persistent
App username Email

Important: Do not change the value of Name ID Format value once your users have started using Ostorlab—not even switching its value between EmailAddress or Persistent

In addition, you can optionally provide two attribute statements so that users who sign in with their Okta credentials will have proper user names. | Attribute | Value | |--|--| | firstName | user.firstName | | lastName | user.lastName |

Configure Saml Settings

User Assignments

After the Ostorlab SAML application has been created in Okta, the next step is to assign users to it. This will grant specific users or groups access to sign into Ostorlab with their Okta-provided credentials.

To assign users or groups to the application, navigate to the Assignments tab on the application page. User Assignments.

Configuring Your Ostorlab Organisation

The final step is to configure Ostorlab with details on your new Okta-based SAML application. To do this, you need to obtain the IDP metadata document from Okta and then provide it to Ostorlab.

First, navigate to the Sign On tab on the application page and click the “View Setup Instructions” button. View Setup Instructions

Next, scroll to the bottom of the setup instructions and select the value in the large text box with the heading “Provide the following IDP metadata to your SP provider”. That’s the full SAML Identity Provider SSO descriptor, which contains all of the settings Ostorlab needs to verify a user’s identity.

With the block of XML text in your clipboard, navigate to the SAML integration section.

Select CONFIGURATION and paste the IDP metadata descriptor into the bottom card titled SAML SSO Settings. Then select Update.

Once the IDP metadata descriptor has been saved, you are all set to log into Ostorlab.

Signing into Ostorlab with Okta

Members of your Google Workspace can now sign into Ostorlab. Navigate to https://report.ostorlab.co/account/login, click LOGIN VIA SSO and enter the prefix of your Ostorlab organisation.