Okta SAML integration
To enable Imply Hybrid (formerly Imply Cloud) Auth for your organization, contact your Imply account representative.
This article describes how to configure Imply Hybrid to use Okta as an external identity provider with SAML.
Configuring an Okta SAML identity provider
The general flow for configuring an Okta SAML identity provider is as follows:
Authentication
The following steps ensure that your users can log in to Imply with Okta:
- Create a SAML application for Imply in Okta.
- Export the identity provider metadata document. The document includes the issuer's entity ID, the single sign-on endpoints, the validity period, and the signing certificates used to validate responses from the identity provider.
- Import the configuration into Imply Hybrid Auth.
Authorization
The following steps ensure that your users are authorized to access only the assets in Imply they should:
- Create groups (if not already present) in Okta that reflect how Imply is used.
- Create composite roles in Imply that map to the groups created in the previous step.
- Create mappers in Imply that associate those groups with the composite roles.
Before starting, make sure you are logged in as an administrator to both the Imply Hybrid and Okta consoles. Setting up an identity provider in the Imply Hybrid Auth console requires User Manager role permissions.
Step 1: Add the identity provider in the console
- Log in to the Imply user management console.
- Click Identity Providers from the left menu.
- Open the Add provider menu, and choose SAML.
- For the Alias, enter a unique alias for this identity provider. Notice that the alias appears in the Redirect URI path. Copy the Redirect URI and the Service Provider Entity ID shown on this page; you will need both in the next step when you add an application for Imply in Okta.
- Optionally, choose the first login flow and post login flow. By default, the first login flow uses first broker login. For details, see Configuring authentication flows.
You will return to the Imply Hybrid Auth console to complete the identity provider configuration in Step 3. First, switch to the Okta administration console, as described in the following step.
Step 2: Create the application in Okta
Log in to the Okta administration console as an administrator and follow these steps to create an application for Imply Hybrid.
From the Okta home page, create a new application:
- Click the Admin button at the right side of the top menu.
- Click Applications from the left navigation tree.
- Click Add Application.
In the Create a New Application Integration dialog:
- Choose Web from the Platform menu.
- For the Sign-on method, select SAML 2.0.
- Click Create.
In the General Settings, enter a name for the app, such as Imply Hybrid, and click Next.
For the Single sign on URL, paste the Redirect URI value that you copied from the Imply Auth identity provider page in the previous step. This is the endpoint to which Okta posts its SAML responses.
For the Audience URI (SP Entity ID) field, paste the Service Provider Entity ID value from the same Imply identity provider page. It must match exactly, because the audience restriction in Okta's assertions is checked against it.
Complete the steps in the Okta application integration Wizard, including assigning the app to users. The completed configuration should look something like this:
The group configuration will result in the following Okta groups:
Step 3: Configure the SAML Config settings
Back in the identity provider settings in the Imply Hybrid Auth console, complete the configuration as follows:
- In the SAML Config section of the new identity provider configuration, paste Okta's Identity Provider Single Sign-On URL into the Single Sign-On Service URL field. In Okta, this URL, the Identity Provider Issuer, and the X.509 signing certificate are shown on the application's Sign On tab under View Setup Instructions.
- For the Single Logout Service URL, enter the Okta endpoint to which Imply sends SAML logout requests when a user logs out, if you enabled single logout for the application in Okta, and complete any other optional fields on the page. If the console offers signature validation, enable it and supply Okta's X.509 signing certificate, so that Imply rejects assertions that Okta did not sign. The configuration should appear similar to the following:
- Click Save.
You should now be able to log in to Imply Hybrid with an Okta-authenticated session. In most cases, however, you will also want to map user attributes from Okta to roles in Imply, as described in the next step.
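The SAML Config fields above are the same values carried by the Okta identity provider metadata document mentioned in the Authentication overview. The following script, an added example that is not Imply or Okta code, pulls those values out of such a document so they can be pasted into Step 3, and refuses a document that is not identity provider metadata or that carries no signing certificate, since without one Imply could not validate Okta's assertions. The entity ID, URLs and certificate in SAMPLE_METADATA are constructed placeholders, not values from a real tenant. Python's xml.etree is used for brevity; for metadata fetched from a source you do not control, parse with defusedxml instead.

```python
"""Extract Imply SAML Config field values from Okta IdP metadata.

Added example, not Imply or Okta code. SAMPLE_METADATA is a constructed
document: the entityID, endpoint URLs and certificate are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the DER certificate bytes; a real document carries
# the base64 of Okta's signing certificate here.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed sample certificate bytes").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="http://www.okta.com/exkCONSTRUCTEDSAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data>
          <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/sample/exkCONSTRUCTEDSAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example.okta.com/app/sample/exkCONSTRUCTEDSAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoint(idp, element, preferred=(HTTP_POST, HTTP_REDIRECT)):
    """Return the Location of the first endpoint that uses a supported binding."""
    by_binding = {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{element}", NS)}
    for binding in preferred:
        if binding in by_binding:
            return by_binding[binding]
    return None


def parse_idp_metadata(xml_text: str) -> dict:
    """Map an IdP metadata document onto the Step 3 SAML Config fields."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop line wrapping
            base64.b64decode(b64, validate=True)       # reject a mangled certificate early
            certs.append(b64)
    if not certs:
        raise ValueError("metadata has no signing certificate; assertions could not be validated")

    return {
        "issuer": root.get("entityID"),
        "single_sign_on_service_url": _endpoint(idp, "SingleSignOnService"),
        "single_logout_service_url": _endpoint(idp, "SingleLogoutService"),
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "wants_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "signing_certificates": certs,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The issuer maps to the Okta Identity Provider Issuer, the single sign-on URL to the Single Sign-On Service URL field, and the certificate to whatever signature validation setting the console provides. A missing SingleLogoutService simply means Okta has no single logout endpoint configured for the app, so the Single Logout Service URL field can be left empty.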
Step 4: Add user role mappings
Mappers associate user attributes sent by the identity provider with roles in Imply. Before configuring mappers, set up the Imply roles you intend to assign, since you will map SAML attributes from Okta to those roles.
Also verify that Okta sends SAML attributes that make sense to map to roles in Imply, such as a group or team attribute. If suitable attributes don't already exist, you may need to add them to the Okta application as attribute statements for this purpose.
To add a mapper, follow these steps:
- Click the Mappers tab in the Identity Provider settings page and then click Create.
- In the mapper configuration, enter a name for the mapper.
- For the Sync Mode Override, choose one of the following:
- import: apply the mapping only once, when the user is first created at first login.
- force: reapply the mapping at every login, so that later changes in Okta are reflected in Imply.
- inherit: use the sync mode configured for the identity provider. The other two options override that setting.
- For the Attribute Name, enter the name of the SAML attribute sent by Okta that you want to match.
- For the Attribute Value, enter the value of that attribute that should grant the role. Users whose attribute carries exactly this value receive the role.
- For the Role, click Select Role and choose the Imply role to assign to users who have the specified value for the configured attribute.
As shown, this mapper assigns users who have the value Platform Team for the admin attribute to the admin role in Imply, giving them permission to perform cluster operations in the Imply Manager. Add mappers for any other roles you want to assign, such as a role for analysts who can view and create dashboards and alerts but cannot perform actions on clusters.
- Click Save.
Users can now log in to Imply Hybrid with authenticated Okta sessions.
Optionally, you can also map attribute statements from Okta to user attributes in Imply. This saves users from having to enter a username, email address, or other attributes at first login. The following screenshot shows the attribute statement configuration for an Okta SAML application:
Configure the attribute mapper as you would a role mapper to have the attribute value propagated to Imply Hybrid.
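To see how the Step 4 role mappers, the Sync Mode Override, and the optional attribute mapping act on what Okta actually sends, here is a small model of that evaluation. It is an added example, not Imply code: it reads the attribute statements out of a constructed assertion (SAMPLE_ASSERTION, not a real Okta response), applies mappers configured like the ones in Step 4, and shows why the choice of sync mode matters for revocation. The mapper class, the role names, and the sync rules are as the text describes them; the real broker validates the assertion's signature before any attribute is read, which this model omits.

```python
"""Model of attribute-to-role mappers and the Sync Mode Override applied to
the AttributeStatement of an Okta SAML assertion.

Added example, not Imply code. SAMPLE_ASSERTION is constructed; the mapper
names and role names are illustrative.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass(frozen=True)
class AttributeToRoleMapper:
    name: str             # mapper name shown in the console
    attribute_name: str   # SAML attribute Name sent by Okta
    attribute_value: str  # value that grants the role
    role: str             # Imply role to assign


# Mappers as described in Step 4: one for cluster admins, one for analysts.
MAPPERS = [
    AttributeToRoleMapper("platform-team-admin", "admin", "Platform Team", "admin"),
    AttributeToRoleMapper("analysts", "groups", "Analysts", "analyst"),
]

# Constructed attribute statement: a multi-valued group attribute plus the
# email attribute an optional attribute mapper would propagate to Imply.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML['saml']}" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="admin">
      <saml:AttributeValue>Platform Team</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>Analysts</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes_from_assertion(xml_text: str) -> dict:
    """Collect every AttributeStatement into {attribute name: [values]};
    multi-valued attributes such as group lists keep all their values."""
    root = ET.fromstring(xml_text)
    attrs: dict = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def roles_from_mappers(attrs: dict, mappers) -> set:
    """Exact, case-sensitive match of the configured value against any value
    of the named attribute: 'Platform team' does not match 'Platform Team'."""
    return {m.role for m in mappers if m.attribute_value in attrs.get(m.attribute_name, [])}


def sync_roles(current: set, mapped: set, mode: str, first_login: bool,
               provider_mode: str = "import") -> set:
    """Apply the Sync Mode Override to a user's mapper-derived roles.

    import: roles are set only when the user is first created.
    force:  mappings are reapplied at every login.
    inherit: defer to the identity provider's own sync mode.
    """
    effective = provider_mode if mode == "inherit" else mode
    if effective not in ("import", "force"):
        raise ValueError(f"unknown sync mode {effective!r}")
    if effective == "force" or first_login:
        return set(mapped)
    return set(current)


if __name__ == "__main__":
    attrs = attributes_from_assertion(SAMPLE_ASSERTION)
    print("attributes:", attrs)
    print("roles:", sorted(roles_from_mappers(attrs, MAPPERS)))
```

The sync_roles function makes the practical consequence of the Sync Mode Override visible: with import, a user who is removed from the Platform Team in Okta keeps the admin role in Imply on later logins, and only force (or inherit with the provider set to force) drops it. If roles in Okta are meant to be authoritative, choose force.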