Configuring Okta SAML (beta)

Imply Cloud Auth with SSO support is a beta feature for Imply Cloud. See About experimental features for more information about beta features.

This topic describes how to configure Imply Cloud to use Okta as an external identity provider with SAML.

Configuring Okta SAML identity provider

The following procedures describe how to integrate Imply with SAML in four steps:

Before starting, make sure you are logged in as an administrator to both the Imply Cloud and Okta consoles. Setting up an identity provider in the Imply auth console requires User Manager role permissions.

Step 1: Add the identity provider in the Imply auth console

  1. Log in to the Imply auth console and click Identity Providers from the left menu.
  2. Open the Add provider menu, and choose SAML. SAML config
  3. For the Alias, enter a unique alias for this identity provider. Notice that the alias appears in the Redirect URI path, which you will use in the next step to add an application for Imply in Okta: SAML config
  4. Optionally, choose the login flog and post login flows. By default, the first login flow uses first broker login. For details, see configuring authentication flow.

You will return to complete the identity provider configuration in the Imply auth console, but next switch to the Okta configuration console as described in the following step.

Step 2: Create the application in Okta

As an Okta administrator, create an application for Imply Cloud in the Okta administration console as follows.

  1. From the Okta home page, create a new application:
    1. Click the Admin button at the right side of the top menu.
    2. Click Applications from the left navigation tree.
    3. Click Add Application.
  2. In the Create a New Application Integration dialog:
    1. Choose Web from the Platform menu.
    2. For the Sign-on method, select SAML 2.0.
    3. Click Create.
  3. In the General Settings, enter a name for the app, such as Imply Cloud, and click Next.
  4. For the Single sign on URL, paste the Redirect URL that you copied from the Redirect URI value of the Imply Auth identity provider from the previous step.
  5. For the Audience URI (SP Entity ID) field, you can use the same Redirect URL copied from the Service Provider Entity ID field from the previous step.
  6. Complete the steps in the Okta application integration Wizard, including assigning the app to users.

Step 3. Configure the SAML Config settings

Back in the identity provider settings in the Imply auth console, complete the configuration as follows:

  1. In the SAML Config section of the new identity provider configuration, paste the Okta SAML request URL into the Single Sign-On Service URL field.
  2. Add a logout URL, the URL to which logged out users are directed in the Single Logout Service URL, along with any other optional fields on the page. The configuration should appear similar to the following: SAML config
  3. Click Save.

You should now be able to access Imply Cloud with an authenticated session. However, in most cases, you will want to map user attributes to roles in Imply, as described in the next step.

Step 4. Add user role mappings

After adding a identity provider configuration, you can map user attributes derived from the identity provider to roles in Imply.

Before configuring mappers, you must also set up user roles, since you'll be mapping to those roles. You also need to configure the Imply Cloud application in Okta to include group attribute statements. For details, see the Okta documentation on creating a SAML integration.

To add a mapper, follow these steps:

  1. Click the Mappers tab in the Identity Provider settings page and then click Create.
  2. In the mapper configuration, enter a name for the mapper.
  3. For the Sync Mode Override, choose from these options:
    • Choose import to import data only from when the user was first created at first login.
    • Choose force to update user data at each user login.
    • Choose inherit to use the sync mode configured in the identity provider, all other options will override this sync mode.
  4. For the Attribute Name, enter the name of the Okta user attribute to which you want to map Imply roles.
  5. For the Attribute Value, enter the value of the attribute you entered to which you want to map Imply roles.
  6. For the Role, click Select Role and choose the Imply role to which you want to map this users that have the specified value for the attribute configured. Your configuration should look something like: SAML config As shown, this mapper assigns users who have a value of Platform Team for the admin attribute to the admin role in Imply, giving them permissions to perform cluster operations in the Imply Manager. Add additional mappings for other roles you want to assign, such as a role for Analysts who can view and create dashboards and alerts but cannot perform actions upon clusters.
  7. Click Save.

Users can now log in to Imply Cloud with authenticated Okta sessions.

Optionally, you can map attribute statements from Okta to user session attribute values in Imply as well. This lets users avoid having to provide usernames and email addresses or other attributes at first login. The following screenshot shows the attribute statement configuration for an Okta SAML application:

SAML config

Configure the attribute mapping as you would a role mapping to have the attribute value propagated to Imply Cloud.

Configuring Okta OIDCConfiguring LDAP for Imply SSO