Okta SSO

An overview of the process to configure SSO connections between ChaosSearch and Okta

Okta is an identity management tool. It helps IT organizations scale and secure their user base easily, across different platforms. ChaosSearch supports SSO integration with Okta, which means your organization can easily incorporate ChaosSearch into your application base in Okta and let your users securely access ChaosSearch from their end-user dashboard.

The Okta support includes steps for an SP-initiated bookmark-based authentication, as well as an IdP-based bookmark form of authentication. The following is an outline of the process to configure Okta; the steps could vary with updated Okta versions or your organization's policies.

Okta SP-Initiated Authentication Setup

This section provides an overview of the information and procedures to configure SP-initiated SSO access to ChaosSearch.

Overview of the SP-Initiated Authentication Process

In this setup, Okta users connect to the ChaosSearch portal at their configured domain, and click Single Sign On on the login page. They are redirected through the Auth0 broker to their Okta IdP authentication service, where they can authenticate and be redirected back to the Auth0 and the ChaosSearch portal with their user account and group authorizations.

In this configuration, the Okta administrator at the customer site must:

ChaosSearch will provide the SSO URL and entity ID, such as the following examples:

The Okta Admin of the account must add the following Attribute Statement:

  • Name: email
  • Name format (optional): Unspecified
  • Value: ${user.email}

📘

After you complete the Okta configuration

Make sure that obtain the Identity Provider Single Sign-On URL and you must download a copy of the Okta X.509 certificate to give to ChaosSearch.

The customer ChaosSearch administrator will create sub-accounts in ChaosSearch and ensure that the username is the email address that matches the Okta email address for each account.

Okta Boomark-Style Authentication Setup

For customers who would prefer their users to access ChaosSearch after authenticating with their company Okta IdP, this section describes the steps to configure bookmark-based SSO access to ChaosSearch.

📘

Transitioning existing SP-initiated integrations to Boomarks

For customers who have configured an existing SP-initiated authentication, and who want to transition to bookmarks on their Okta portal, it is recommended that the customer Okta administrator leave the existing SP application configuration in place. That is, do not delete the existing application configuration in Okta, and just create a new application for the IdP authentication and accompanying bookmark. You can transition your end users from the SP-connection to the new IdP bookmarks, while the existing connection remain in place as a backup.

Overview of the Application Bookmark Process

Application bookmarks allow administrators to define connections to important business services and applications, and to make those connections available to the users who need access. The bookmarks appear as links in the Okta dashboard alongside links and icons to their other business applications.

To create an SSO bookmark connection to ChaosSearch, the Okta administrators must:

  • Add an Okta SAML application.
  • Define an application bookmark for ChaosSearch and grant users permission to it.

The process also requires similar application and Auth0 setup steps as for the SP-initiated authentication described earlier in the topic.

  • The ChaosSearch team must define the Auth0 connection to the customer's Okta IdP, and will the following values to the customer for there Okta administrator:

    • Single sign on URL. The SAML Post URL location, also referred to as the SAML Assertion Consumer Service (ACS) URL for the target application. This is a value similar to: https://chaossearch-customer.com/login/callback?connection=customer-okta

    • Audience URI. The application-defined unique ID that is the intended audience of the SAML assertion. This is a value similar to: urn:auth0:chaossearch-customer:customer-okta.

  • The customer administrator must supply the following information to ChaosSearch to sign the communication:

    • The X.509 token signing certificate
    • The customer's sign-in URL

📘

Step Compatibility

The following steps could vary slightly for different versions of the Okta software.

Add an Okta SAML Application

The Okta Admin user creates a SAML application to configure the authentication details with their service. This initial application is typically not visible to their users, but later in these steps, you will create a Bookmark App to make the ChaosSearch application accessible to permitted users.

The customer Okta application administrator must complete the procedures to add an application and bookmark for the ChaosSearch integration.

To add a SAML application in your Okta tenant:

  1. Sign in to your Okta tenant as an administrator.
  2. In the Admin Console, navigate to Applications > Applications.
  3. Click Create App Integration.
  4. In the Create a new app integration dialog, choose SAML 2.0 and click Next.
  5. Type an App name such as Direct access to ChaosSearch and click Next.
  6. In the Configure SAML step, in the SAML Settings section, enter the values for:
    a. Single sign on URL: Specify the single sign-on URL that you obtained from ChaosSearch.
    b. Audience URI: Specify the Audience URI value that you obtained from ChaosSearch.
  7. Click Next.
  8. In the last page, select I'm an Okta customer adding an internal app, and click Finish.

To configure a bookmark in Okta:

  1. Log into the Okta portal as an Admin user.
  2. Click Add apps in the left pane.
  3. Search for bookmark app and click the option to Add a bookmark instead.

  1. In the Add Bookmark window, specify the following values:
    a. In the App URL field, type the login URL to your ChaosSearch instance.
    b. In the App name field, type a unique name for the bookmark app that your users will recognize like ChaosSearch.

  1. Click Add bookmark.
  2. Click Done. The application is added and the Assignments tab opens. (If you returned to the app, select the Assignments tab.)
  3. Assign individual users or a group to the application. Okta Admin users must assign the bookmark application to the users who require ChaosSearch access.

Connecting to ChaosSearch

After the Okta configuration and the ChaosSearch Auth0 configuration is complete, permitted Okta users can connect to the ChaosSearch console by clicking the bookmark on their Okta dashboard.