Learn about the administrative features to configure and manage important settings of the application, such as authorization policies, user invitations, API keys, and more.
Administration
- 1: Manage access to Endor Labs
- 2: Manage API keys
- 3: Configure system settings
- 4: Manage user invitations
- 5: Set up namespaces
- 6: Set up SSO with Endor Labs
1 - Manage access to Endor Labs
Endor Labs comes with a built-in attribute-based access control system. Attribute-based access control (ABAC) is an authorization model that evaluates attributes (the characteristics of an identity), rather than roles, to determine access.
Endor Labs uses external identity providers to authenticate all users and the attributes associated with the identity to authorize them.
Configure authorization with Endor Labs
Authorization in Endor Labs is defined by a set of authorization policies. Authorization policies define the permissions provided to an identity authenticated by a supported identity provider when that identity meets specific rule criteria defined as attributes or claims about the identity.
Authorization policies must contain the following information:
- The supported identity provider from which a given identity comes.
- The permissions provided to an identity when specific rule criteria are met.
- An optional expiration time for the policy.
- The rule criteria, or claims, that the identity must have to be authorized to access Endor Labs.
After setting up the authorization policy, you can invite users to Endor Labs.
Authorization policy roles
Endor Labs comes with several out-of-the-box authorization policies to enable the principle of least privilege for its users. The out-of-the-box authorization policy roles are:
Role | Access | Module | Description |
---|---|---|---|
Policy Editor | Complete read and write access | Policies and policy templates | Primarily used to allow users to manage policies. |
Policy Editor | Export | Export SBOM and VEX | |
Policy Editor | Complete read and write access | Notifications | |
Policy Editor | Read-only | All modules | |
Code Scanner | Scan | Projects and repositories | Primarily used for a CI/CD-based service account. |
Code Scanner | Complete read and write access | Policies and policy templates | |
Code Scanner | Complete read and write access | Projects and repositories | |
Code Scanner | Complete read and write access | Findings | |
Code Scanner | Complete read and write access | Notifications | |
Code Scanner | Read-only | All modules | |
Read-Only | Read-only | All modules | Primarily used to grant read-only access to all modules in the application. |
Read-Only | Export | Export SBOM and VEX | |
Admin | Complete read and write access | All modules | Primarily used to grant complete access to the application. |
Supported authentication providers
Authentication through Endor Labs is done through an external identity provider. Some authentication mechanisms are generally designed for human users, while others are designed for machine identities.
Supported authentication mechanisms designed for human users include:
- Google - Authentication is provided through a user's Google Workspace or Gmail account.
- GitHub - Authentication is provided through a user's GitHub account.
- GitLab - Authentication is provided through a user's GitLab account.
- Email - Authentication is provided through an email link sent to a user.
- Custom Identity Providers - An enterprise identity provider such as Okta or VMware One, which uses the SAML or OIDC protocol. Learn more at our documentation on setting up a custom identity provider.
Authentication mechanisms designed for machine identities, such as continuous integration or automation systems include:
- Google Cloud - With Google Cloud workload identity federation, service accounts may be used to federate identity to Endor Labs. Learn more at our documentation on setting up keyless authentication.
- GitHub Action OIDC - With GitHub Action OIDC you can federate the identity of your workloads to Endor Labs. Learn more at our documentation on setting up keyless authentication.
- AWS Role - With AWS identity federation, the AWS ARN of a role acts as the identity of a machine user. Learn more at our documentation on setting up keyless authentication.
Set up authorization policies
To set up an authorization policy for your Endor Labs tenant:
- Go to Manage > Access Control on the left-hand navigation.
- Ensure you are on the Auth Policy top navigation tab.
- Click Add Auth Policy.
- Select the identity provider that you would like to set up an authorization policy for.
- Select the permissions that a matching identity is authorized for.
- Select an expiration time for which an authorization rule may exist in the system.
- This may be either No expiration, 24 hours, 72 hours, one week, two weeks, or 30 days.
- Select the claims for which the authorization rule will provide access.
- For GitHub and GitLab, this may be the user's platform handle.
- For Google, this may be the user's email address or the domain of the email address.
- For a custom identity provider, this may be set to a key-value pair associated with the claims provided by your external identity provider.
- For Email, this may be the email address an authentication link is sent to.
- For GitHub Action OIDC, this may be the organization or repository under which a workload runs.
- For AWS Role, this may be the AWS ARN of the role the machine is set to impersonate.
- For Google Cloud, this may be the principal email of a service account the workload is set to impersonate.
- Under Advanced, you may select a set of namespaces to which an authorization policy applies. If you choose to propagate this policy to all child namespaces, the authorization policy will be applied to the selected namespaces and their children.
- Click Add Auth Policy to save your authorization policy.
After adding the authorization policy, a user with the corresponding authorization claims can sign in to Endor Labs with their configured permissions.
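The policy evaluation described in this section, as an added example that is not Endor Labs' code: a small Python model of ABAC authorization in which a policy is bound to one identity provider, carries rule criteria (claims), a permission set, an optional expiration, and a set of namespaces with an optional propagate-to-children flag. The field names, the role identifiers (code-scanner, policy-editor, read-only), the provider names okta-saml and email, the identities and the fixed clock are all constructed for illustration. Claim values are compared case-sensitively, and a multi-valued claim such as groups matches when any of its values equals the rule value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Union

# Fixed "current time" so the expiration check in the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class AuthPolicy:
    """Hypothetical model of an authorization policy; field names are assumptions, not the product's API."""
    provider: str                          # identity provider the policy is bound to
    claims: Dict[str, str]                 # rule criteria: every listed claim must match
    permissions: Set[str]                  # role(s) granted when the rule matches
    namespaces: Set[str]                   # fully qualified namespaces the policy applies to
    propagate: bool = False                # also apply to every child namespace
    expires_at: Optional[datetime] = None  # None means no expiration


@dataclass
class Identity:
    """An authenticated identity: the provider that vouched for it plus its claims."""
    provider: str
    claims: Dict[str, Union[str, List[str]]]  # a list value is a multi-valued claim such as groups


def claim_matches(identity_claims, key, required):
    """Case-sensitive comparison; a multi-valued claim matches if any of its values equals the rule value."""
    value = identity_claims.get(key)
    if value is None:
        return False
    if isinstance(value, list):
        return required in value
    return value == required


def namespace_covered(policy, namespace):
    """Exact namespace match, or a descendant match when the policy propagates to children."""
    if namespace in policy.namespaces:
        return True
    if policy.propagate:
        return any(namespace.startswith(parent + ".") for parent in policy.namespaces)
    return False


def policy_applies(policy, identity, namespace, now):
    """All four gates must pass: provider, expiration, namespace scope, and every claim rule."""
    if policy.provider != identity.provider:
        return False
    if policy.expires_at is not None and now >= policy.expires_at:
        return False
    if not namespace_covered(policy, namespace):
        return False
    return all(claim_matches(identity.claims, key, value) for key, value in policy.claims.items())


def effective_permissions(policies, identity, namespace, now=NOW):
    """Union of the permissions of every policy that applies to this identity in this namespace."""
    granted = set()
    for policy in policies:
        if policy_applies(policy, identity, namespace, now):
            granted |= policy.permissions
    return granted


def demo_policies():
    """Constructed policies following the abccorp example from the namespace section of these docs."""
    return [
        # developers group may scan in the dev-team namespace only
        AuthPolicy("okta-saml", {"groups": "@developers.abccorp.ai"}, {"code-scanner"},
                   {"abccorp.security-bu.dev-team"}),
        # application security group edits policies at tenant level, propagated to all children
        AuthPolicy("okta-saml", {"groups": "@applicationsecurity.abccorp.ai"}, {"policy-editor"},
                   {"abccorp"}, propagate=True),
        # email-link contractor whose 24-hour policy expired an hour ago
        AuthPolicy("email", {"email": "contractor@example.com"}, {"read-only"},
                   {"abccorp"}, propagate=True, expires_at=NOW - timedelta(hours=1)),
    ]


if __name__ == "__main__":
    dev = Identity("okta-saml", {"email": "dev1@abccorp.ai", "groups": ["@developers.abccorp.ai"]})
    print(effective_permissions(demo_policies(), dev, "abccorp.security-bu.dev-team"))
```

Running the block prints the permissions the developer identity holds in abccorp.security-bu.dev-team. The same identity gets nothing in a sibling namespace, a differently cased group value gets nothing, the same claims arriving through a different provider get nothing, and the expired contractor policy grants nothing at the fixed clock but did grant read-only two hours earlier. Walking a new policy through checks like these before inviting users is the cheapest way to confirm it grants exactly the least privilege intended.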
2 - Manage API keys
Use API keys to interact with Endor Labs services programmatically and to enable automation or integration with other systems in your environment. Users can generate API keys using endorctl or directly from the application's user interface.
Create an API Key
To gain REST API access to Endor Labs endpoints, you have to generate API credentials for your API user.
- From Manage, navigate to API Keys.
- Select Generate API Key.
- Enter a name to identify the API key.
- Select the permissions to apply to the API Key.
- Select the expiration date of the API key. This may be either 30, 60, or 90 days.
Using these credentials, you can configure Endor Labs scans in your CI/CD pipeline, or set up the Endor Labs Visual Studio Code extension. See scanning with endorctl and use Endor Labs extension in Visual Studio Code for details.
Delete an API Key
Delete the API keys that are expired or no longer in use.
- From Manage, navigate to API Keys.
- Find the API key that you would like to delete.
- Select the trash can icon at the far right.
- Confirm deletion of the API key.
You can also delete API keys using endorctl.
endorctl api delete --resource=APIKey --name=<API_Key_Name>
3 - Configure system settings
Administrators can configure the following settings to customize certain interactions with Endor Labs:
Configure SBOM settings
You can configure organizational settings that will be included in every one of your organization’s SBOMs. These settings allow you to meet NTIA requirements for minimum SBOM data fields which require supplier contact information for your organization.
To define your organization’s SBOM settings:
- Navigate to Settings on the left pane of the Endor Labs application.
- Select SYSTEM SETTINGS.
- Enter the following organizational SBOM settings as appropriate for your organization under SBOM Settings.
- Organizational Name - The organization that supplied the library or application that the SBOM describes.
- Contact Name - A contact at the organization for SBOM related inquiries.
- Contact Email Address - The organizational contact’s email address.
- Supplier URL - The website URL of the organization supplying the SBOM.
- Select Save CycloneDX Settings.
Configure policy settings
Endor Labs comes with several out-of-the-box policies that help you ensure the security posture of your code repositories, detect secret leaks, discern license risks, and make your code compliant with the CIS benchmark. Endor Labs regularly updates its existing policies and also includes several new policies. Configure policy settings to ensure that you benefit from these regular updates.
- Automatically Enable New System Policies - Select to ensure that new policies released by Endor Labs are automatically enabled in your organization. This ensures that the policies are automatically applied to all the projects that you scan, and you can view the generated findings.
- Enable Automatic Policy Updates from Endor Labs - Select to ensure that any updates released by Endor Labs to the existing policies are automatically enabled in your organization.
Note: Do not enable automatic policy updates if you have modified any out-of-the-box policies. For example, if you have updated an out-of-the-box policy to change the finding severity, the automatic update will reset the policy to its original settings.
Manage saved filters
You can look for the saved filters that you created on the findings page and delete them from here.
- Navigate to Settings on the left pane of the Endor Labs application.
- Select SAVED FILTERS.
- Choose a filter, click the vertical ellipsis on the right side and choose Delete.
4 - Manage user invitations
Endor Labs provides attribute-based access control to manage users across tenants. Provision user access to Endor Labs through one of the following methods:
- Send user invitations - Specifically invite a user through email to sign in using their own selected identity provider.
- Configure authorization policies - Define specific identities or attributes for a given identity to provide necessary access to Endor Labs. See Authorization policies for more information.
Invite users to Endor Labs
Invite specific users to access your Endor Labs tenant using their preferred external identity provider. When a user is sent an invitation to your tenant, they receive an invitation to sign in to Endor Labs with the identity provider of their choice. When a user accepts an invitation an authorization policy is created for them using their selected identity provider.
To invite a new user to Endor Labs:
- Go to Manage > Settings on the left navigation menu.
- Ensure you are on the Invitations top navigation tab.
- Click Invite your team.
- Enter the email address of the user that you would like to collaborate with. If you would like to invite multiple users enter their email addresses as a comma separated list.
- Click Invite Users.
An email will be sent to the email address inviting the user to your tenant namespace. The email will provide a link for them to access your tenant namespace, and they can start collaborating on your projects.
Invalidate a user invitation
To delete a user invitation:
- Go to Manage > Settings on the left navigation menu.
- Ensure you are on the Invitations tab.
- Choose an invitation that you would like to delete and click Delete.
5 - Set up namespaces
Namespaces in Endor Labs define a way to group projects and create logical partitions in an organization based on organizational units, business units, project requirements, or teams.
Using namespaces administrators can:
- Define hierarchy and control access to project resources within a namespace.
- Establish policy governance by defining the rules of engagement and setting different or same guardrails across namespaces.
Namespaces in an organization
You can partition every tenant in Endor Labs into multiple namespaces and further partition each namespace into sub-namespaces. Every namespace has its own set of authorization rules and integrations.
When you sign in to Endor Labs for the first time, create a tenant for your organization, such as abccorp.
- Now you can create logical separations in the form of namespaces for different business units in your organization, such as Security Business Unit (security-bu), Datacenter Business Unit (datacenter-bu), and Orchestration Agent Business Unit (orchestration-agent-bu), inside your main tenant abccorp.
- You can further partition the Security Business Unit into sub-namespaces such as the Development Team (dev-team), Finance Team (finance-team), and Testing Team (testing-team).
- There can be several namespaces within abccorp. For example, the dev-team namespace hosts projects that belong to the development team of the Security Business Unit, and the testing-team namespace hosts projects that belong to the testing team of the Security Business Unit.
Use namespaces for authorization
Large enterprises with multiple business units, teams, or groups can assign different namespaces to different groups and apply authorization policies that restrict access to specific groups. This ensures least-privilege access to critical information across the organization.
Organizations can also provision namespaces to provide read access to security teams in specific namespaces while they provide write access to AppSec teams for managing policies.
- Create an authorization policy that gives users in the development team of the Security Business Unit permission to scan their projects. Users from the group @developers.abccorp.ai can have Code Scanner permissions for the namespace dev-team.
- Users from the group @applicationsecurity.abccorp.ai can have Policy Editor permissions for the namespace dev-team. The developers can scan the code, and the application security professionals can define the policies for code compliance.
- The application security professionals can also choose to define the policies at the tenant level abccorp and apply the same policies to all the child namespaces. This way, they won't need to create policies individually for every child namespace. The development team inherits the policies from the organization and won't be able to modify them. They can, however, add policies that are specific to engineering to their namespace dev-team and define specific rules and conditions applicable only to them.
Use namespaces for policy governance
Administrators can use namespaces effectively for policy governance and make sure that teams in their organization adhere to industry-wide policy standards enforcing compliance.
Let us assume that the application security team in abccorp wants to define organization-wide rules for code compliance, vulnerability management, and secret detection. They also need Jira tickets filed for all cases.
The application security engineers can create the following objects at the abccorp tenant level and propagate them to all the namespaces under abccorp so that they apply to the entire organization.
- Define action policy to break the build when critical vulnerabilities are detected.
- Define action policy to warn the user of detected code compliance misconfigurations.
- Define action policy to break the build when valid secret tokens are detected in their code.
- Create Jira tickets and notify the appropriate team to take remediation measures.
Create a namespace
To create a namespace in your tenant:
- Sign in to the Endor Labs application.
- Navigate to Manage > Namespaces from the left sidebar.
- Click New Namespace.
- Enter a title and description for the namespace. The title can have a maximum of 32 characters and must contain only lowercase letters (a-z), numbers (0-9), and the characters _ and -.
- Enter tags that you want to associate with this namespace. Tags can have a maximum of 63 characters and must contain only letters, numbers (0-9), and the characters =@_.-.
Edit a namespace
You can choose to modify the description of a namespace or include tags for it. You can’t modify its title once a namespace is created. To edit details of a namespace in your tenant:
- Sign in to the Endor Labs application.
- Navigate to Manage > Namespaces from the left sidebar.
- Choose the namespace and click Edit.
- Edit the description or include tags for the namespace.
- Click Update Namespace.
Delete namespace
Deleting a namespace permanently deletes all its child namespaces and its projects. To delete a namespace:
- Sign in to the Endor Labs application.
- Navigate to Manage > Namespaces from the left sidebar.
- Choose the namespace and click Delete.
- Select and confirm the deletion.
- Select Delete Namespace.
Data propagation from parent to child namespaces
Data propagation defines how the data is inherited by the child namespace from its parent namespace.
- Finding Policies - When a new namespace is created, all the finding policies in the parent are inherited by the child namespaces. For any new finding policy you create in the parent, you can choose to apply it to the child namespaces by selecting Propagate this policy to all child namespaces.
- Action Policies - When a new namespace is created, all the action policies in the parent are inherited by the child namespaces. For any new action policy you create in the parent, you can choose to apply it to the child namespaces by selecting Propagate this policy to all child namespaces.
- Package Manager Integrations - Package manager integrations of the parent are not inherited by the child namespaces. For any new package manager integration you create in the parent, you can choose to apply it to the child namespaces by selecting Propagate this package manager to all child namespaces.
- Integrations - Integrations in the parent are not inherited by the child namespaces.
- Authorization Policies - Authorization policies of the parent are inherited by all its child namespaces. You can choose to group the authorization policies of the child namespaces in their parent namespace and manage them easily.
- Secret Rules - You can choose to apply custom secret rules created in the parent to its child namespaces by selecting Propagate this rule to all child namespaces.
Tenant and namespace terminologies
A tenant is the top-level entity under which you can create namespaces and child namespaces.
To denote a namespace, always use its fully qualified name. The fully qualified name for a namespace is in the format tenantname.namespacename, and for a child namespace it is tenantname.namespacename.childnamespacename.
- In this example, the tenant is abccorp and its child namespaces are abccorp.security-bu, abccorp.datacenter-bu, and abccorp.orchestration-agent-bu. The child namespaces of abccorp.security-bu are abccorp.security-bu.dev-team, abccorp.security-bu.testing-team, and abccorp.security-bu.finance-team.
- Consider a tenant named acme with a child namespace dev, which in turn has a child namespace app. The fully qualified namespace for app is acme.dev.app.
When you sign in to the application, you sign in to the tenant abccorp. To view data in abccorp with all its namespaces, select Include All Children. The data on all pages in the Endor Labs application then includes information from all the child namespaces.
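As an added example (not part of the Endor Labs documentation or product), the following Python code applies the naming and fully qualified name rules described above: it validates a namespace title against the 32-character, lowercase a-z, 0-9, _ and - rule, splits a fully qualified name into tenant and path, finds a namespace's parent, builds the parent-to-children tree, and lists what Include All Children would cover. The inventory of namespaces is constructed from the abccorp example; the abccorp.security-bu-legacy entry is added only to show that a child test must match on the dot separator, not on a bare string prefix. Because the dot separates levels, a title such as finance.team is rejected rather than silently becoming two namespaces.

```python
import re
from typing import Dict, List, Optional, Tuple

MAX_TITLE_LEN = 32
TITLE_RE = re.compile(r"^[a-z0-9_-]+$")

# Constructed inventory following the docs' abccorp example. "abccorp.security-bu-legacy"
# is added here (not from the docs) to show why a prefix test must include the dot.
DEMO_NAMESPACES = [
    "abccorp",
    "abccorp.security-bu",
    "abccorp.security-bu.dev-team",
    "abccorp.security-bu.finance-team",
    "abccorp.security-bu.testing-team",
    "abccorp.security-bu-legacy",
    "abccorp.datacenter-bu",
    "abccorp.orchestration-agent-bu",
]


def valid_title(title: str) -> bool:
    """One namespace title: non-empty, at most 32 characters, only a-z, 0-9, _ and -."""
    return 0 < len(title) <= MAX_TITLE_LEN and TITLE_RE.match(title) is not None


def parse_fqn(fqn: str) -> Tuple[str, List[str]]:
    """Split tenant.ns.child into (tenant, [ns, child]); every segment must be a valid title."""
    segments = fqn.split(".")
    for segment in segments:
        if not valid_title(segment):
            raise ValueError(f"invalid namespace title {segment!r} in {fqn!r}")
    return segments[0], segments[1:]


def parent_of(fqn: str) -> Optional[str]:
    """Fully qualified parent, or None for the tenant itself."""
    tenant, path = parse_fqn(fqn)
    if not path:
        return None
    return ".".join([tenant, *path[:-1]])


def include_all_children(fqn: str, inventory: List[str]) -> List[str]:
    """What 'Include All Children' covers: the namespace itself plus every descendant.

    The comparison uses fqn + "." so that a sibling whose name merely starts with
    the same string (security-bu-legacy next to security-bu) is not pulled in.
    """
    parse_fqn(fqn)  # reject malformed input before using it as a prefix
    prefix = fqn + "."
    return sorted(ns for ns in inventory if ns == fqn or ns.startswith(prefix))


def build_tree(inventory: List[str]) -> Dict[str, List[str]]:
    """Map every namespace to its sorted direct children."""
    tree: Dict[str, List[str]] = {ns: [] for ns in inventory}
    for ns in inventory:
        parent = parent_of(ns)
        if parent is not None:
            tree.setdefault(parent, []).append(ns)
    for children in tree.values():
        children.sort()
    return tree


if __name__ == "__main__":
    for ns in include_all_children("abccorp.security-bu", DEMO_NAMESPACES):
        print(ns)
```

The prefix check in include_all_children is the part worth copying into any script that scopes policies or reports by namespace: matching on the bare string "abccorp.security-bu" would also select "abccorp.security-bu-legacy", which is a different business unit with its own authorization rules.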
6 - Set up SSO with Endor Labs
Single Sign-On (SSO) provides a seamless sign-in by enabling users to access external applications and services without re-entering their credentials. Endor Labs supports SAML- or OIDC-based identity providers.
SAML is an XML-based protocol used for exchanging authentication and authorization data between applications.
OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 framework that allows applications to verify the identity and claims of users.
Using Endor Labs, you can integrate using an Identity Provider (IdP) that supports SAML or OIDC, such as Okta, Microsoft Active Directory Federation Services (AD FS), Azure Active Directory (AD), Google, or OneLogin.
To integrate an SSO-based identity provider with Endor Labs:
- Keep Service Provider (Endor Labs) details handy
- Retrieve Setup information from your IdP
- Configure SAML in Endor Labs
- Configure OIDC in Endor Labs
- Configure your Authorization Policy
- Verify Sign-in
Keep Service Provider (Endor Labs) details handy
To configure Endor Labs as a SAML 2.0 app, you must have the following service provider details:
- Single sign-on URL: This is the API endpoint of the application, where your identity provider redirects the user after successful authentication. You have to enter https://api.endorlabs.com/v1/auth/saml-callback?tenant=yourtenant and replace yourtenant with your actual tenant name.
- Audience URI: This is a globally unique name for the service provider. You have to enter https://api.endorlabs.com/v1/auth/sso
To configure Endor Labs as an OIDC app, you must have the following service provider details:
- Sign-in redirect URIs: This is the API endpoint of the application, where your identity provider redirects the user after successful authentication. You have to enter:
https://api.endorlabs.com/v1/auth/oidc/callback
- Sign-out redirect URIs: This is the API endpoint of the application, where your identity provider redirects the user after successful logout. You have to enter:
https://api.endorlabs.com/v1/auth/oidc/logout
Retrieve Setup information from your IdP
The following information is needed for SAML and OIDC configuration setup in Endor Labs.
Setup information for SAML Authentication
To set up SAML SSO with Endor Labs you will need the following information from your IdP:
- Sign-On URL: The SAML SSO remote sign-in URL of IdP.
- Issuer: The unique ID of IdP for Endor Labs.
- Signing Certificate: The public key certificate of your IdP.
Setup Information for OIDC Authentication
To set up OIDC SSO with Endor Labs you will need the following information from your IdP:
- Identity Provider Discovery URL: The OIDC discovery URL of your identity provider.
- Client Key: The unique key of IdP for Endor Labs.
- Client Secret: The secret key of your IdP for Endor Labs.
- Required Claims and Scopes: The required claims and scopes if non-standard for your OIDC connection.
Configure SAML in Endor Labs
Provide the Identity Provider SSO details in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.
- Sign in to Endor Labs.
- From the sidebar, navigate to Settings and click CUSTOM IDENTITY PROVIDER.
- Select the TYPE OF IDENTITY PROVIDER as SAML.
- Enter a name for your IDENTITY PROVIDER NAME.
- From METADATA DEFINITION, select Metadata URL and enter the SAML identity provider metadata URL or discovery URL from your IdP.
- If you want to enter the identity provider details manually, choose METADATA DEFINITION as Manual and enter the following details that you saved from your IdP.
- DISCOVERY URL: Enter the Sign-On URL from your IdP.
- ISSUER: Enter the Issuer from your IdP.
- ATTRIBUTES: Enter your attributes such as email and groups. Type the values and press Enter.
- CERTIFICATE: Enter the Signing Certificate from your IdP.
- Click Save Configuration.
Configure OIDC in Endor Labs
Provide the following Identity Provider SSO details to configure OIDC SSO in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.
- Sign in to Endor Labs.
- From the sidebar, navigate to Settings and click CUSTOM IDENTITY PROVIDER.
- Select the TYPE OF IDENTITY PROVIDER as OIDC.
- Enter the IDENTITY PROVIDER NAME for your selected identity provider.
- Under DISCOVERY URL, enter your discovery URL. This is usually your IdP domain (for example, your Okta domain) followed by /.well-known/openid-configuration, such as https://endorlabs.okta.com/.well-known/openid-configuration.
- Enter your Client ID and Client Secret from your IdP.
- Under Advanced Configuration enter the following scopes in the scopes section: email, groups, profile. Make sure to hit enter after each to add each attribute.
- If you are configuring group-based authentication ensure to add groups in the Claim Names section.
- Click Save Configuration.
Note: Based on your IdP configuration you may need additional claim names or scopes. Consult your IdP administrator for additional guidance.
Configure your Authorization Policy
Once you've configured your custom identity provider in Endor Labs, you must set up an authorization policy for your users and groups.
To configure an authorization policy:
- Sign in to Endor Labs.
- From the sidebar, navigate to Settings and click Auth Policy.
- Click the Add Auth Policy button.
- Enter the name you selected for your custom identity provider as your identity provider.
- Select the permissions you’d like to assign your user or group.
- Under claims update your Key. Use email to assign individual users via email or groups to assign a user by group.
- Assign the value to the key as the email of the user or group you would like to authorize. This value is case-sensitive.
- Repeat as needed for any additional users or groups.
Verify Sign-in
Use the user account to sign in to Endor Labs from your IdP and validate the SSO integration.
- Sign in to IdP as a user.
- Navigate to https://app.endorlabs.com
- Click Login with Enterprise SSO
- Enter the namespace you’d like to sign in to within Endor Labs.
For Okta-specific instructions, see SSO using Okta.
6.1 - Set up Okta for SSO using SAML
Endor Labs integrates with Okta to use SSO through the Security Assertion Markup Language (SAML) protocol.
With the Endor Labs-Okta SAML integration, Endor Labs acts as the Service Provider (SP), and Okta acts as the Identity Provider (IdP). When users sign in to Endor Labs using the SAML authentication method, the IdP (Okta) sends a SAML assertion to the browser that is passed to the SP (Endor Labs). This enables Okta to establish a secure connection with the browser and then authenticate the users to sign in to Endor Labs.
The following high level steps allow you to successfully configure Okta for SSO through SAML:
- Create and configure a SAML application in Okta
- Assign the appropriate users and groups to the application
- Get Identity Provider details from Okta
- Configure Okta SSO in Endor Labs
- Configure your Authorization Policy
Create and configure a SAML application in Okta
In Okta, configure the Endor Labs application as a SAML 2.0 application and generate a single sign-on URL and certificate.
Tip: You must be an Okta administrator to configure the application end-to-end in Okta.
- Sign in to the Okta admin account.
- Go to Applications > Applications.
- To create an app integration, click Create App Integration.
- Select SAML 2.0 and click Next.
- Enter the following details in General Settings and click Next.
- App Name: Enter Endor Labs.
- App Logo (optional): Upload the Endor Labs logo in PNG, JPG, or GIF format. The logo size must be less than 1 MB.
- App Visibility (optional): Select this option to hide the Endor Labs icon from users in the Okta dashboard.
- Enter the following in SAML Settings.
- Single sign-on URL: Enter https://api.endorlabs.com/v1/auth/saml-callback?tenant=yourtenant and replace yourtenant at the end with your actual tenant name.
- Audience URI: Enter https://api.endorlabs.com/v1/auth/sso
- Relay State: Leave this field empty.
- Name ID format: Select Unspecified.
- Application username: Select Email.
- Update application username on: Ensure Create/Update is selected.
- Click Show Advanced Settings and ensure the following default details are set:
- Response: Select Signed.
- Assertion Signature: Select Signed.
- Signature Algorithm: Select RSA-SHA256.
- Digest Algorithm: Select SHA256.
- Assertion Encryption: Select Unencrypted.
- Configure your attribute statements: Attribute statements are specific properties associated with individual users and are used for user provisioning, access control, or user profile management. To authorize individual users in Endor Labs, use Attribute Statements. To authorize users through Okta groups, such as groups integrated with Active Directory accounts, use Group Attribute Statements.
- Enter the following details in Attribute Statements for individual authorization:
- Name: Enter email.
- Name format: Select Basic.
- Values: Select user.email.
- Enter the following details in Group Attribute Statements for group authorization:
- Name: Enter groups.
- Name format: Select Basic.
- Filter: As a best practice, filter the groups being sent by choosing one of the following options.
- Select Matches regex and enter a regular expression to specify groups.
- Select Starts With to filter groups based on a prefix, sending only groups that begin with the specified string.
- Click Next.
- Select I'm an Okta customer adding an internal app, and click Finish.
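The assertion flow described in this section, as an added example that is neither Endor Labs' nor Okta's code: Python that parses a constructed, unsigned SAML response carrying the email and groups attribute statements configured above, extracts those attributes as claims for the authorization policy, and checks the values that bind the assertion to this service provider: the Audience (the Audience URI above), the Recipient (the single sign-on URL, with abccorp as the assumed tenant name) and the validity window. A filter_groups helper mirrors the Starts With and Matches regex group filters; treating Matches regex as a full match is an assumption. Signature verification of the response, which a real service provider performs before trusting any of these values, is not part of the snippet.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Service-provider values from the docs, with "abccorp" filled in as the assumed tenant name.
SP_AUDIENCE = "https://api.endorlabs.com/v1/auth/sso"
SP_SSO_URL = "https://api.endorlabs.com/v1/auth/saml-callback?tenant=abccorp"
NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)  # fixed clock for a deterministic check

# Constructed, unsigned sample of what the IdP would post back; the issuer id is a placeholder.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://api.endorlabs.com/v1/auth/saml-callback?tenant=abccorp">
  <saml2:Assertion>
    <saml2:Issuer>http://www.okta.com/CONSTRUCTED-ISSUER-ID</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dev1@abccorp.ai</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="https://api.endorlabs.com/v1/auth/saml-callback?tenant=abccorp"
            NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://api.endorlabs.com/v1/auth/sso</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue>dev1@abccorp.ai</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue>@developers.abccorp.ai</saml2:AttributeValue>
        <saml2:AttributeValue>@everyone.abccorp.ai</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(response_xml: str) -> Dict[str, List[str]]:
    """Attribute name -> list of values, exactly as the authorization policy will see them."""
    assertion = ET.fromstring(response_xml).find("saml2:Assertion", NS)
    claims: Dict[str, List[str]] = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
    return claims


def check_assertion(response_xml: str, expected_audience: str, expected_recipient: str, now: datetime) -> List[str]:
    """Return the list of binding problems (empty when the assertion is for this SP and in its window)."""
    assertion = ET.fromstring(response_xml).find("saml2:Assertion", NS)
    problems = []
    audience = assertion.find("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS).text
    if audience != expected_audience:
        problems.append("audience mismatch")
    confirmation = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if confirmation.get("Recipient") != expected_recipient:
        problems.append("recipient mismatch")
    conditions = assertion.find("saml2:Conditions", NS)
    if now < parse_ts(conditions.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now >= parse_ts(conditions.get("NotOnOrAfter")):
        problems.append("assertion expired")
    return problems


def filter_groups(groups: List[str], mode: str, pattern: str) -> List[str]:
    """Model of the Okta group filter: 'starts_with' is a prefix test, 'regex' a full match (assumption)."""
    if mode == "starts_with":
        return [g for g in groups if g.startswith(pattern)]
    if mode == "regex":
        return [g for g in groups if re.fullmatch(pattern, g)]
    raise ValueError(f"unknown filter mode {mode!r}")


if __name__ == "__main__":
    print(extract_claims(SAMPLE_RESPONSE))
    print(check_assertion(SAMPLE_RESPONSE, SP_AUDIENCE, SP_SSO_URL, NOW))
```

The groups list is what ends up matched, case-sensitively, against the groups key of an authorization policy, so running filter_groups with the filter you intend to configure in Okta shows exactly which group names Endor Labs will receive. A filter of .* forwards every group the user belongs to, which is why the docs recommend a prefix or a narrower expression.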
Assign the appropriate users and groups to the application
Once you’ve created your Application you need to assign the appropriate users and groups as assignments.
- Select Assignments in your newly created application.
- Click Assign and select Assign to people, or Assign to groups if you are configuring group authorization.
- Search for and select the group you’d like to assign and click Done.
Get Identity Provider details from Okta
Once you've created your Okta app and assigned groups, you must retrieve the Okta identity provider SSO details to configure Okta in Endor Labs.
- Select Sign On.
- From Metadata Details, copy the Metadata URL.
- Save the following details and have them handy if you’d like to manually configure SAML:
- Sign-On URL: The SAML SSO URL of Okta.
- Issuer: The unique ID of Okta for Endor Labs.
- Signing Certificate: The public key certificate of Okta.
Configure Okta SSO in Endor Labs
Provide the Identity Provider SSO details to configure Okta SSO in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.
Tip: You must be an Endor Labs administrator to configure custom identity providers and authorization policies.
- Sign in to Endor Labs.
- From the sidebar, navigate to Settings and click CUSTOM IDENTITY PROVIDER.
- Select the TYPE OF IDENTITY PROVIDER as SAML.
- Enter the IDENTITY PROVIDER NAME as Okta SAML.
- From METADATA DEFINITION, select Metadata URL and enter the Metadata URL that you copied from Okta.
- If you want to enter the identity provider details manually, choose METADATA DEFINITION as Manual and enter the following details that you saved from Okta. See Get Identity Provider details from Okta.
- DISCOVERY URL: Enter the Sign-On URL from Okta.
- ISSUER: Enter the Issuer from Okta.
- ATTRIBUTES: Enter your attributes such as email and groups. Type the values and press Enter.
- CERTIFICATE: Enter the Signing Certificate from Okta.
- Under ATTRIBUTES, enter email and groups. Press Enter after each entry to add each attribute.
- Click Save Configuration.
Configure your Authorization Policy
Once you’ve configured your custom identity provider in Endor Labs you must configure an authorization policy for your users and groups. You must be an Endor Labs administrator to configure custom identity providers and authorization policies. To set up an authorization policy:
- Sign in to Endor Labs.
- From the sidebar, navigate to Settings and click Auth Policy.
- Click the Add Auth Policy button.
- Enter Okta SAML as your identity provider.
- Select the permissions you’d like to assign your user or group.
- Under claims update your Key. Use email to assign individual users via email or groups to assign a user by group.
- Assign the value to the key as the email of the user or group you would like to authorize. This value is case-sensitive.
- Repeat as needed for any additional users or groups.
6.2 - Set up Okta for SSO using OIDC
Endor Labs integrates with Okta to use SSO through the OpenID Connect (OIDC) protocol.
The following high level steps allow you to successfully configure Okta for SSO through OIDC:
- Create and configure an OIDC application in Okta
- Assign the appropriate users and groups to the application
- Get Identity Provider details from Okta
- Configure Okta OIDC SSO in Endor Labs
- Configure your Authorization Policy
Create and configure an OIDC application in Okta
In Okta, configure the Endor Labs application as an OIDC application and generate a single sign-on URL and certificate.
Tip
You must be an Okta administrator to configure the application end-to-end in Okta.
- Sign in to the Okta admin account.
- Go to Applications > Applications.
- To create an app integration, click Create App Integration.
- Select OIDC - OpenID Connect.
- Under Application type select Web Application and click Next.
- Enter the following details in General Settings and click Next.
- App integration name: Enter Endor Labs.
- App Logo (optional): Upload the Endor Labs logo in PNG, JPG, or GIF format. The logo size must be less than 1 MB.
- Sign-in redirect URIs: Enter https://api.endorlabs.com/v1/auth/oidc/callback
- Sign-out redirect URIs: Enter https://api.endorlabs.com/v1/auth/oidc/logout
- Under Assignments: Select whether you’d like to assign all users or only a specified group, then click Save.
- Once you’ve set up your application, some additional configuration is required. Navigate to Okta API Scopes in the application.
- Grant access to okta.groups.read to allow group assignments and to okta.users.read, and select Grant.
- Navigate to Sign On.
- Under OpenID Connect ID Token select Edit.
- Select Groups claim type as Filter and ensure groups is selected with the Matches Regex filter of .* or a regex matching your group or groups name.
- Click Save Configuration.
Assign the appropriate users and groups to the application
Once you’ve created your Application you need to assign the appropriate users and groups as assignments.
- Select Assignments in your newly created application.
- Click Assign and select Assign to people, or Assign to groups if you are configuring group authorization.
- Search for and select the group you’d like to assign and click Done.
Get Identity Provider details from Okta
Once you’ve created your Okta app and assigned groups, you must retrieve the Okta identity provider SSO details to configure Okta in Endor Labs.
- Select Sign On.
- From Metadata Details, copy the Metadata URL.
- Save the following details and have them handy if you’d like to manually configure SAML:
- Sign-On URL: The SAML SSO URL of Okta.
- Issuer: The unique ID of Okta for Endor Labs.
- Signing Certificate: The public key certificate of Okta.
Configure Okta OIDC SSO in Endor Labs
Provide the Identity Provider SSO details to configure Okta SSO in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.
Tip
You must be an Endor Labs administrator to configure custom identity providers and authorization policies.
- Sign in to Endor Labs.
- From the sidebar, navigate to Access Control under Manage and click CUSTOM IDENTITY PROVIDER.
- Select the TYPE OF IDENTITY PROVIDER as OIDC.
- Enter the IDENTITY PROVIDER NAME as Okta OIDC.
- Under DISCOVERY URL enter your discovery URL. This is usually your Okta domain followed by /.well-known/openid-configuration. For example, https://endorlabs.okta.com/.well-known/openid-configuration.
- Enter your Client ID and Client Secret from Okta.
- Under Advanced Configuration, enter the following scopes in the scopes section: email, groups, profile. Press enter after every entry to add each scope.
- If you are configuring group-based authentication, make sure to add groups in the Claim Names section.
- Click Save Configuration.
Note: Based on your Okta configuration you may need additional claim names or scopes. Consult your Okta administrator for additional guidance.
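Before saving the configuration above, it is worth checking that the discovery URL actually advertises the scopes and claims the policy will rely on, and that the claim values you put in the auth policy match the token exactly. The following added example (not Endor Labs or Okta code) runs two such checks offline against a constructed discovery document and constructed ID-token claims; the domain example.okta.com and the sample claim values are assumptions.

```python
import json

# Constructed sample discovery document, modelled on the fields every OIDC
# provider publishes at <issuer>/.well-known/openid-configuration.
DISCOVERY_URL = "https://example.okta.com/.well-known/openid-configuration"
DISCOVERY_DOC = json.loads("""{
  "issuer": "https://example.okta.com",
  "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://example.okta.com/oauth2/v1/token",
  "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
  "scopes_supported": ["openid", "email", "profile", "groups"],
  "claims_supported": ["sub", "email", "groups"]
}""")

REQUIRED_SCOPES = {"email", "groups", "profile"}   # scopes the steps above ask for
REQUIRED_CLAIMS = {"email", "groups"}              # keys used by the auth policy


def check_discovery(url, doc, scopes=REQUIRED_SCOPES, claims=REQUIRED_CLAIMS):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    suffix = "/.well-known/openid-configuration"
    if not url.endswith(suffix):
        problems.append("discovery URL must end with " + suffix)
    # OIDC Discovery requires the issuer to equal the discovery URL minus the suffix;
    # a mismatch usually means the wrong domain or authorization server was entered.
    elif doc.get("issuer") != url[: -len(suffix)]:
        problems.append("issuer %r does not match discovery URL" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append("missing " + key)
    missing = scopes - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    missing = claims - set(doc.get("claims_supported", []))
    if missing:
        problems.append("claims not advertised: " + ", ".join(sorted(missing)))
    return problems


def policy_matches(policy, id_token_claims):
    """Evaluate one auth-policy rule of the shape described above: key is
    'email' or 'groups', value is compared case-sensitively. 'groups' is a
    list claim, so the rule matches if any member equals the value."""
    key, value = policy["key"], policy["value"]
    claim = id_token_claims.get(key)
    if isinstance(claim, list):
        return value in claim
    return claim == value
```

A discovery document that omits groups from scopes_supported, or an auth-policy value that differs from the token claim only in letter case, both fail these checks, which is the kind of silent misconfiguration that shows up as users being denied access after SSO succeeds.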
Configure your Authorization Policy
Once you’ve configured your custom identity provider in Endor Labs you must configure an authorization policy for your users and groups.
To set up an authorization policy:
- Sign in to Endor Labs.
- From the sidebar, navigate to Access Control under Manage and click Auth Policy.
- Click the Add Auth Policy button.
- Enter Okta OIDC as your identity provider.
- Select the permissions you’d like to assign your user or group.
- Under claims update your Key. Use email to assign individual users via email or groups to assign a user by group.
- Assign the value to the key as the email of the user or group you would like to authorize. This value is case-sensitive.
- Repeat as needed for any additional users or groups.