This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Set up SSO with Endor Labs

Set up SAML or OIDC single sign on for Endor Labs with in your organization.

Single Sign-On (SSO) provides a seamless sign-in by enabling users to access external applications and services without re-entering the credentials. Endor Labs supports SAML or OIDC-based identity providers.

SAML is an XML-based protocol used for exchanging authentication and authorization data between applications.

OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 framework that allows applications to verify the identity and claims of users.

Using Endor Labs, you can integrate using an Identity Provider (IdP) that supports SAML or OIDC, such as Okta, Microsoft Active Directory Federation Services (AD FS), Azure Active Directory (AD), Google, or OneLogin.

To integrate an SSO-based identity provider with Endor Labs:

Keep Service Provider (Endor Labs) details handy

To configure Endor Labs as a SAML 2.0 app, you must have the following service provider details:

  • Single sign-on URL: This is the API endpoint of the application, where your identity provider redirects the user after successful authentication. You have to enter https://api.endorlabs.com/v1/auth/saml-callback?tenant=yourtenant Replace yourtenant with your actual tenant name.
  • Audience URI: This is a globally unique name for the service provider. You have to enter https://api.endorlabs.com/v1/auth/sso

To configure Endor Labs as an OIDC app, you must have the following service provider details:

  • Sign-in redirect URIs: This is the API endpoint of the application, where your identity provider redirects the user after successful authentication. You have to enter: https://api.endorlabs.com/v1/auth/oidc/callback
  • Sign-out redirect URIs: This is the API endpoint of the application, where your identity provider redirects the user after successful logout. You have to enter: https://api.endorlabs.com/v1/auth/oidc/logout

Retrieve Setup information from your IdP

The following information is needed for SAML and OIDC configuration setup in Endor Labs.

Setup information for SAML Authentication

To set up SAML SSO with Endor Labs you will need the following information from your IdP:

  • Sign-On URL: The SAML SSO remote sign-in URL of IdP.
  • Issuer: The unique ID of IdP for Endor Labs.
  • Signing Certificate: The public key certificate of your IdP.

Setup Information for OIDC Authentication

To set up OIDC SSO with Endor Labs you will need the following information from your IdP:

  • Identity Provider Discovery URL: The OIDC discovery URL of your identity provider.
  • Client Key: The unique key of IdP for Endor Labs.
  • Client Secret: The secret key of your IdP for Endor Labs.
  • Required Claims and Scopes: The required claims and scopes if non-standard for your OIDC connection.

Configure SAML in Endor Labs

Provide the Identity Provider SSO details in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.

  1. Sign in to Endor Labs.

  2. From the sidebar, navigate to Settings and click CUSTOM IDENTITY PROVIDER.

  3. Select the TYPE OF IDENTITY PROVIDER as SAML.

  4. Enter a name for your IDENTITY PROVIDER NAME.

  5. From METADATA DEFINITION, select Metadata URL and enter the SAML Identity provider metadata URL or Discovery URL from your IdP.

  6. If you want to enter the identity provider details manually, choose METADATA DEFINITION as Manual and enter the following details that you saved from IdP.

    • DISCOVERY URL: Enter Sign-On URL from IdP.
    • ISSUER: Enter Issuer from IdP.
    • ATTRIBUTES: Enter your attributes such as email and groups. Type the values and press enter.
    • CERTIFICATE: Enter the Signing Certificate from IdP.
  7. Click Save Configuration.

Configure OIDC in Endor Labs

Provide the following Identity Provider SSO details to configure OIDC SSO in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.

  1. Sign in to Endor Labs.
  2. From the sidebar, navigate to Settings and click CUSTOM IDENTITY PROVIDER.
  3. Select the TYPE OF IDENTITY PROVIDER as OIDC.
  4. Enter the IDENTITY PROVIDER NAME for your selected identity provider.
  5. Under DISCOVERY URL enter your discovery URL. This is usually your Okta domain followed by /.well-known/
  6. openid-configuration. For example, https://endorlabs.okta.com/.well-known/openid-configuration.
  7. Enter your Client ID and Client Secret from your IdP.
  8. Under Advanced Configuration enter the following scopes in the scopes section: email, groups, profile. Make sure to hit enter after each to add each attribute.
  9. If you are configuring group-based authentication ensure to add groups in the Claim Names section.
  10. Click Save Configuration.

Note: Based on your IdP configuration you may need additional claim names or scopes. Consult your IdP administrator for additional guidance.

Configure your Authorization Policy

Once you’ve configured your custom identity provider in Endor Labs you must setup an authorization policy for your users and groups.

To configure an authorization policy:

  1. Sign in to Endor Labs.
  2. From the sidebar, navigate to Settings and click Auth Policy.
  3. Click the Add Auth Policy button.
  4. Enter the name you selected for your custom identity provider as your identity provider.
  5. Select the permissions you’d like to assign your user or group.
  6. Under claims update your Key. Use email to assign individual users via email or groups to assign a user by group.
  7. Assign the value to the key as the email of the user or group you would like to authorize. This value is case-sensitive.
  8. Repeat as needed for any additional users or groups.

Verify Sign-in

Use the user account to sign in to Endor Labs from your IdP and validate the SSO integration.

  1. Sign in to IdP as a user.
  2. Navigate to https://app.endorlabs.com
  3. Click Login with Enterprise SSO
  4. Enter the namespace you’d like to sign in to within Endor Labs.

For Okta-specific instructions, see SSO using Okta

1 - Set up Okta for SSO using SAML

Learn how to setup Okta as a custom external identity provider for SSO with Endor Labs

Endor Labs integrates with Okta to use SSO through either Security Assertion Markup Language (SAML) protocol.

With the Endor Labs-Okta SAML integration, Endor Labs acts as the Service Provider (SP), and Okta acts as the Identity Provider (IdP). When users sign in to Endor Labs using the SAML authentication method, the IdP (Okta) sends a SAML assertion to the browser that is passed to the SP (Endor Labs). This enables Okta to establish a secure connection with the browser and then authenticate the users to sign in to Endor Labs.

The following high level steps allow you to successfully configure Okta for SSO through SAML:

Create and configure a SAML application in Okta

In Okta, configure the Endor Labs application as a SAML 2.0 application and generate a single sign-on URL and certificate.

  1. Sign in to the Okta admin account.

  2. Go to Applications > Applications.

  3. To create an app integration, click Create App Integration.

  4. Select SAML 2.0 and click Next.

  5. Enter the following details in General Settings and click Next.

    • App Name: Enter Endor Labs.
    • App Logo (optional): Upload the Endor Labs logo in PNG, JPG, or GIF format. The logo size must be less than 1 MB.
    • App Visibility (optional): Select this option to hide the Endor Labs icon from users in the Okta dashboard.
  6. Enter the following in SAML Settings.

    • Single sign-on URL: Enter https://api.endorlabs.com/v1/auth/saml-callback?tenant=yourtenant. Replace yourtenant at the end with your actual tenant name.
    • Audience URI: Enter https://api.endorlabs.com/v1/auth/sso
    • Relay State: Leave this field empty
    • Name ID format: Select Unspecified.
    • Application username: Select Email.
    • Update application username on: Ensure Create/Update is selected.
  7. Click Show Advanced Settings and ensure the following default details are set:

    • Response: Select Signed.
    • Assertion Signature: Select Signed.
    • Signature Algorithm: Select RSA-SHA256.
    • Digest Algorithm: Select SHA256.
    • Assertion Encryption: Select Unencrypted
  8. Configure your attribute statements: Attribute statements are specific properties associated with individual users and are used for including user provisioning, access control, or user profile management. To configure each individual user in Endor Labs you can use Attribute Statements. To configure users using Okta groups, such as groups integrated with Active Directory accounts use Group Attribute Statements.

    1. Enter the following details in Attribute Statements for individual authorization:
      • Name: Enter email.
      • Name format: Select Basic.
      • Values: Select user.email.
    2. Enter the following details in Group Attribute Statements for group authorization:
      • Name: Enter groups.
      • Name format: Select Basic.
      • Filter: As a best pracitce, filter the groups being sent by choosing one of the following options.
        • Select Matches regex and a enter a regular expression to specify groups.
        • Select Starts With to filter groups based on a prefix, sending only groups that begin with the specified string.
  9. Click Next.

  10. Select I’m a Okta customer adding an internal app, and click Finish.

Assign the appropriate users and groups to the application

Once you’ve created your Application you need to assign the appropriate users and groups as assignments.

  1. Select Assignments in your newly created application.
  2. Click Assign and select Assign to people or Assign to groups** if you are configuring group authorization.
  3. Search for and select the group you’d like to assign and click Done.

Get Identity Provider details from Okta

Once you’ve created your Okta app and assigned groups you must retrieve your Okta the Okta identity provider SSO details to configure Okta in Endor Labs.

  1. Select Sign On.
  2. From Metadata Details, copy the Metadata URL.
  3. Save the following details and have them handy if you’d like to manually configure SAML:
    • Sign-On URL: The SAML SSO URL of Okta.
    • Issuer: The unique ID of Okta for Endor Labs.
    • Signing Certificate: The public key certificate of Okta.

Configure Okta SSO in Endor Labs

Provide the Identity Provider SSO details to configure Okta SSO in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.

  1. Sign in to Endor Labs.
  2. From the sidebar, navigate to Settings and click CUSTOM IDENTITY PROVIDER.
  3. Select the TYPE OF IDENTITY PROVIDER as SAML.
  4. Enter the IDENTITY PROVIDER NAME as Okta SAML.
  5. From METADATA DEFINITION, select Metadata URL and enter the Metadata URL that you downloaded from Okta.
  6. If you want to manually enter the identity provider details, choose METADATA DEFINITION as Manual and enter the following details, you saved from Okta. See Get Identity Provider details from Okta
    • DISCOVERY URL: Enter Sign-On URL from Okta.
    • ISSUER: Enter Issuer from Okta.
    • ATTRIBUTES: Enter your attributes such as email, groups, or more. Type the values and press enter.
    • CERTIFICATE: Enter the Signing Certificate from Okta.
  7. Under Attributes enter email and groups, Press enter after each entry to add each attribute.
  8. Click Save Configuration.

Configure your Authorization Policy

Once you’ve configured your custom identity provider in Endor Labs you must configure an authorization policy for your users and groups. You must be an Endor Labs administrator to configure custom identity providers and authorization policies. To set up an authorization policy:

  1. Sign in to Endor Labs.
  2. From the sidebar, navigate to Settings and click Auth Policy.
  3. Click the Add Auth Policy button.
  4. Enter Okta SAML as your identity provider.
  5. Select the permissions you’d like to assign your user or group.
  6. Under claims update your Key. Use email to assign individual users via email or groups to assign a user by group.
  7. Assign the value to the key as the email of the user or group you would like to authorize. This value is case-sensitive.
  8. Repeat as needed for any additional users or groups.

2 - Set up Okta for SSO using OIDC

Learn how to setup Okta as a custom external identity provider for SSO with Endor Labs

Endor Labs integrates with Okta to use SSO through OpenID Connect (OIDC) protocol.

The following high level steps allow you to successfully configure Okta for SSO through OIDC:

Create and configure an OIDC application in Okta

In Okta, configure the Endor Labs application as an OIDC application and generate a single sign-on URL and certificate.

  1. Sign in to the Okta admin account.

  2. Go to Applications > Applications.

  3. To create an app integration, click Create App Integration.

  4. Select OIDC - OpenID Connect

  5. Under Application type select Web Application and click Next.

  6. Enter the following details in General Settings and click Next.

    • App integration name: Enter Endor Labs.
    • App Logo (optional): Upload the Endor Labs logo in PNG, JPG, or GIF format. The logo size must be less than 1 MB.
    • Sign-in redirect URIs: Enter https://api.endorlabs.com/v1/auth/oidc/callback
    • Sign-out redirect URIs: Enter https://api.endorlabs.com/v1/auth/oidc/logout
    • Under Assignments: Select if you’d like to assign all users or only a specified group then click Save
  7. Once you’ve setup your application some additional configuration is required. Navigate to Okta API Scopes in the application.

  8. Grant access to okta.groups.read to allow group assignments and okta.users.read and select Grant.

  9. Navigate to Sign On

  10. Under OpenID Connect ID Token select Edit

  11. Select Groups claim type as Filter and ensure groups is selected with the Matches Regex filter of .* or a regex matching your group or groups name.

  12. Click Save Configuration.

Assign the appropriate users and groups to the application

Once you’ve created your Application you need to assign the appropriate users and groups as assignments.

  1. Select Assignments in your newly created application.
  2. Click Assign and select Assign to people or Assign to groups** if you are configuring group authorization.
  3. Search for and select the group you’d like to assign and click done.

Get Identity Provider details from Okta

Once you’ve created your Okta app and assigned groups you must retrieve your Okta the Okta identity provider SSO details to configure Okta in Endor Labs.

  1. Select Sign On.
  2. From Metadata Details, copy the Metadata URL.
  3. Save the following details and have them handy if you’d like to manually configure SAML:
    • Sign-On URL: The SAML SSO URL of Okta.
    • Issuer: The unique ID of Okta for Endor Labs.
    • Signing Certificate: The public key certificate of Okta.

Configure Okta OIDC SSO in Endor Labs

Provide the Identity Provider SSO details to configure Okta SSO in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.

  1. Sign in to Endor Labs.
  2. From the sidebar, navigate to Access Control under Manage and click CUSTOM IDENTITY PROVIDER.
  3. Select the TYPE OF IDENTITY PROVIDER as OIDC.
  4. Enter the IDENTITY PROVIDER NAME as Okta OIDC.
  5. Under DISCOVERY URL enter your discovery URL. This is usually your Okta domain followed by /.well-known/openid-configuration. For example, https://endorlabs.okta.com/.well-known/openid-configuration.
  6. Enter your Client ID and Client Secret from Okta.
  7. Under Advanced Configuration enter the following scopes in the scopes section: email, groups, profile. Press enter after every entry to add each attribute successfully.
  8. If you are configuring group-based authentication ensure to add groups in the Claim Names section.
  9. Click Save Configuration.

Note: Based on your Okta configuration you may need additional claim names or scopes. Consult your Okta administrator for additional guidance.

Configure your Authorization Policy

Once you’ve configured your custom identity provider in Endor Labs you must configure an authorization policy for your users and groups.

To set up an authorization policy:

  1. Sign in to Endor Labs.
  2. From the sidebar, navigate to Access Control under Manage and click Auth Policy.
  3. Click the Add Auth Policy button.
  4. Enter Okta OIDC as your identity provider.
  5. Select the permissions you’d like to assign your user or group.
  6. Under claims update your Key. Use email to assign individual users via email or groups to assign a user by group.
  7. Assign the value to the key as the email of the user or group you would like to authorize. This value is case-sensitive.
  8. Repeat as needed for any additional users or groups.