Endor Labs integrates with Okta to provide SSO through the OpenID Connect (OIDC) protocol.
The following high-level steps allow you to configure Okta for SSO through OIDC:
- Create and configure an OIDC application in Okta
- Assign the appropriate users and groups to the application
- Get Identity Provider details from Okta
- Configure Okta OIDC SSO in Endor Labs
- Configure your Authorization Policy
Create and configure an OIDC application in Okta
In Okta, create Endor Labs as an OIDC web application. Okta issues a Client ID and Client Secret for the application, and these are the credentials you later enter in Endor Labs.
Tip
You must be an Okta administrator to configure the application end-to-end in Okta.
- Sign in to Okta as an administrator.
- Go to Applications > Applications.
- Click Create App Integration.
- Select OIDC - OpenID Connect as the sign-in method.
- Under Application type, select Web Application and click Next.
- Enter the following details in General Settings:
  - App integration name: Enter Endor Labs.
  - App Logo (optional): Upload the Endor Labs logo in PNG, JPG, or GIF format. The logo must be smaller than 1 MB.
  - Sign-in redirect URIs: Enter https://api.endorlabs.com/v1/auth/oidc/callback
  - Sign-out redirect URIs: Enter https://api.endorlabs.com/v1/auth/oidc/logout
  - Under Assignments: Select whether to assign all users or only specified groups, then click Save.
- After the application is created, some additional configuration is required. Open the Okta API Scopes tab of the application.
- Grant the okta.groups.read scope (required for group assignments) and the okta.users.read scope by selecting Grant next to each.
- Open the Sign On tab.
- Under OpenID Connect ID Token, select Edit.
- Set Groups claim type to Filter, set the Groups claim filter to groups with Matches regex, and enter .* or a regex that matches only the groups you intend to authorize. A filter of .* places every group the user belongs to in the ID token; a narrower regex limits what Okta discloses to Endor Labs.
- Click Save.
Assign the appropriate users and groups to the application
Once you have created the application, assign the appropriate users and groups to it.
- Select Assignments in your newly created application.
- Click Assign and select Assign to People, or Assign to Groups if you are configuring group-based authorization.
- Search for and select the user or group you want to assign, then click Done.
Get Identity Provider details from Okta
Once you have created the Okta application and assigned users or groups, retrieve the values that Endor Labs needs to configure Okta as an OIDC identity provider.
- In the application, open the General tab.
- Under Client Credentials, copy the Client ID and the Client secret. Treat the client secret like a password: store it in a secrets manager, and rotate it in Okta if it is ever exposed.
- Note your Okta domain (the hostname you use to sign in to Okta). The discovery URL that you enter in Endor Labs is this domain followed by /.well-known/openid-configuration.
Configure Okta OIDC SSO in Endor Labs
Provide the Identity Provider SSO details to configure Okta SSO in Endor Labs and allow users to seamlessly and securely sign in to Endor Labs.
Tip
You must be an Endor Labs administrator to configure custom identity providers and authorization policies.
- Sign in to Endor Labs.
- From the sidebar, navigate to Access Control under Manage and click CUSTOM IDENTITY PROVIDER.
- Select OIDC as the TYPE OF IDENTITY PROVIDER.
- Enter Okta OIDC as the IDENTITY PROVIDER NAME.
- Under DISCOVERY URL, enter your discovery URL. This is your Okta domain followed by /.well-known/openid-configuration, for example https://endorlabs.okta.com/.well-known/openid-configuration. The OIDC discovery document at this URL publishes the authorization, token, and signing-key endpoints that the relying party uses, so it must be served by your own Okta tenant over HTTPS.
- Enter the Client ID and Client Secret from your Okta application.
- Under Advanced Configuration, add the following scopes in the scopes section: email, groups, profile. Press Enter after each entry so that each scope is added.
- If you are configuring group-based authorization, add groups in the Claim Names section.
- Click Save Configuration.
Note: Depending on your Okta configuration, you may need additional claim names or scopes. Consult your Okta administrator for additional guidance.
Configure your Authorization Policy
Once you have configured your custom identity provider in Endor Labs, you must configure an authorization policy for your users and groups.
To set up an authorization policy:
- Sign in to Endor Labs.
- From the sidebar, navigate to Access Control under Manage and click Auth Policy.
- Click the Add Auth Policy button.
- Select Okta OIDC as your identity provider.
- Select the permissions you want to assign to the user or group.
- Under claims, set the Key. Use email to authorize an individual user by email address, or groups to authorize every member of an Okta group.
- Set the Value to the user's email address or the group name exactly as it appears in the ID token. This value is case-sensitive, so Endor-Admins does not match a group named endor-admins.
- Repeat as needed for any additional users or groups.
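As an added example (not part of the Endor Labs documentation or product code), the Python below decodes the payload of an ID token so you can confirm which email and groups claims Okta actually emitted, and dry-runs the two matching steps configured in this guide: the groups-claim regex filter in Okta and the case-sensitive claim match of the auth policy. The token, group names, email address and policy shape are constructed for illustration; the regex anchoring and the policy-evaluation semantics are assumptions about how those features behave, not documented behaviour.

```python
"""Inspect the claims in an Okta ID token and dry-run the two matching
steps this guide configures: the Okta groups-claim regex filter and the
case-sensitive claim match of an Endor Labs auth policy."""
import base64
import json
import re


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def id_token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This only decodes the payload so you can see which claims the token
    carries; it does NOT verify the signature. Signature verification is
    the relying party's job, using the keys from the discovery document.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def okta_groups_filter(user_groups, pattern):
    """Model the 'groups Matches regex' filter from the Sign On tab.

    Assumption: a group is emitted when the regex matches its name via
    re.search (Okta's exact anchoring is not stated in this guide).
    A pattern of '.*' emits every group the user belongs to.
    """
    rx = re.compile(pattern)
    return [g for g in user_groups if rx.search(g)]


def authorize(claims, policies):
    """Model an Endor Labs auth policy evaluation (assumed semantics).

    Each policy is {"key": claim name, "value": expected value,
    "permission": label}. A policy grants its permission when the claim
    exists and one of its values equals the expected value exactly;
    matching is case-sensitive, as the guide states.
    """
    granted = set()
    for policy in policies:
        present = claims.get(policy["key"])
        if present is None:
            continue
        values = present if isinstance(present, list) else [present]
        if policy["value"] in values:
            granted.add(policy["permission"])
    return granted


def build_sample_id_token(groups):
    """Build a constructed, unsigned sample token for offline testing.

    This is not an Okta-issued token; issuer, subject and email are made up.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": "https://example.okta.com",
        "sub": "00uexample",
        "email": "Alice@example.com",
        "groups": groups,
    }
    segments = [
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "",  # empty signature segment, matching alg "none"
    ]
    return ".".join(segments)


if __name__ == "__main__":
    # Groups the user holds in Okta (constructed).
    okta_groups = ["endor-admins", "endor-readers", "Everyone"]
    # Emit only the groups intended for Endor Labs rather than every group.
    emitted = okta_groups_filter(okta_groups, r"^endor-")
    token = build_sample_id_token(emitted)
    claims = id_token_claims(token)
    print("claims in token:", json.dumps(claims, indent=2))

    policies = [
        {"key": "groups", "value": "endor-admins", "permission": "admin"},
        # Wrong case: never matches, although the user is in endor-admins.
        {"key": "groups", "value": "Endor-Admins", "permission": "policy-editor"},
        # Wrong case on an email policy fails the same way.
        {"key": "email", "value": "alice@example.com", "permission": "read-only"},
    ]
    print("granted:", sorted(authorize(claims, policies)))
```

Run it as a script to see that only the exactly matching policy grants a permission; paste a real ID token into id_token_claims to check that the groups claim is present before you spend time debugging the auth policy. Because the decoder skips signature verification, use it only on tokens you obtained yourself for inspection.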