The purpose of this article is to demonstrate how to set up Single Sign On via SAML with Okta for use with OverOps, and how to control which roles users are assigned based on their group membership in Okta.
Please reference the following documents for information regarding SAML:
- From the Applications section, click on Add Application.
- Click on Create New App.
- Ensure the following are selected:
- Platform: Web
- Sign on method: SAML 2.0
Then click on Create.
- Enter the SAML Settings that will be used for your environment:
- For SaaS environment: https://app.overops.com/saml/
- For On premise environment: http(s)://<BACKEND_ADDRESS>:8080/saml/global
Enter the other settings as noted in the screenshot. Be sure to enter the role attribute, as it will be used later to assign specific users to certain environments within OverOps.
For this example, we will use http://mytest.local:8080/saml/global for demonstration purposes.
- Select the following options:
- Are you a customer or partner?: I’m an Okta customer adding an internal app
- App type: This is an internal app that we have created
- Once your new OverOps application is loaded, click on the Sign On tab, then click on View Setup Instructions.
- Scroll down to the bottom of the page to see your new metadata under the Optional section to be used for your environment. Highlight and copy the data inside this box.
NOTE: Ensure that there are no line breaks or paragraph breaks in the copied metadata BEFORE using it. Instructions on how to use this for on-prem solutions can be viewed here: SAML Configuration for On-Premises
- Assign users to the OverOps application to test with. Click on Assign->Assign People->next to user click Assign->click Save and Go Back->Done
- Open a new browser page and type the backend address in the address field (i.e. http://mytest.local:8080). Test your login credentials for the user you have created to test with.
- Create different groups for each environment to be used within your OverOps deployment. These groups will correspond to the different roles available in OverOps (Admin, Member, Viewer).
For this example, we will use TestKey01 and AnotherTestKey02 as names for the OverOps environments. We will create separate groups within Okta for Admin, Member, and Viewer in each environment. We also assigned a test user Member access to TestKey01 and Viewer access to AnotherTestKey02.
- Go to the Applications section, select Groups and assign the OverOps application to each group to be used to access the OverOps environment.
NOTE: If the following screen comes up, leave blank, then click Save and Go Back.
Hover over the Directory section, then click on Profile Editor.
Click Profile next to your OverOps application.
- Click on Add Attribute.
- Enter the role attribute with fields as shown in screenshot below, then click Save.
- Go back to the Profile Editor section. Click on Mappings next to the OverOps application.
On the top of the page, click Okta User to <your application name> (i.e. OverOpsTest in this example).
Map the groups users will need access to next to the new role attribute using the following syntax:
String.join(", ", isMemberOfGroupName("<S2AdminGroupName>") ? "<NameofEnvironment1> Admin" : null, isMemberOfGroupName("<S2MemberGroupName>") ? "<NameofEnvironment1> Member" : null, isMemberOfGroupName("<S2ViewerGroupName>") ? "<NameofEnvironment1> Viewer" : null, isMemberOfGroupName("<S3AdminGroupName>") ? "<NameofEnvironment2> Admin" : null, isMemberOfGroupName("<S3MemberGroupName>") ? "<NameofEnvironment2> Member" : null, isMemberOfGroupName("<S3ViewerGroupName>") ? "<NameofEnvironment2> Viewer" : null)
For this example, we use the following expression (straight quotes are required; the curly quotes a word processor inserts will break the mapping):
String.join(", ", isMemberOfGroupName("TestKey01_Admin_Group") ? "TestKey01 Admin" : null, isMemberOfGroupName("TestKey01_Member_Group") ? "TestKey01 Member" : null, isMemberOfGroupName("TestKey01_Viewer_Group") ? "TestKey01 Viewer" : null, isMemberOfGroupName("AnotherTestKey02_Admin_Group") ? "AnotherTestKey02 Admin" : null, isMemberOfGroupName("AnotherTestKey02_Member_Group") ? "AnotherTestKey02 Member" : null, isMemberOfGroupName("AnotherTestKey02_Viewer_Group") ? "AnotherTestKey02 Viewer" : null)
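To make the effect of this mapping concrete, the following Python (an added example, not part of the original article or of Okta or OverOps) models what the expression produces for a user in given groups, and shows how the receiving side can parse and strictly validate the resulting role attribute. It assumes Okta's String.join drops the null elements produced by the ternaries, which is how the article's preview result is described.

```python
# Constructed model of the role mapping expression on this page. The six
# ternaries map an Okta group to an "<Environment> <Role>" string; the
# environment and group names are the ones used in the article's example.
GROUP_TO_ROLE = {
    "TestKey01_Admin_Group": "TestKey01 Admin",
    "TestKey01_Member_Group": "TestKey01 Member",
    "TestKey01_Viewer_Group": "TestKey01 Viewer",
    "AnotherTestKey02_Admin_Group": "AnotherTestKey02 Admin",
    "AnotherTestKey02_Member_Group": "AnotherTestKey02 Member",
    "AnotherTestKey02_Viewer_Group": "AnotherTestKey02 Viewer",
}
VALID_ROLES = ("Admin", "Member", "Viewer")
KNOWN_ENVIRONMENTS = ("TestKey01", "AnotherTestKey02")


def role_attribute(user_groups):
    """Model of the Okta expression: a ternary yields its string when the
    user is a member of that group and null otherwise; the non-null values
    are joined with ", ". (Assumption: Okta's String.join skips nulls.)"""
    parts = [role for group, role in GROUP_TO_ROLE.items() if group in user_groups]
    return ", ".join(parts)


def parse_role_attribute(value):
    """Parse the attribute value carried in the SAML assertion into
    {environment: set_of_roles}. Any entry that is not exactly
    '<known environment> <valid role>' is rejected, so a malformed or
    unexpected value fails closed instead of silently granting access."""
    roles = {}
    for entry in filter(None, (p.strip() for p in value.split(","))):
        env, _, role = entry.rpartition(" ")
        if env not in KNOWN_ENVIRONMENTS or role not in VALID_ROLES:
            raise ValueError(f"unexpected role entry: {entry!r}")
        roles.setdefault(env, set()).add(role)
    return roles


if __name__ == "__main__":
    # The article's test user: Member of TestKey01, Viewer of AnotherTestKey02.
    groups = {"TestKey01_Member_Group", "AnotherTestKey02_Viewer_Group"}
    attr = role_attribute(groups)
    print(attr)                        # TestKey01 Member, AnotherTestKey02 Viewer
    print(parse_role_attribute(attr))  # {'TestKey01': {'Member'}, 'AnotherTestKey02': {'Viewer'}}
```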
- Click on the arrow next to the string and select Apply mapping on user create and update.
- Click on the Preview field at the bottom of the page and enter a user account that belongs to at least one of the mapped groups. This will return the role value derived from the groups the user is assigned to.
On the bottom of the page, click Exit Preview, then click on Save Mappings.
From the Applications section, go to the OverOps application, select the Sign On tab, and click on Update Now to update users with their newly assigned groups.
- Sign in to the dashboard as the test user and view each environment to confirm that the appropriate access has been provided.