Okta

Security Requirements and Controls

Follow these instructions for integrating Okta's SAML authentication with LogScale, including step-by-step guidance for creating and configuring an Okta application, setting up SAML attributes, and establishing the necessary connection parameters. The guide covers essential security requirements, configuration steps for both LogScale Cloud and self-hosted installations, and advanced features such as customizing email invite addresses through Okta's mapping mechanisms.

LogScale allows for the integration of many applications. If you want to integrate Okta into LogScale, you can do so by creating an application (i.e., an app) in Okta. To do this, you'll have to use Okta's system, in particular the SAML (Security Assertion Markup Language) section. This is used to authenticate and authorize the app.

Creating an App in Okta

From the main page of the Okta user interface:

  1. Click on Admin. This will bring you to the Admin Dashboard. From there, go to applications by clicking the button labeled Applications in the header.

  2. Next, click on the button labeled, Add Application. Then click on the button labeled, Create New App. You'll see a box similar to the one in Figure 54, “Creating an App in Okta”. Incidentally, you can click on any image on this page to enlarge it. Now, choose Web as the platform to use and select SAML 2.0 for the sign-on method. Then click, Create.

    Screenshot of the Okta 'Create a New Application Integration' dialog box showing the initial setup screen for creating a LogScale application. The image displays the application creation interface where administrators must select 'Web' as the platform and 'SAML 2.0' as the sign-on method before clicking the 'Create' button. This is the first critical step in configuring Okta as an identity provider for LogScale, initiating the process of establishing SAML-based single sign-on between the two systems. The dialog shows the platform options and authentication protocol selection required to properly define LogScale as a service provider within Okta's identity management system.

    Figure 54. Creating an App in Okta


  3. You'll now be asked to give your application a name. Name it LogScale. You can also upload an image for the login button. You can use our logo for this purpose:

    When you're finished, click Next to continue.

  4. You should be on the SAML Settings configuration section. In the General area, you will need to set a few values to tell Okta how to connect to LogScale. The table below lists all of the fields you'll need to set, and the values to give them:

    Screenshot of the Okta SAML Settings configuration interface where administrators configure the connection parameters between Okta and LogScale. The image shows the form fields that must be populated with specific LogScale endpoint values, including 'Single Sign on URL', 'Name ID Format' (set to EmailAddress), and 'Application Username' (set to Email). These precise configuration values establish the trust relationship between Okta as the identity provider and LogScale as the service provider, defining how authentication requests and assertions are exchanged between the two systems.

    Figure 55. Create New App


    Field Value
    Single Sign on URL http(s)://$YOUR_LOGSCALE_URL/api/v1/saml/acs
    Audience URI (SP Entity ID) http(s)://$YOUR_LOGSCALE_URL/api/v1/saml/metadata
    Name ID Format EmailAddress
    Application Username Email

    To understand better where these values are entered, you can see an example in the screenshot shown in Figure 55, “Create New App”.

  5. Next, you'll have to add a single attribute in the Group Attribute Statements area of the SAML settings configuration. Set its Name to a value of group, with the Name format set to Basic. Set the Filter to Matches regex with the value as .* When you're finished doing all of that, click Next.

    Screenshot of the Okta SAML configuration interface showing the Group Attribute Statements section. The interface displays form fields for configuring how group membership information is transferred to LogScale, with the Name field set to 'group', Name format set to 'Basic', and Filter set to 'Matches regex' with a value of '.*'. This configuration ensures that all user group assignments in Okta are properly passed to LogScale during authentication, enabling correct permission mapping between the systems.

    Figure 56. Group Attribute Statements


  6. For the Feedback step, choose I'm an Okta customer adding an internal app — assuming you are one. Check the box where it says, This is an internal app that we have created. When you've done this, click the button labeled, Finish.

  7. On the next page, you should see a detailed view of the application you just created. On that page, click View Setup Instructions. This will provide you with three key pieces of information you'll need to configure LogScale to work with Okta:

    • the Identity Provider Single Sign-On URL

    • the Identity Provider Issuer

    • the X.509 Certificate

    You can see all of this in Figure 57, “Configuring LogScale”. Leave that page open for reference for when you're configuring LogScale in a moment.

    Screenshot of the SAML configuration setup page showing the essential integration parameters needed to connect LogScale with an identity provider. The interface displays three critical configuration fields: the Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate content area. These fields must be populated with values obtained from the chosen identity provider (such as ADFS) to establish secure SAML authentication. This configuration screen appears during the final step of SAML integration when transferring the identity provider's connection details to LogScale.

    Figure 57. Configuring LogScale


At this point, Okta is configured to work with LogScale. However, there is a little more to do, but mostly on your LogScale system.

Configuring LogScale for Okta

After you've done what needs to be done to prepare Okta for integrating with LogScale, you'll need to configure LogScale. What you'll do will depend on whether you're using LogScale Cloud or are self-hosting LogScale on your own server.

To configure LogScale on your own server, go to the top of this page on Configuring LogScale.

When you've finish preparing LogScale, go to the Sign On tab in Okta. In the Settings section, click on Edit. This will provide you an input box labeled, Default Relay State. Paste the Integration URL for LogScale into that field and save when done.

You'll need to give users in Okta permissions to use the app. Assign the application to any users or groups you want to have access to LogScale. See Okta's instructions on how to do this. Otherwise, if everything went according to the instructions on this page, you're now ready to use Okta with LogScale.

Customizing Email Invite Address

The email address that Okta sends to the user as the login email to use for authentication with LogScale can be modified. This is useful if emails change, domains change, or if there are multiple email domains and want to use a single domain as the identifying email address.

To achieve this, the email address must be transformed as part of the mapping process within your Okta configuration:

  1. Go to the Okta configuration and choose Profile EditorLogScale AppMappingsOkta to LogScale.

  2. Edit the mapping using the Okta expressions mechanisms. In the example below, the domain name is being stripped from the email address (after the @) and then reconstructed to the new email address: 

    String.substringBefore(source.email, "@")+"-"+$appuser"+"@"+String.substringAfter(source.email, "@")

For more information on expressions, see Modify attributes with expressions and Okta Expression Language overview guide Okta documentation pages.