Okta

Follow these instructions for integrating Okta's SAML authentication with LogScale, including step-by-step guidance for creating and configuring an Okta application, setting up SAML attributes, and establishing the necessary connection parameters. The guide covers essential security requirements, configuration steps for both LogScale Cloud and self-hosted installations, and advanced features such as customizing email invite addresses through Okta's mapping mechanisms.

LogScale allows for the integration of many applications. If you want to integrate Okta into LogScale, you can do so by creating an application (i.e., an app) in Okta. To do this, you'll have to use Okta's system, in particular the SAML (Security Assertion Markup Language) section. This is used to authenticate and authorize the app.

Creating an App in Okta

From the main page of the Okta user interface:

  1. Click on Admin. This will bring you to the Admin Dashboard. From there, go to applications by clicking the button labeled Applications in the header.

  2. Next, click the button labeled Add Application, then click the button labeled Create New App. You'll see a box similar to the one in Figure 53, “Creating an App in Okta”. Choose Web as the platform and select SAML 2.0 as the sign-on method. Then click Create.

    Screenshot of the Okta 'Create a New Application Integration' dialog box showing the initial setup screen for creating a LogScale application. The image displays the application creation interface where administrators must select 'Web' as the platform and 'SAML 2.0' as the sign-on method before clicking the 'Create' button. This is the first critical step in configuring Okta as an identity provider for LogScale, initiating the process of establishing SAML-based single sign-on between the two systems. The dialog shows the platform options and authentication protocol selection required to properly define LogScale as a service provider within Okta's identity management system.

    Figure 53. Creating an App in Okta


  3. You'll now be asked to give your application a name. Name it LogScale. You can also upload an image for the login button. You can use our logo for this purpose.

    When you're finished, click Next to continue.

  4. You should be on the SAML Settings configuration section. In the General area, you will need to set a few values to tell Okta how to connect to LogScale. The table below lists all of the fields you'll need to set, and the values to give them:

    Screenshot of the Okta SAML Settings configuration interface where administrators configure the connection parameters between Okta and LogScale. The image shows the form fields that must be populated with specific LogScale endpoint values, including 'Single Sign on URL', 'Name ID Format' (set to EmailAddress), and 'Application Username' (set to Email). These precise configuration values establish the trust relationship between Okta as the identity provider and LogScale as the service provider, defining how authentication requests and assertions are exchanged between the two systems.

    Figure 54. Create New App


    Field                          Value
    Single Sign on URL             http(s)://$YOUR_LOGSCALE_URL/api/v1/saml/acs
    Audience URI (SP Entity ID)    http(s)://$YOUR_LOGSCALE_URL/api/v1/saml/metadata
    Name ID Format                 EmailAddress
    Application Username           Email

    To understand better where these values are entered, you can see an example in the screenshot shown in Figure 54, “Create New App”.

  5. Next, add a single attribute in the Group Attribute Statements area of the SAML settings configuration. Set its Name to group, with the Name format set to Basic. Set the Filter to Matches regex with the value .* so that all of the user's groups are passed to LogScale. When you're finished, click Next.

    Screenshot of the Okta SAML configuration interface showing the Group Attribute Statements section. The interface displays form fields for configuring how group membership information is transferred to LogScale, with the Name field set to 'group', Name format set to 'Basic', and Filter set to 'Matches regex' with a value of '.*'. This configuration ensures that all user group assignments in Okta are properly passed to LogScale during authentication, enabling correct permission mapping between the systems.

    Figure 55. Group Attribute Statements


  6. For the Feedback step, choose I'm an Okta customer adding an internal app (assuming you are one). Check the box labeled This is an internal app that we have created. When you've done this, click the button labeled Finish.

  7. On the next page, you should see a detailed view of the application you just created. On that page, click View Setup Instructions. This will provide you with three key pieces of information you'll need to configure LogScale to work with Okta:

    • the Identity Provider Single Sign-On URL

    • the Identity Provider Issuer

    • the X.509 Certificate

    You can see all of this in Figure 56, “Configuring LogScale”. Leave that page open for reference for when you're configuring LogScale in a moment.

    Screenshot of the SAML configuration setup page showing the essential integration parameters needed to connect LogScale with an identity provider. The interface displays three critical configuration fields: the Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate content area. These fields must be populated with values obtained from the chosen identity provider (such as ADFS) to establish secure SAML authentication. This configuration screen appears during the final step of SAML integration when transferring the identity provider's connection details to LogScale.

    Figure 56. Configuring LogScale


At this point, Okta is configured to work with LogScale. There is a little more to do, mostly on your LogScale system.
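Before moving on, the values typed into Okta in steps 4 and 5 can be checked against what this page specifies. The following is an added example, not LogScale or Okta code: the function names, the dictionary keys, the host logscale.example.com, the group names and the narrower filter logscale-.* are all constructed for illustration, and the filter is assumed to match against the whole group name.

```python
import re
from urllib.parse import urlsplit

# Fixed values from the table in step 4 and the group attribute in step 5.
FIXED = {"name_id_format": "EmailAddress", "application_username": "Email",
         "group_attribute_name": "group", "group_name_format": "Basic"}


def check_okta_app(logscale_url, entered):
    """Return a list of problems with the values typed into the Okta app."""
    problems = []
    if urlsplit(logscale_url).scheme != "https":
        problems.append("LogScale URL should use https")
    root = logscale_url.rstrip("/")
    expected = dict(FIXED,
                    single_sign_on_url=root + "/api/v1/saml/acs",
                    audience_uri=root + "/api/v1/saml/metadata")
    for field, want in expected.items():
        got = entered.get(field, "")
        if got != want:  # exact comparison: a stray slash counts as a mismatch
            problems.append(f"{field}: expected {want!r}, got {got!r}")
    return problems


def groups_released(group_filter, user_groups):
    """Group names a 'Matches regex' filter would put in the assertion.
    Assumption: the pattern has to match the whole group name."""
    pattern = re.compile(group_filter)
    return [g for g in user_groups if pattern.fullmatch(g)]


# Constructed sample input, not taken from a real tenant.
ENTERED = {
    "single_sign_on_url": "https://logscale.example.com/api/v1/saml/acs",
    "audience_uri": "https://logscale.example.com/api/v1/saml/metadata/",
    "name_id_format": "Unspecified",
    "application_username": "Email",
    "group_attribute_name": "group",
    "group_name_format": "Basic",
}
USER_GROUPS = ["Everyone", "logscale-admins", "logscale-readers", "finance-payroll"]

if __name__ == "__main__":
    for problem in check_okta_app("https://logscale.example.com/", ENTERED):
        print(problem)
    print(groups_released(".*", USER_GROUPS))           # every group is sent
    print(groups_released("logscale-.*", USER_GROUPS))  # hypothetical narrower filter
```

With the .* filter from step 5, every Okta group name the user belongs to is included in the assertion sent to LogScale.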

Configuring LogScale for Okta

After you have prepared Okta for integrating with LogScale, you'll need to configure LogScale.

To configure LogScale to work with Okta, set the configuration variables as described in Configure SAML for LogScale Self-Hosted.

When you've finished preparing LogScale, go to the Sign On tab in Okta. In the Settings section, click Edit. This will give you an input box labeled Default Relay State. Paste the Integration URL for LogScale into that field and save when done.

You'll need to give users in Okta permissions to use the app. Assign the application to any users or groups you want to have access to LogScale. See Okta's instructions on how to do this. Otherwise, if everything went according to the instructions on this page, you're now ready to use Okta with LogScale.

Customizing Email Invite Address

The email address that Okta sends to the user as the login email to use for authentication with LogScale can be modified. This is useful if emails change, domains change, or if there are multiple email domains and you want to use a single domain as the identifying email address.

To achieve this, the email address must be transformed as part of the mapping process within your Okta configuration:

  1. Go to the Okta configuration and choose Profile Editor → LogScale App → Mappings → Okta to LogScale.

  2. Edit the mapping using the Okta expression mechanisms. In the example below, the email address is split at the @, the domain name (the part after the @) is separated from the rest, and the parts are then reconstructed into the new email address:

    String.substringBefore(source.email, "@") + "-" + $appuser + "@" + String.substringAfter(source.email, "@")

For more information on expressions, see the Okta documentation pages Modify attributes with expressions and Okta Expression Language overview guide.
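A mapping like the one in step 2 can be tried offline against a list of addresses before it is saved in Okta. The following is an added Python example, not Okta or LogScale code, and it goes one step beyond the expression on this page: the optional target_domain argument (hypothetical) models folding several email domains into one, and find_collisions reports source addresses that would end up with the same login email. The suffix argument stands in for the $appuser part of the expression, which is an assumption about what that placeholder holds; all addresses are constructed.

```python
from collections import defaultdict


def split_email(email):
    """Split at the single '@'; reject anything else so the result is unambiguous."""
    if email.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {email!r}")
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain in {email!r}")
    return local, domain


def map_email(email, suffix, target_domain=None):
    """Emulate: substringBefore(email, "@") + "-" + suffix + "@" + substringAfter(email, "@").
    target_domain (hypothetical extension) replaces the original domain."""
    local, domain = split_email(email)
    return f"{local}-{suffix}@{target_domain or domain}"


def find_collisions(emails, suffix, target_domain=None):
    """Return {mapped address: [source addresses]} for mappings shared by several sources."""
    seen = defaultdict(list)
    for email in emails:
        seen[map_email(email, suffix, target_domain)].append(email)
    return {mapped: sources for mapped, sources in seen.items() if len(sources) > 1}


# Constructed sample directory with two email domains.
SAMPLE = ["alice@corp.example", "alice@subsidiary.example", "bob@corp.example"]

if __name__ == "__main__":
    for address in SAMPLE:
        print(address, "->", map_email(address, "logscale"))
    # Keeping each domain: no two users share a login email.
    print(find_collisions(SAMPLE, "logscale"))
    # Folding both domains into one: the two alice accounts map to one identity.
    print(find_collisions(SAMPLE, "logscale", target_domain="corp.example"))
```

A non-empty result from find_collisions means two Okta users would authenticate to LogScale under the same email address, so the mapping needs to be changed before it is applied.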