Configure SAML single sign-on with Okta
You can configure your ExtraHop system to enable users to log in to the system through the Okta identity management service.
Before you begin
- You should be familiar with administrating Okta. These procedures are based on the Okta Classic UI. If you are configuring Okta through the Developer Console, the procedure might be slightly different.
- You should be familiar with administrating ExtraHop systems.
These procedures require you to copy and paste information between the ExtraHop system and the Okta Classic UI, so it is helpful to have each system open side-by-side.
Enable SAML on the ExtraHop system
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Access Settings section, click Remote Authentication.
- From the Remote authentication method drop-down list, select SAML.
- Click Continue.
- Click View SP Metadata. You will need to copy the ACS URL and Entity ID to paste into the Okta configuration in the next procedure.
Configure SAML settings in Okta
This procedure requires you to copy and paste information between the ExtraHop Admin UI and the Okta Classic UI, so it is helpful to have each UI open side-by-side.
- Log in to Okta.
In the upper-right corner of the page, change the view from
Developer Console to Classic
- From the top menu, click Applications.
- Click Add Application.
- Click Create New App.
- From the Platform drop-down list, select Web.
- For the Sign on method, select SAML 2.0.
- Click Create.
- In the General Settings section, type a unique name in the App name field to identify the ExtraHop system.
- (Optional): Configure the App logo and App visibility fields as required for your environment.
- Click Next.
In the SAML Settings sections, paste the Assertion
Consumer Service (ACS) URL from the ExtraHop system into the Single sign on URL
field in Okta.
Note: You might need to manually edit the ACS URL if the URL contains an unreachable hostname, such as the default system hostname extrahop. We recommend that you specify the fully qualified domain name for the ExtraHop system in the URL.
- Paste the SP Entity ID from the ExtraHop system into the Audience URI (SP Entity ID) field in Okta.
- From the Name ID format drop-down list, select Persistent.
- From the Application username drop-down list, select a username format.
In the Attribute Statements section, add the following
attributes. These attributes identify the user throughout the ExtraHop system.
Name Name format Value urn:oid:0.9.2342.19200300.100.1.3 URI Reference user.email urn:oid:188.8.131.52 URI Reference user.lastName urn:oid:184.108.40.206 URI Reference user.firstName
In the Group Attribute Statement section, type a string in
the Name field and configure a filter. You will specify the
group attribute name when you configure user privilege attributes on the
The following figure shows a sample configuration.
Click Next and then click
You are returned to the Sign On settings page.
In the Settings section, click View Setup
A new browser window opens and displays information that is required to configure the ExtraHop system.
Assign the ExtraHop system to Okta groups
We assume that you already have users and groups configured in Okta. If you do not, refer to the Okta documentation to add new users and groups.
- From the Directory menu, select Groups.
- Click the group name.
- Click Manage Apps.
- Locate the name of the application you configured for the ExtraHop system and click Assign.
- Click Done.
Add identity provider information on the ExtraHop system
- Return to the Administration settings on the ExtraHop system. Close the Service Provider metadata window if it is still open, and then click Add Identity Provider.
Type a unique name in the Provider Name field. This name appears on the
ExtraHop system login page.
- From Okta, copy the Identity Provider Single Sign-On URL and paste into the SSO URL field on the ExtraHop system.
- From Okta, copy the Identity Provider Issuer URL and paste into the Entity ID field on the ExtraHop system.
- From Okta, copy the X.509 certificate and paste into the Signing Certificate field on the ExtraHop system.
Choose how you would like to provision users from one of the following
- Select Auto-provision users to create a new remote SAML user account on the ExtraHop system when the user first logs in.
- Clear the Auto-provision users checkbox and manually configure new remote users through the ExtraHop Administration settings or REST API. Access and privilege levels are determined by the user configuration in Okta.
- The Enable this identity provider option is selected by default and allows users to log in to the ExtraHop system. To prevent users from logging in, clear the checkbox.
Configure user privilege attributes. You must configure the following set of
user attributes before users can log in to the ExtraHop system through an
identity provider. Values are user-definable; however, they must match the
attribute names that are included in the SAML response from your identity
provider. Values are not case sensitive and can include spaces. For more
information about privilege levels, see Users
and user groups.
Important: You must specify the attribute name and configure at least one attribute value other than No access to enable users to log in.In the examples below, the Attribute Name field is the group attribute configured when creating the ExtraHop application on the identity provider and the Attribute Values are the names of your user groups. If a user is a member of more than one group, the user is granted the most permissive access privilege.
Configure packets and session key access. Configuring packets and session key
attributes is optional and only required when you have a connected Trace
Configure detections access. Configuring detections attributes is optional and
only required when the global
privilege policy is set to Only specified users can view
- Click Save.
- Save the Running Config.
Thank you for your feedback. Can we contact you to ask follow up questions?