Set up single sign-on (SSO) to let Identity Providers (IdPs) authenticate users.

This page is intended for Organization Admins and Organization Billing Admins. For conceptual information about managing users and roles and possible setups, visit User and role management.

Overview

SSO helps make user management efficient and secure. With SSO, an IdP – for example, Okta – authenticates users. Users can then log into Cloud Observability with their IdP credentials.

Cloud Observability supports SSO with OAuth2 for Google, and SSO with Security Assertion Markup Language (SAML) for Microsoft Entra ID (formerly Azure AD), Okta, and OneLogin.

Google

With SSO, users can sign into Cloud Observability with their managed Google credentials. In other words, they can click Sign in with Google without a second sign-in.

Follow these steps to set up SSO for Cloud Observability:

  1. Sign into your Google Admin console as an administrator.
  2. In the sidebar, click Security > Access and data control > API controls.
  3. On the API controls page, click Manage Third-Party App Access.
  4. Click the Add app drop-down and select OAuth App Name or Client ID.
  5. Enter the client ID below, click Search, and then click Select next to the Cloud Observability app.
    746217134341-pp9knfd5e0b6b6n84jg3cjd5hsuguuot.apps.googleusercontent.com

  6. Check OAuth Client ID, click Select, check Limited, and then click Configure to save your changes and return to the API controls page.

You can revisit your settings by going to the API controls page and clicking Manage Third-Party App Access > Cloud Observability.

Microsoft Entra ID (formerly Azure AD)

Integrate with Microsoft Entra ID to provide SSO for Cloud Observability users.

Prerequisites

You need the following to integrate Cloud Observability with Microsoft Entra ID:

  • A Microsoft Entra ID admin account in an organization with SAML privileges.
  • A Cloud Observability Organization Admin user.
  • A Cloud Observability default user role.

    Cloud Observability assigns the default role to all Microsoft Entra ID users.

Step 1: Configure Cloud Observability in Microsoft Entra ID

  1. In Microsoft Entra ID, go to the Enterprise applications page.
  2. To add Cloud Observability, click New application and then Create your own application. Enter Cloud Observability for the name and click Create.

    Cloud Observability is now an application in Microsoft Entra ID.

  3. In the sidebar, click Single sign-on and then select the SAML card.
  4. Click to edit the Basic SAML Configuration panel and enter these values:

    • Identifier

         https://app.lightstep.com/saml/metadata

    • Reply URL

        https://app.lightstep.com/api/v1/authentication/sso/saml_callback

    • Sign on URL

        https://app.lightstep.com/api/v1/authentication/sso/saml_callback?RelayState=

    • Relay State

      Leave this input blank. You’ll generate and enter the Relay State value in the next step.

  5. Click Save.

Step 2: Enable SSO

Follow these steps to configure communication between Microsoft Entra ID and Cloud Observability:

  1. On the same Single sign-on page in Microsoft Entra ID, scroll down to the SAML Certificates card and click Download next to Federation Metadata XML.
  2. In a new tab, open Cloud Observability:
    1. Click Settings > User management > Single sign-on (SSO).
    2. Paste the contents of the downloaded Federation Metadata XML file into the SSO For SAML input.
    3. Click Save.
    4. Copy the RelayState value to your clipboard.
  3. Back in Microsoft Entra ID, edit the Basic SAML Configuration panel and paste your RelayState value in the Relay State field. Click Save.

Step 3: Create and assign groups

Follow the steps below to create a Microsoft Entra ID group and assign Cloud Observability users to that group. You then add that group to the Cloud Observability application.

  1. In Microsoft Entra ID, navigate to All groups and create a new security group:
    1. Click New group.
    2. For Group type, select Security.
    3. For Group name, enter Cloud Observability users.
    4. Add users to your group and click Create.
  2. Return to the Enterprise applications page and click your Cloud Observability application.
  3. In the sidebar, click Users and groups and assign the group you created.

You’re all set. Users can now sign into Cloud Observability from Cloud Observability’s SAML SSO sign-in tab.

Okta

Set up SSO with Okta to let Okta authenticate, authorize, and manage Cloud Observability users.

Supported features

The Okta integration uses System for Cross-domain Identity Management (SCIM) to sync user information between Cloud Observability and Okta.

Once you set up the integration, Okta Admins can provision, de-provision, and update Cloud Observability users in Okta. New Cloud Observability users are assigned the default role. And they can sign into Cloud Observability from Okta or Cloud Observability.

Prerequisites

To complete the steps below, you need an Admin Okta account in an organization with SCIM provisioning privileges.

In Cloud Observability, you must be an Organization Admin. You also need the following:

Step 1: Add Cloud Observability to Okta

In August 2023, Lightstep became Cloud Observability. The Okta integration uses the Lightstep name, but it works with Cloud Observability.

Follow these steps to add the Cloud Observability integration to Okta:

  1. Visit the Lightstep integration page and click Add Integration.
  2. On the Add Lightstep page, enter Cloud Observability as the Application label.
  3. Click Done to access the Cloud Observability configuration page in Okta.

Step 2: Configure the integration

Follow these steps to connect Okta to your Cloud Observability organization and let Okta manage users:

  1. Set the user identifier to email:

    1. On the Cloud Observability configuration page in Okta, click Sign On > Edit.
    2. Click the Application username format drop-down and select Email.
    3. Click Save to implement your changes.
  2. Connect Okta to your Cloud Observability organization:

    1. On the Cloud Observability configuration page in Okta, click Provisioning > Configure API Integration > Enable API integration and fill out the form:
      • Base URL - Enter https://api.lightstep.com/public/v0.2/YOUR-ORG and replace YOUR-ORG with your Cloud Observability organization name.
      • API Token - Enter your Cloud Observability API key. Okta uses this key to create, update, and deactivate users in your organization, so treat it as a privileged credential: store it only in Okta and rotate it regularly (see Rotating API keys below).
    2. Click Test API Credentials. Okta displays Lightstep was verified successfully! when it connects to your Cloud Observability organization.
    3. Click Save to implement your changes.
  3. Let Okta create, update, and deactivate Cloud Observability users:

    1. In the same Provisioning tab, click To App > Edit.
    2. Select Create Users, Update User Attributes, and Deactivate Users.
    3. Click Save to implement your changes.

Rotating API keys

Rotate your API keys regularly to keep applications secure. Follow these steps to rotate the Cloud Observability API key in Okta:

  1. In Cloud Observability, create and copy a new API key.
  2. In Okta, go to the Cloud Observability application and click Provisioning > Integration > Edit.
  3. Paste your new API key in the API Token field and click Save.
  4. Back in Cloud Observability, revoke the original API key so that it can no longer be used to provision or modify users.

Step 3: Enable SSO

With SSO, users can sign in from Okta or Cloud Observability. Follow these steps to enable SSO:

  1. On the Cloud Observability configuration page in Okta, click Sign On.
  2. Under Metadata details, open the Metadata URL and copy the XML document it returns.
  3. Add the XML file to Cloud Observability and get your RelayState value:
    1. In Cloud Observability, click Settings > User management > Single sign-on (SSO).
    2. Paste the XML file in the SSO For SAML input.
    3. Click Save to enable SSO. Cloud Observability displays SSO Configuration Saved.
    4. On the same page, copy the RelayState value.
  4. Back in Okta’s Sign On tab, click Edit and paste that value in the Default Relay State input.
  5. Click Save.

You’re all set. You can now assign users to your Cloud Observability integration in Okta. Users can then sign into Cloud Observability from the Okta dashboard or Cloud Observability’s SAML SSO sign-in tab.

OneLogin

Integrate with OneLogin to let OneLogin handle user authentication.

Supported features

Cloud Observability supports these SAML features:

  • IdP-initiated SSO: Users log into OneLogin and click the Cloud Observability app to sign in.
  • Service-provider-initiated SSO: Users log into Cloud Observability, and OneLogin authenticates the user.
  • JIT (Just In Time) Provisioning: Once users are assigned to Cloud Observability in OneLogin, a Cloud Observability account is created for them on their first sign-in.

Prerequisites

You need the following to integrate Cloud Observability with OneLogin:

  • A OneLogin admin account in an organization with SAML privileges.
  • A Cloud Observability Organization Admin user.
  • A Cloud Observability default user role.

    Cloud Observability assigns the default role to all OneLogin users.

Step 1: Configure Cloud Observability in OneLogin

In August 2023, Lightstep became Cloud Observability. The OneLogin integration uses the Lightstep name, but it works with Cloud Observability.

  1. From the Admin Portal in OneLogin, add the Lightstep application to your OneLogin account.
  2. Click the Lightstep application to configure the application.
  3. In the upper right, under More Actions, click SAML metadata and copy the XML blob to your clipboard.
  4. In Cloud Observability:
    1. Click Settings > User management > Single sign-on (SSO).
    2. Paste the XML blob into the SSO For SAML box and click Save.
    3. On the same page, copy the RelayState value.
  5. Back in OneLogin, go to the Configuration tab, paste the RelayState value into the Default Relay State field, and save.
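All three SAML integrations on this page (Microsoft Entra ID Step 2, Okta Step 3, and OneLogin Step 1 above) come down to the same action: pasting the IdP's metadata XML into the SSO For SAML input. Two mistakes are common at that point: pasting the wrong document (for example Cloud Observability's own service-provider metadata from the Identifier URL instead of the IdP's metadata), and pasting a blob whose signing certificate is missing or truncated, in which case SAML assertions can never be verified. The script below is an added example, not code from this page or from the Cloud Observability product; it checks an IdP metadata blob using only the Python standard library before you paste it. The two sample metadata documents inside it are constructed for illustration (the placeholder certificate is a few DER-like bytes, not a real X.509 certificate, and the tenant ID and login URLs are made-up stand-ins), and the function name inspect_idp_metadata is my own.

```python
"""Sanity-check SAML IdP metadata before pasting it into SSO For SAML.

Added example (not Cloud Observability code). Standard library only.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
# Bindings an SP-initiated sign-in can use to send the AuthnRequest to the IdP.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}


def inspect_idp_metadata(xml_text: str) -> dict:
    """Summarise an IdP metadata document; a non-empty 'problems' list means do not paste it."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return {"problems": [f"root element is {root.tag}, expected md:EntityDescriptor"]}
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # The document served at the Identifier URL is SP metadata: no IdP key, no IdP endpoints.
        if root.find("md:SPSSODescriptor", NS) is not None:
            problems.append("this is SP metadata (SPSSODescriptor), not IdP metadata")
        else:
            problems.append("no IDPSSODescriptor found")
        return {"entity_id": entity_id, "signing_certs": 0, "sso": {}, "problems": problems}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a key with no 'use' may sign as well
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except binascii.Error:
                problems.append("signing certificate is not valid base64")
                continue
            # Every DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
            if not der or der[0] != 0x30:
                problems.append("signing certificate is not DER (no leading SEQUENCE tag)")
                continue
            certs.append(der)
    if not certs:
        problems.append("no usable signing certificate; assertion signatures could not be verified")

    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding", ""), svc.get("Location", "")
        if binding in BINDINGS:
            sso[binding.rsplit(":", 1)[1]] = location
            if not location.startswith("https://"):
                problems.append(f"SSO endpoint is not https: {location}")
    if not sso:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    return {"entity_id": entity_id, "signing_certs": len(certs), "sso": sso, "problems": problems}


# Constructed samples for illustration only. The 'certificate' is a few DER-like bytes,
# not a real X.509 certificate, and the tenant ID and URLs are made-up stand-ins.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x02\x00" + bytes(12)).decode()
SAMPLE_IDP = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# What you get by pasting the Identifier URL's document instead of the IdP's: SP metadata
# (constructed stand-in, not the real document served by Cloud Observability).
SAMPLE_SP = f"""<EntityDescriptor xmlns="{MD}" entityID="https://app.lightstep.com/saml/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0"
        Location="https://app.lightstep.com/api/v1/authentication/sso/saml_callback"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for label, blob in (("IdP metadata", SAMPLE_IDP), ("SP metadata by mistake", SAMPLE_SP)):
        result = inspect_idp_metadata(blob)
        verdict = "OK to paste" if not result["problems"] else "DO NOT paste"
        print(f"{label}: {verdict} {result}")
```

Run it with python3 and paste only a blob that reports no problems. The check deliberately stops short of parsing certificate validity dates, which needs an X.509 parser such as the cryptography package; add that if you want an early warning, because when the IdP rotates its signing certificate (Entra ID shows the expiry on the SAML Certificates card) you must download and paste fresh metadata or sign-in will fail.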

Step 2: Assign roles and users

Assign OneLogin roles or users to Cloud Observability to let users sign into Cloud Observability from OneLogin or Cloud Observability.

Assign OneLogin roles to Cloud Observability:

In OneLogin, go to the Access tab and select the roles to have Cloud Observability access.

Assign OneLogin users to Cloud Observability:

  1. In OneLogin, go to the users page and search for the user you want to assign to Cloud Observability.
  2. In their profile, click Applications.
  3. Click + next to Applications, select Lightstep from the dropdown, and click Continue to give the user access.

You’re all set. The assigned users can now sign into Cloud Observability from OneLogin or from Cloud Observability’s SAML SSO sign-in tab.

See also

User and role management

Roles and permissions

Set up JIT provisioning

Updated Feb 26, 2024