Set up SSO

Set up single sign-on (SSO) to let Identity Providers (IdPs) authenticate users.

This page is intended for Admins and Billing Admins. For conceptual information about managing users and roles and possible setups, visit User and role management.

Overview

SSO helps make user management efficient and secure. With SSO, an IdP – for example, Okta – authenticates users. Users can then log into Cloud Observability with their IdP credentials.

Cloud Observability supports SSO with OAuth2 for Google, and SSO with Security Assertion Markup Language (SAML) for Azure AD, Okta, and OneLogin.

Azure AD

Integrate with Azure Active Directory (AD) to provide SSO for users from the Cloud Observability web UI.

Prerequisites

You’ll need the following to integrate Cloud Observability with Azure AD:

• An admin Azure AD account in an organization with SAML privileges.
• An Admin Cloud Observability user.
• A default user role configured in Cloud Observability. This is the role assigned to all Azure AD users (you can change it in Cloud Observability).

Configure Cloud Observability as an Enterprise Application in Azure AD

1. In Azure AD, navigate to the Enterprise Apps page.

2. To add Cloud Observability, click New Application and then Create Your Own Application. Enter Cloud Observability for the name and click Create.

   Cloud Observability now appears as an application in Azure AD.

3. In the navigation menu, click Single sign-on and then select the SAML card.

4. Click to edit the Basic SAML Configuration panel and enter the following values:

   • Identifier: https://app.lightstep.com/saml/metadata

   • Reply URL: https://app.lightstep.com/api/v1/authentication/sso/saml_callback

   • Sign on URL: https://app.lightstep.com/api/v1/authentication/sso/saml_callback?RelayState=

   • Relay State: You will enter this value (generated by Cloud Observability) in a later step.

   

5. Click Save.
   You now need an XML blob to configure communication between Azure AD and Cloud Observability.
6. Scroll down to the SAML Certificates section and download the Federation Metadata XML file.
7. In a new tab, open Cloud Observability and click Account management > Single sign on (SSO).
8. Paste the XML from the Federation file into the IDP metadata (XML) box.
9. Click Save.
   Cloud Observability generates a RelayState value displayed in the RelayState field.
10. Copy the RelayState value to your clipboard.
11. Back in the Basic SAML Configuration panel in Azure AD, paste the RelayState value into the Relay State field and save.

Enable SSO

You now need to create an Azure AD group and assign Cloud Observability users to that group. You then add that group to the Cloud Observability application.

1. In Azure AD, navigate to All Groups and create a new Security Group.

2. Add users to this group (you can add and delete users as needed from here).

3. Back on the Cloud Observability page, select the Users and Groups menu option and assign the group you just created.

Sign in to Cloud Observability

Once you’ve assigned the group to Cloud Observability in Azure AD, users log in directly from Cloud Observability.

With SSO enabled users must sign in from the SAML SSO tab.

1. Navigate to http://app.lightstep.com.
2. Click the SAML SSO tab and enter the email used to create the Cloud Observability user in Azure AD.

Once you assign users to the Cloud Observability security group in Azure AD, you can configure JIT (Just In Time) provisioning in Cloud Observability. Users will be able to create a Cloud Observability account when they log in.

Google

With SSO, users can sign into Cloud Observability with their managed Google credentials. In other words, they can click Sign in with Google without a second sign-in.

Follow these steps to set up SSO for Cloud Observability:

1. Sign into your Google Admin console as an administrator.
2. In the sidebar, click Security > Access and data control > API controls.
3. On the API controls page, click Manage Third-Party App Access.
4. Click the Add app drop-down and select OAuth App Name or Client ID.
5. Enter the client ID below, click Search, and then click Select next to the Cloud Observability app.

   1
   746217134341-pp9knfd5e0b6b6n84jg3cjd5hsuguuot.apps.googleusercontent.com
   

6. Check OAuth Client ID, click Select, check Limited, and then click Configure to save your changes and return to the API controls page.

You can revisit your settings by going to the API controls page and clicking Manage Third-Party App Access > Cloud Observability.

Okta

Cloud Observability provides an integration with Okta that allows Okta to handle user authentication, authorization, and management. Once you integrate with Okta and configure for SSO, users can create Cloud Observability accounts and sign in to Cloud Observability either from Okta (IDP-initiated) or Cloud Observability (SP-Initiated).

The integration uses the System for Cross-domain Identity Management specification (SCIM) to sync user information between Cloud Observability and Okta.

Supported features in Okta

• Provision and de-provision users: Admins can create Cloud Observability accounts from Okta. They are assigned the Cloud Observability default role.
• Update users Admins can update users’ names.

Prerequisites

You’ll need the following to integrate Cloud Observability with Okta:

• An admin Okta account in an organization with SCIM provisioning privileges
• An Admin Cloud Observability Observability user
• A default user role, set in Cloud Observability Observability. This is the role that will be assigned to provisioned users (you can change it in Cloud Observability after provisioning).

• A Cloud Observability API key. The API key must have Admin privileges.

  Be sure to copy and then temporarily store this key once you create it. You need it to integrate with Okta and won’t be able to access it once you close the dialog.

Integrate Cloud Observability with Okta

1. In Okta, add the Cloud Observability application to your Okta account.

2. Set the Application Username format.
   Select the Sign On tab, click Edit, change Application username format to Email, and click Save.

3. Select the Provisioning tab and click Configure API Integration.

4. On this page:
   • Select Enable API integration

   • Enter your organization’s base URL as https://api.lightstep.com/public/v0.2/[your_organization_name]

     Your organization name must match the organization name set up in Cloud Observability.

   • Enter the Cloud Observability API key from the Prerequisites.

     

5. Click Test API Credentials to ensure the integration is successful.

6. Once the integration is successful, click Save.

7. Select To App to configure provisioning:

   • Select Create Users to enable creation of users from Okta.
   • Select Update User Attributes to enable updating of names from Okta.
   • Select Deactivate Users to enable deactivation of users from Okta.

Enable SSO

When you enable SSO, users can sign in and create a Cloud Observability account either from the Okta panel or from Cloud Observability.

An Okta admin must first provision the Cloud Observability app to the Okta user’s account before they can sign in.

To enable SSO:

1. In Okta as an admin, from the Cloud Observability application, select Sign On.
2. Click the Identity Provider metadata link to generate the Identity Provider (IDP) XML key that Cloud Observability will use to communicate with Okta. Copy the key to your clipboard.
3. In Cloud Observability, click Account management > Single sign on (SSO).
4. In the IDP metadata (XML) box, paste in the XML key.
5. Click Save. A RelayState value is generated for you. Copy that value to your clipboard.
6. Back in Okta, paste the RelayState value into the Default Relay State field and click Save.

Provision users in Okta

Users must be assigned the Cloud Observability account in Okta before they can sign in and create a Cloud Observability account.

To assign Cloud Observability to a user:

1. Access the Assignments tab and use the dropdown to select Assign to People or alternatively, assign to group).

2. Search for the user you want to assign and select Assign.

3. Confirm their information and click Save and Go Back.

Once provisioned, you can change a user’s role in Cloud Observability.

Sign in to Cloud Observability from Okta

Once you’ve assigned a user to Cloud Observability in Okta, the Cloud Observability app displays in their Okta dashboard. They can double-click the icon to log into Cloud Observability

Sign in to Cloud Observability from Cloud Observability

Once you’ve assigned a user to Cloud Observability in Okta, they can also log in directly from Cloud Observability.

With SSO enabled users must sign in from the SAML SSO tab.

To sign in from Cloud Observability

1. Navigate to http://app.lightstep.com.
2. Click the SAML SSO tab and enter the email used to create the Cloud Observability user in Okta.

Known issues/troubleshooting

User name updates in Okta are not supported.

OneLogin

Cloud Observability provides an integration with OneLogin that allows OneLogin to handle user authentication. Once you integrate with OneLogin and configure for SSO, users can sign in to Cloud Observability either from OneLogin (IdP-initiated) or Cloud Observability (SP-Initiated).

Supported features

Cloud Observability currently supports the following SAML features:

• IdP-initiated SSO: Users log into OneLogin and then select the Cloud Observability app and are signed in.
• SP-initiated SSO: Users log into Cloud Observability and OneLogin authenticates the user.
• JIT (Just In Time) Provisioning: Once the user is assigned to Cloud Observability in OneLogin, they can provision a new Cloud Observability account upon first login.

Prerequisites

You’ll need the following to integrate Cloud Observability with OneLogin:

• An admin OneLogin account in an organization with SAML privileges.
• An Admin Cloud Observability user.
• A default user role configured in Cloud Observability. This is the role that will be assigned to all OneLogin users (you can change it in Cloud Observability.

Integrate and configure Cloud Observability with OneLogin

1. From the Admin Portal in OneLogin, add the Cloud Observability application to your OneLogin account.
2. Click on the Cloud Observability application to configure the application.
3. In the upper right, under More Actions, click SAML metadata.
   You need an XML blob to configure communication between OneLogin and Cloud Observability.
4. Copy the XML blob to your clipboard.
5. In Cloud Observability, click Account management > Single sign on (SSO).
6. Paste the blob into the IDP metadata (XML) box.
7. Click Save.
   A RelayState value is generated and displayed in the RelayState field.
8. Copy the RelayState value to your clipboard.
9. Back in OneLogin, go to the Configuration tab and paste the RelayState value into the Default Relay State field and save.

Enable SSO

When you enable SSO, users can sign into Cloud Observability either from OneLogin or from Cloud Observability. You can assign Cloud Observability either to roles or to specific users.

To enable SSO for a OneLogin role:
In OneLogin as an admin, go to the Access tab and select the roles to have Cloud Observability access.

To enable SSO for a OneLogin user:

1. In OneLogin as an admin, go to the users page and search for the user you want to assign to Cloud Observability.
2. In their profile, click the Applications tab.
3. Click the Plus next to Applications, select Cloud Observability from the dropdown, and click Continue to give the user access.

Sign in to Cloud Observability from OneLogin

Once you’ve assigned a user to Cloud Observability in OneLogin, the Cloud Observability app displays in their dashboard. They can double-click the icon to log into Cloud Observability

Sign in to Cloud Observability from Cloud Observability

Once you’ve assigned a user to Cloud Observability in OneLogin, they can also log in directly from Cloud Observability.

With SSO enabled users must sign in from the SAML SSO tab.

To sign in from Cloud Observability

1. Navigate to http://app.lightstep.com.
2. Click the SAML SSO tab and enter the email used to create the Cloud Observability user in OneLogin.

See also

User and role management

Roles and permissions

Set up JIT provisioning

Updated Jul 31, 2023