Set up single sign-on (SSO) to let Identity Providers (IdPs) authenticate users.

This page is intended for users with administration permissions. For conceptual information about managing users and roles, visit User and role management.

Overview

SSO helps make user management efficient and secure. With SSO, an IdP – for example, Okta – authenticates users. Users can then log into Cloud Observability with their IdP credentials.

Cloud Observability supports SSO with OAuth2 for Google, and SSO with Security Assertion Markup Language (SAML) for Microsoft Entra ID (formerly Azure AD), Okta, and OneLogin.

Google

With SSO, users can sign into Cloud Observability with their managed Google credentials. In other words, they can select Sign in with Google without a second sign-in.

Follow these steps to set up SSO for Cloud Observability:

  1. Sign into your Google Admin console as an administrator.
  2. In the sidebar, select Security > Access and data control > API controls.
  3. On the API controls page, select Manage Third-Party App Access.
  4. Select the Add app drop-down and select OAuth App Name or Client ID.
  5. Enter the client ID below, select Search, and then select Select next to the Cloud Observability app.
    
    746217134341-pp9knfd5e0b6b6n84jg3cjd5hsuguuot.apps.googleusercontent.com
    
  6. Check OAuth Client ID, select Select, check Limited, and then select Configure to save your changes and return to the API controls page.

You can revisit your settings by going to the API controls page and selecting Manage Third-Party App Access > Cloud Observability.

Microsoft Entra ID (formerly Azure AD)

Integrate with Microsoft Entra ID to provide SSO for Cloud Observability users.

Prerequisites

You need the following to integrate Cloud Observability with Microsoft Entra ID:

  • A Microsoft Entra ID admin account in an organization with SAML privileges.
  • A Cloud Observability Organization Admin user.
  • A Cloud Observability default user role.

    Cloud Observability assigns the default role to all Microsoft Entra ID users.

Step 1: Configure Cloud Observability in Microsoft Entra ID

  1. In Microsoft Entra ID, go to the Enterprise applications page.
  2. To add Cloud Observability, select New application and then Create your own application. Enter Cloud Observability for the name and select Create.

    Cloud Observability is now an application in Microsoft Entra ID.

  3. In the sidebar, select Single sign-on and then select the SAML card.
  4. Select Edit on the Basic SAML Configuration panel and enter these values (Identifier is the SAML entity ID that appears as the Audience in assertions; Reply URL is the assertion consumer service that receives the IdP's POST):

    • Identifier

         https://app.lightstep.com/saml/metadata
         # https://app.eu.lightstep.com/saml/metadata # EU data center

    • Reply URL

        https://app.lightstep.com/api/v1/authentication/sso/saml_callback
        # https://app.eu.lightstep.com/api/v1/authentication/sso/saml_callback # EU data center

    • Sign on URL

        https://app.lightstep.com/api/v1/authentication/sso/saml_callback?RelayState=
        # https://app.eu.lightstep.com/api/v1/authentication/sso/saml_callback?RelayState= # EU data center
    • Relay State

      Leave this input blank. You’ll generate and enter the Relay State value in the next step.

  5. Select Save.

Step 2: Enable SSO

Follow these steps to configure communication between Microsoft Entra ID and Cloud Observability:

  1. On the same Single sign-on page in Microsoft Entra ID, scroll down to the SAML Certificates card and select Download next to Federation Metadata XML.
  2. In a new tab, open Cloud Observability:
    1. Select Settings > User management > Single sign-on (SSO).
    2. Paste the contents of the downloaded Federation Metadata XML file into the SSO For SAML input.
    3. Select Save.
    4. Copy the RelayState value to your clipboard.
  3. Back in Microsoft Entra ID, edit the Basic SAML Configuration panel and paste your RelayState value in the Relay State field. Select Save.

Step 3: Create and assign groups

Follow the steps below to create a Microsoft Entra ID group and assign Cloud Observability users to that group. You then add that group to the Cloud Observability application.

  1. In Microsoft Entra ID, navigate to All groups and create a new security group:
    1. Select New group.
    2. For Group type, select Security.
    3. For Group name, enter Cloud Observability users.
    4. Add users to your group and select Create.
  2. Return to the Enterprise applications page and select your Cloud Observability application.
  3. In the sidebar, select Users and groups and assign the group you created.

You’re all set. Users can now sign into Cloud Observability from Cloud Observability’s SAML SSO sign-in tab.
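
If sign-in fails after this setup, the quickest diagnostic is to capture the SAMLResponse that the IdP posts to the Reply URL (the SAMLResponse form field, visible in the browser's Network tab) and compare it with the values you entered in Basic SAML Configuration. The script below is an added example, not Cloud Observability or Microsoft code. It decodes a response and checks Destination and Recipient against the Reply URL, Audience against the Identifier, the validity window, and whether NameID is an email address. The sample response, the IdP entity ID and the user are constructed placeholders, and the script only inspects claims; it does not verify the XML signature, which the service provider must always do.

```python
"""Decode a captured SAMLResponse and compare its claims with the SP configuration."""
import base64
import xml.etree.ElementTree as ET  # use defusedxml for responses you did not capture yourself
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Identifier and Reply URL from Basic SAML Configuration (US data center).
SP_ENTITY_ID = "https://app.lightstep.com/saml/metadata"
SP_ACS_URL = "https://app.lightstep.com/api/v1/authentication/sso/saml_callback"

# Constructed sample: unsigned, invented IdP entity ID and user. A real response carries
# a ds:Signature and far more attributes.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-11-07T10:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-11-07T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2024-11-07T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-11-07T09:55:00Z" NotOnOrAfter="2024-11-07T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# What the browser actually posts: the XML, base64-encoded, in the SAMLResponse field.
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(b64: str, now: datetime, entity_id: str = SP_ENTITY_ID,
                        acs_url: str = SP_ACS_URL) -> dict:
    """Compare the response's claims with the SP values; 'problems' is empty when they agree.

    Only claims are checked. 'signed' reports whether a ds:Signature element is present;
    verifying it requires a SAML library and must never be skipped by the SP.
    """
    root = ET.fromstring(base64.b64decode(b64))
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value", "") if code is not None else ""
    if not status.endswith(":Success"):
        problems.append(f"IdP status is {status or 'missing'}")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return {"signed": root.find("ds:Signature", NS) is not None, "name_id": None, "problems": problems}
    signed = root.find("ds:Signature", NS) is not None or assertion.find("ds:Signature", NS) is not None
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain Identifier {entity_id!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient != Reply URL")
    cond = assertion.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before and now < parse_time(not_before):
        problems.append("assertion not yet valid: check clock skew between IdP and SP")
    if not_after and now >= parse_time(not_after):
        problems.append("assertion expired: replayed, or captured too long ago")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None else ""
    if "@" not in email:
        problems.append("NameID is not an email address; this page's Okta setup uses email as the user identifier")
    return {"signed": signed, "name_id": email or None, "problems": problems}


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_SAML_RESPONSE, parse_time("2024-11-07T10:01:00Z")))
```

Run it with the EU Reply URL as acs_url and the sample immediately reports the Destination and Recipient mismatches, which is exactly the failure you get when the Entra application was created with the US values for an EU data center tenant.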

Okta

Set up SSO with Okta to let Okta authenticate, authorize, and manage Cloud Observability users.

Supported features

The Okta integration uses System for Cross-domain Identity Management (SCIM) to sync user information between Cloud Observability and Okta.

Once you set up the integration, Okta Admins can provision, de-provision, and update Cloud Observability users in Okta. New Cloud Observability users are assigned the default role. And they can sign into Cloud Observability from Okta or Cloud Observability.

Prerequisites

To complete the steps below, you need an Okta Admin account in an organization with SCIM provisioning privileges.

In Cloud Observability, you must be an Organization Admin. You also need a Cloud Observability API key, which you enter in Okta in Step 2, and a default user role, which Okta-provisioned users receive.

Step 1: Add Cloud Observability to Okta

In August 2023, Lightstep became Cloud Observability. The Okta integration uses the Lightstep name, but it works with Cloud Observability.

Follow these steps to add the Cloud Observability integration to Okta:

  1. Visit the Lightstep integration page and select Add Integration.
  2. On the Add Lightstep page, enter Cloud Observability as the Application label.
  3. Select Done to access the Cloud Observability configuration page in Okta.

Step 2: Configure the integration

Follow these steps to connect Okta to your Cloud Observability organization and let Okta manage users:

  1. Set the user identifier to email:

    1. On the Cloud Observability configuration page in Okta, select Sign On > Edit.
    2. Select the Application username format drop-down and select Email.
    3. Select Save to implement your changes.
  2. Connect Okta to your Cloud Observability organization:

    1. On the Cloud Observability configuration page in Okta, select Provisioning > Configure API Integration > Enable API integration and fill out the form:
      • Base URL - Enter https://api.lightstep.com/public/v0.2/YOUR-ORG and replace YOUR-ORG with your Cloud Observability organization name.

        EU data center customers, use https://api.eu.lightstep.com/public/v0.2/YOUR-ORG

      • API Token - Enter your Cloud Observability API key.

    2. Select Test API Credentials. Okta displays Lightstep was verified successfully! when it connects to your Cloud Observability organization.
    3. Select Save to implement your changes.
  3. Let Okta create, update, and deactivate Cloud Observability users:

    1. In the same Provisioning tab, select To App > Edit.
    2. Select Create Users, Update User Attributes, and Deactivate Users.
    3. Select Save to implement your changes.

Rotating API keys

Rotate the API key that Okta uses for provisioning on a regular schedule, and immediately if it may have been exposed. Follow these steps in this order so provisioning keeps working throughout:

  1. In Cloud Observability, create and copy a new API key.
  2. In Okta, go to the Cloud Observability application and select Provisioning > Integration > Edit.
  3. Paste your new API key in the API Token field and select Save.
  4. Back in Cloud Observability, revoke the original API key so that any leaked copy of it can no longer create or change users.

Step 3: Enable SSO

With SSO, users can sign in from Okta or Cloud Observability. Follow these steps to enable SSO:

  1. On the Cloud Observability configuration page in Okta, select Sign On.
  2. Under Metadata details, open the Metadata URL and copy the XML it returns.
  3. Add the XML to Cloud Observability and get your RelayState value:
    1. In Cloud Observability, select Settings > User management > Single sign-on (SSO).
    2. Paste the XML in the SSO For SAML input.
    3. Select Save to enable SSO. Cloud Observability displays SSO Configuration Saved.
    4. On the same page, copy the RelayState value.
  4. Back in Okta’s Sign On tab, select Edit and paste that value in the Default Relay State input.
  5. Select Save.

You’re all set. You can now assign users to your Cloud Observability integration in Okta. Users can then sign into Cloud Observability from the Okta dashboard or Cloud Observability’s SAML SSO sign-in tab.

OneLogin

Integrate with OneLogin to let OneLogin handle user authentication.

Supported features

Cloud Observability supports these SAML features:

  • IdP-initiated SSO: Users log into OneLogin and select the Cloud Observability app to sign in.
  • Service-provider-initiated SSO: Users log into Cloud Observability, and OneLogin authenticates the user.
  • JIT (Just In Time) Provisioning: Once users are assigned to Cloud Observability in OneLogin, a Cloud Observability account is created for them on their first sign-in.

Prerequisites

You need the following to integrate Cloud Observability with OneLogin:

  • A OneLogin admin account in an organization with SAML privileges.
  • A Cloud Observability Organization Admin user.
  • A Cloud Observability default user role.

    Cloud Observability assigns the default role to all OneLogin users.

Step 1: Configure Cloud Observability in OneLogin

In August 2023, Lightstep became Cloud Observability. The OneLogin integration uses the Lightstep name, but it works with Cloud Observability.

  1. From the Admin Portal in OneLogin, add the Lightstep application to your OneLogin account.
  2. Select the Lightstep application to configure the application.
  3. In the upper right, under More Actions, select SAML metadata and copy the XML blob to your clipboard.
  4. In Cloud Observability:
    1. Select Settings > User management > Single sign-on (SSO).
    2. Paste the XML blob into the SSO For SAML box and select Save.
    3. On the same page, copy the RelayState value.
  5. Back in OneLogin, go to the Configuration tab, paste the RelayState value into the Default Relay State field, and save.
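
Each SAML integration on this page (Entra ID Step 2, Okta Step 3 and OneLogin Step 1) ends with pasting the IdP's metadata XML into the SSO For SAML box. The Python script below, added here as an example and not part of Cloud Observability's or any IdP's tooling, checks such a metadata file before you paste it: that it is IdP metadata rather than SP metadata, that it advertises SAML 2.0, that its single sign-on endpoints use HTTPS, and that it carries a signing certificate. The sample metadata, its entity ID, endpoints and certificate bytes are constructed placeholders; the certificate is only base64 that begins like a DER certificate, so inspecting a real certificate's expiry would need a library such as cryptography.

```python
"""Sanity-check SAML IdP metadata before pasting it into the SSO For SAML box."""
import base64
import binascii
import xml.etree.ElementTree as ET  # use defusedxml for metadata from a source you do not control

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape Entra ID, Okta and OneLogin export. Entity ID, endpoints
# and certificate are placeholders; "MIIBsampleZQ" merely decodes to bytes starting 0x30 like DER.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml2">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBsampleZQ
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, SSO endpoints by binding, signing-cert count and a list of problems."""
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": 0, "problems": []}
    problems = result["problems"]
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    if not result["entity_id"]:
        problems.append("entityID is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata (SP metadata pasted by mistake?)")
        return result
    if SAML2 not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IdP does not advertise SAML 2.0 support")
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location") or ""
        result["sso"][svc.get("Binding")] = location
        if not location.startswith("https://"):
            problems.append(f"SingleSignOnService is not https: {location!r}")
    if not (result["sso"].keys() & {REDIRECT, POST}):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # an absent 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except binascii.Error:
                problems.append("X509Certificate is not valid base64")
                continue
            if not der or der[0] != 0x30:  # a DER certificate starts with an ASN.1 SEQUENCE tag
                problems.append("X509Certificate does not look like a DER certificate")
                continue
            result["signing_certs"] += 1
    if result["signing_certs"] == 0:
        problems.append("no signing certificate: the SP cannot verify assertions from this IdP")
    return result


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA))
```

The "no IDPSSODescriptor" case is the one worth remembering: Cloud Observability's own metadata lives at the Identifier URL above, and pasting that SP document instead of the IdP's is an easy mistake that this check catches before the Save.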

Step 2: Assign roles and users

Assign OneLogin roles or users to Cloud Observability to let users sign into Cloud Observability from OneLogin or Cloud Observability.

Assign OneLogin roles to Cloud Observability:

In OneLogin, go to the Access tab and select the roles whose members should have Cloud Observability access.

Assign OneLogin users to Cloud Observability:

  1. In OneLogin, go to the users page and search for the user you want to assign to Cloud Observability.
  2. In their profile, select Applications.
  3. Select + next to Applications, select Lightstep from the dropdown, and select Continue to give the user access.

You’re all set. The assigned users can now sign into Cloud Observability from OneLogin or from Cloud Observability’s SAML SSO sign-in tab.

See also

User and role management

Roles and permissions reference

Set up JIT provisioning

Updated Nov 7, 2024