Set up single sign-on (SSO) to let Identity Providers (IdPs) authenticate users.
This page is intended for Organization Admins and Organization Billing Admins. For conceptual information about managing users and roles and possible setups, visit User and role management.
SSO helps make user management efficient and secure. With SSO, an IdP – for example, Okta – authenticates users. Users can then log into Cloud Observability with their IdP credentials.
Cloud Observability supports SSO with OAuth2 for Google, and SSO with Security Assertion Markup Language (SAML) for Azure AD, Okta, and OneLogin.
Integrate with Azure Active Directory (AD) to provide SSO for users from the Cloud Observability web UI.
You’ll need the following to integrate Cloud Observability with Azure AD:
To add Cloud Observability, click New Application and then Create Your Own Application. Enter Cloud Observability for the name and click Create.
Cloud Observability now appears as an application in Azure AD.
Click to edit the Basic SAML Configuration panel and enter the following values:
Identifier: https://app.lightstep.com/saml/metadata
Reply URL: https://app.lightstep.com/api/v1/authentication/sso/saml_callback
Sign on URL: https://app.lightstep.com/api/v1/authentication/sso/saml_callback?RelayState=
Relay State: You will enter this value (generated by Cloud Observability) in a later step.
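A check of the values above before saving, as an added example that is not part of the Cloud Observability documentation: it compares a Basic SAML Configuration against the Identifier, Reply URL and Sign on URL listed on this page and reports anything that differs. The dictionary key names and the sample inputs are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Values copied from this page's Basic SAML Configuration list.
IDENTIFIER = "https://app.lightstep.com/saml/metadata"
REPLY_URL = "https://app.lightstep.com/api/v1/authentication/sso/saml_callback"

def lint_saml_config(cfg):
    """Return findings for a config dict; the key names are hypothetical."""
    findings = []
    if cfg.get("identifier") != IDENTIFIER:
        findings.append("identifier: differs from the documented value")
    reply_urls = cfg.get("reply_urls", [])
    if REPLY_URL not in reply_urls:
        findings.append("reply_url: documented Reply URL is missing")
    for url in reply_urls:
        if url != REPLY_URL:  # exact match: no http://, no extra destinations
            findings.append(f"reply_url: unexpected entry {url}")
    sign_on = urlsplit(cfg.get("sign_on_url", ""))
    if f"{sign_on.scheme}://{sign_on.netloc}{sign_on.path}" != REPLY_URL:
        findings.append("sign_on_url: not the documented callback URL")
    query = parse_qs(sign_on.query, keep_blank_values=True)
    if set(query) != {"RelayState"}:
        findings.append("sign_on_url: expected only a RelayState parameter")
    if not cfg.get("relay_state"):
        findings.append("relay_state: empty, generated value not entered yet")
    return findings

# Constructed sample inputs (not taken from a real tenant).
GOOD = {
    "identifier": IDENTIFIER,
    "reply_urls": [REPLY_URL],
    "sign_on_url": REPLY_URL + "?RelayState=",
    "relay_state": "constructed-relay-state",
}
BAD = {
    "identifier": "https://app.lightstep.com/saml/metadata/",
    "reply_urls": ["http://app.lightstep.com/api/v1/authentication/sso/saml_callback"],
    "sign_on_url": REPLY_URL,
    "relay_state": "",
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_saml_config(cfg) or "ok")
```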
RelayState value displayed in the RelayState field.
RelayState value to your clipboard.
RelayState value into the Relay State field and save.
You now need to create an Azure AD group and assign Cloud Observability users to that group. You then add that group to the Cloud Observability application.
In Azure AD, navigate to All Groups and create a new Security Group.
Add users to this group (you can add and delete users as needed from here).
Back on the Cloud Observability page, select the Users and Groups menu option and assign the group you just created.
Once you’ve assigned the group to Cloud Observability in Azure AD, users log in directly from Cloud Observability.
With SSO enabled, users must sign in from the SAML SSO tab.
Once you assign users to the Cloud Observability security group in Azure AD, you can configure JIT (Just In Time) provisioning in Cloud Observability. Users will be able to create a Cloud Observability account when they log in.
With SSO, users can sign into Cloud Observability with their managed Google credentials. In other words, they can click Sign in with Google without a second sign-in.
Follow these steps to set up SSO for Cloud Observability:
746217134341-pp9knfd5e0b6b6n84jg3cjd5hsuguuot.apps.googleusercontent.com
You can revisit your settings by going to the API controls page and clicking Manage Third-Party App Access > Cloud Observability.
Cloud Observability provides an integration with Okta that allows Okta to handle user authentication, authorization, and management. Once you integrate with Okta and configure for SSO, users can create Cloud Observability accounts and sign in to Cloud Observability either from Okta (IdP-initiated) or Cloud Observability (SP-initiated).
The integration uses the System for Cross-domain Identity Management specification (SCIM) to sync user information between Cloud Observability and Okta.
You’ll need the following to integrate Cloud Observability with Okta:
A Cloud Observability API key. The API key must have Organization Admin privileges.
Be sure to copy and then temporarily store this key once you create it. You need it to integrate with Okta and won’t be able to access it once you close the dialog.
In Okta, add the Cloud Observability application to your Okta account.
Set the Application Username format.
Select the Sign On tab, click Edit, change Application username format to Email, and click Save.
Select the Provisioning tab and click Configure API Integration.
Enter your organization’s base URL as https://api.lightstep.com/public/v0.2/[your_organization_name]
Your organization name must match the organization name set up in Cloud Observability.
Enter the Cloud Observability API key from the Prerequisites.
Click Test API Credentials to ensure the integration is successful.
Once the integration is successful, click Save.
Select To App to configure provisioning:
When you enable SSO, users can sign in and create a Cloud Observability account either from the Okta panel or from Cloud Observability.
An Okta admin must first provision the Cloud Observability app to the Okta user’s account before they can sign in.
To enable SSO:
Users must be assigned the Cloud Observability account in Okta before they can sign in and create a Cloud Observability account.
To assign Cloud Observability to a user:
Access the Assignments tab and use the dropdown to select Assign to People (or alternatively, assign to group).
Search for the user you want to assign and select Assign.
Confirm their information and click Save and Go Back.
Once provisioned, you can change a user’s role in Cloud Observability.
Once you’ve assigned a user to Cloud Observability in Okta, the Cloud Observability app displays in their Okta dashboard. They can double-click the icon to log into Cloud Observability.
Once you’ve assigned a user to Cloud Observability in Okta, they can also log in directly from Cloud Observability.
With SSO enabled, users must sign in from the SAML SSO tab.
To sign in from Cloud Observability
User name updates in Okta are not supported.
Cloud Observability provides an integration with OneLogin that allows OneLogin to handle user authentication. Once you integrate with OneLogin and configure for SSO, users can sign in to Cloud Observability either from OneLogin (IdP-initiated) or Cloud Observability (SP-initiated).
Cloud Observability currently supports the following SAML features:
You’ll need the following to integrate Cloud Observability with OneLogin:
RelayState value is generated and displayed in the RelayState field.
RelayState value to your clipboard.
RelayState value into the Default Relay State field and save.
When you enable SSO, users can sign into Cloud Observability either from OneLogin or from Cloud Observability. You can assign Cloud Observability either to roles or to specific users.
To enable SSO for a OneLogin role:
In OneLogin as an admin, go to the Access tab and select the roles to have Cloud Observability access.
To enable SSO for a OneLogin user:
Once you’ve assigned a user to Cloud Observability in OneLogin, the Cloud Observability app displays in their dashboard. They can double-click the icon to log into Cloud Observability.
Once you’ve assigned a user to Cloud Observability in OneLogin, they can also log in directly from Cloud Observability.
With SSO enabled, users must sign in from the SAML SSO tab.
To sign in from Cloud Observability
Updated Jul 31, 2023