Lightstep Observability provides an integration with Okta that allows Okta to handle user authentication, authorization, and management. Once you integrate with Okta and configure single sign-on (SSO), users can create Lightstep Observability accounts and sign in to Lightstep Observability either from Okta (IDP-initiated) or from Lightstep Observability (SP-initiated).
The integration uses the System for Cross-domain Identity Management specification (SCIM) to sync user information between Lightstep Observability and Okta.
Supported features in Okta
- Provision and de-provision users: Admins can create Lightstep Observability accounts from Okta. They are assigned the Lightstep Observability default role.
- Update users: Admins can update users’ names.
Prerequisites
You’ll need the following to integrate Lightstep Observability with Okta:
- An admin Okta account in an organization with SCIM provisioning privileges
- An admin Lightstep Observability user
- A default user role, set in Lightstep Observability. This is the role that will be assigned to provisioned users (you can change it in Lightstep after provisioning).
- A Lightstep Observability API key. The API key must have Admin privileges. Be sure to copy and then temporarily store this key once you create it. You need it to integrate with Okta and won’t be able to access it once you close the dialog.
Integrate Lightstep Observability with Okta
- In Okta, add the Lightstep Observability application to your Okta account.
- Set the Application Username format. Select the Sign On tab, click Edit, change Application username format to Email, and click Save.
- Select the Provisioning tab and click Configure API Integration.
- On this page:
  - Select Enable API integration.
  - Enter your organization’s base URL as https://api.lightstep.com/public/v0.2/[your_organization_name]. Your organization name must match the organization name set up in Lightstep.
  - Enter the Lightstep Observability API key from the Prerequisites.
  - Click Test API Credentials to ensure the integration is successful.
  - Once the integration is successful, click Save.
- Select To App to configure provisioning:
  - Select Create Users to enable creation of users from Okta.
  - Select Update User Attributes to enable updating of names from Okta.
  - Select Deactivate Users to enable deactivation of users from Okta.
Enable SSO
When you enable SSO, users can sign in and create a Lightstep Observability account either from the Okta panel or from Lightstep Observability.
An Okta admin must first provision the Lightstep Observability app to the Okta user’s account before they can sign in.
To enable SSO:
- In Okta as an admin, from the Lightstep Observability application, select Sign On.
- Click the Identity Provider metadata link to generate the Identity Provider (IDP) XML key that Lightstep Observability will use to communicate with Okta. Copy the key to your clipboard.
- In Lightstep, click Account management > Single sign on (SSO).
- In the IDP metadata (XML) box, paste in the XML key.
- Click Save. A RelayState value is generated for you. Copy that value to your clipboard.
- Back in Okta, paste the RelayState value into the Default Relay State field and click Save.
Provision users in Okta
Users must be assigned the Lightstep Observability account in Okta before they can sign in and create a Lightstep Observability account.
To assign Lightstep Observability to a user:
- Access the Assignments tab and use the dropdown to select Assign to People (or alternatively, assign to group).
- Search for the user you want to assign and select Assign.
- Confirm their information and click Save and Go Back.
Once provisioned, you can change a user’s role in Lightstep Observability.
Sign in to Lightstep Observability from Okta
Once you’ve assigned a user to Lightstep Observability in Okta, the Lightstep app displays in their Okta dashboard. They can double-click the icon to log into Lightstep.
Sign in to Lightstep Observability from Lightstep
Once you’ve assigned a user to Lightstep in Okta, they can also log in directly from Lightstep.
With SSO enabled, users must sign in from the SAML SSO tab.
To sign in from Lightstep Observability:
- Navigate to http://app.lightstep.com.
- Click the SAML SSO tab and enter the email used to create the Lightstep Observability user in Okta.
Known issues/troubleshooting
User name updates in Okta are not supported.