Lightstep provides an integration with Okta that allows Okta to handle user authentication, authorization, and management. Once you integrate with Okta and configure single sign-on (SSO), users can create Lightstep accounts and sign in to Lightstep either from Okta (IDP-initiated) or from Lightstep (SP-initiated).

The integration uses the System for Cross-domain Identity Management specification (SCIM) to sync user information between Lightstep and Okta.

Supported Features in Okta

  • Provision and de-provision users: Admins can create Lightstep accounts from Okta. They are assigned the Lightstep default role.
  • Update users: Admins can update users’ names.

Prerequisites

You’ll need the following to integrate Lightstep with Okta:

  • An admin Okta account in an organization with SCIM provisioning privileges
  • An admin Lightstep user
  • A default user role, set in Lightstep. This is the role that will be assigned to provisioned users (you can change it in Lightstep after provisioning).
  • A Lightstep API key. The API key must have Admin privileges.

    Be sure to copy and then temporarily store this key once you create it. You need it to integrate with Okta and won’t be able to access it once you close the dialog.

Integrate Lightstep with Okta

  1. In Okta, add the Lightstep application to your Okta account.

  2. Set the Application Username format.
    Select the Sign On tab, click Edit, change Application username format to Email, and click Save.

  3. Select the Provisioning tab and click Configure API Integration.

  4. On this page:
    • Select Enable API integration
    • Enter your organization’s base URL as https://api.lightstep.com/public/v0.2/[your_organization_name]

      Your organization name must match the organization name set up in Lightstep.

    • Enter the Lightstep API key from the Prerequisites.

  5. Click Test API Credentials to ensure the integration is successful.

  6. Once the integration is successful, click Save.

  7. Select To App to configure provisioning:

    • Select Create Users to enable creation of users from Okta.
    • Select Update User Attributes to enable updating of names from Okta.
    • Select Deactivate Users to enable deactivation of users from Okta.

Enable SSO

When you enable SSO, users can sign in and create a Lightstep account either from the Okta panel or from Lightstep.

An Okta admin must first provision the Lightstep app to the Okta user’s account before they can sign in.

To enable SSO:

  1. In Okta as an admin, from the Lightstep application, select Sign On.
  2. Click the Identity Provider metadata link to generate the Identity Provider (IDP) XML key that Lightstep will use to communicate with Okta. Copy the key to your clipboard.
  3. In Lightstep, in the left-hand navigation bar, click Account and choose Account Settings.
  4. Click the SSO tab and in the IDP metadata (XML) box, paste in the XML key.
  5. Click Save. A RelayState value is generated for you. Copy that value to your clipboard.
  6. Back in Okta, paste the RelayState value into the Default Relay State field and click Save.

Provision Users in Okta

Users must be assigned the Lightstep account in Okta before they can sign in and create a Lightstep account.

To assign Lightstep to a user:

  1. Access the Assignments tab and use the dropdown to select Assign to People (or alternatively, assign to a group).

  2. Search for the user you want to assign and select Assign.

  3. Confirm their information and click Save and Go Back.

Once provisioned, you can change a user’s role in Lightstep.

Sign In to Lightstep from Okta

Once you’ve assigned a user to Lightstep in Okta, the Lightstep app displays in their Okta dashboard. They can double-click the icon to log into Lightstep.

Sign In to Lightstep from Lightstep

Once you’ve assigned a user to Lightstep in Okta, they can also log in directly from Lightstep.

With SSO enabled, users must sign in from the SAML SSO tab.

To sign in from Lightstep:

  1. Navigate to http://app.lightstep.com.
  2. Click the SAML SSO tab and enter the email used to create the Lightstep user in Okta.

Known Issues/Troubleshooting

User name updates in Okta are not supported.