Configure Okta Identity Cloud as a SAML 2.0 Identity Provider

Use Okta for identity management with StackRox.


This guide documents how to use Okta as a Single Sign On (SSO) provider for the StackRox Kubernetes Security Platform.

Prerequisites

To complete these steps, you must:

  • have the permissions needed to configure authentication in both the StackRox Kubernetes Security Platform and Okta.
  • use an Okta account with administrative privileges, because creating the SAML app requires the Okta Admin Console.

Create an Okta App

To begin, log in to your Okta administration portal.

Okta’s Developer Console doesn’t support the creation of custom SAML 2.0 applications. If you are using the Developer Console, you need to first switch to the Admin Console (Classic UI). If you see Developer Console in the top left of the page, click it and select Classic UI to switch.

  1. Select Applications in the menu bar.

  2. Select Add Application and then Create New App.

  3. In the Create a New Application Integration dialog box, leave Web as the platform and select SAML 2.0 as the protocol that you want to use to sign your users in.

  4. Select Create.

  5. On the General Settings page, enter a name for the app in the App name field, for example StackRox. A logo isn’t required; if you want one, you can download the StackRox Kubernetes Security Platform logos from our Media Kit.

  6. Select Next.

  7. On the SAML Settings page, set values for the following fields (you can leave the other fields blank):

    1. Single sign on URL

      • Substitute your StackRox portal hostname into this URL: https://<your-portal-hostname>/sso/providers/saml/acs
        For example: https://stackrox.example.com/sso/providers/saml/acs
      • Leave the “Use this for Recipient URL and Destination URL” box checked.
      • If your StackRox portal is accessible at different URLs, you can add them here by checking “Allow this app to request other SSO URLs” and specifying the alternate URLs in the same format as above.
    2. Audience URI (SP Entity ID)

      • Set the value to StackRox or another value of your choice.
      • Remember the value you choose, since you must provide exactly the same value to StackRox. A SAML service provider rejects assertions whose Audience does not match its configured entity ID, so the two values must match character for character.
    3. Attribute Statements

      • You must add at least one Attribute Statement.
      • We recommend providing the email attribute:
        • Name: email
        • Format: Unspecified
        • Value: user.email

      A correctly configured application looks similar to the following:

      [Screenshot: Okta Application SAML Settings]

      Verify that at least one Attribute Statement is configured before continuing.

  8. Select Next.

  9. On the Feedback page, select an option that applies to you.

  10. Select an appropriate App type.

  11. Select Finish.

After the configuration is complete, you are redirected to the Sign On settings page for the new app. A yellow box contains links to the information you will need to provide to StackRox.

[Screenshot: Okta Identity Provider Metadata Instructions]

As a final step in the Okta console, assign Okta users to this application. Go to the Assignments tab, and assign the set of individual users or groups that should have access to StackRox. For example, assigning the group Everyone allows all users in the organization to sign in to StackRox; for least privilege, prefer a dedicated group containing only the people who need access.

Once you have assigned users, return to the Sign On settings tab. Click the Identity Provider metadata link and save its URL; you will provide it to StackRox.
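Before leaving the Okta side it is worth checking the two values that cross between the systems: the Single sign on URL you typed into Okta, and the metadata Okta publishes at the link you just saved. The script below is an added example written for this page, not StackRox or Okta code. It builds the StackRox ACS URL from a portal hostname and then parses IdP metadata to pull out what a SAML service provider needs (the IdP entityID, the HTTPS single sign-on endpoints, and a SHA-256 fingerprint of each signing certificate), refusing metadata that lacks a signing certificate or uses a non-HTTPS endpoint. The metadata, hostnames, app ID and certificate bytes in it are constructed placeholders.

```python
"""Added example (not StackRox or Okta code): sanity-check the values the
Okta SAML app and StackRox exchange. All sample data below is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Stand-in for the DER bytes of the IdP signing certificate (constructed,
# not a real certificate).
SAMPLE_CERT_DER = b"constructed: not a real X.509 certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()

# Constructed metadata in the shape an IdP serves at its metadata link;
# the Okta hostname and app ID are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEAPPID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>@@CERT@@</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exkEXAMPLEAPPID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exkEXAMPLEAPPID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("@@CERT@@", SAMPLE_CERT_B64)


def stackrox_acs_url(portal_hostname: str) -> str:
    """Single sign on URL for the Okta app: StackRox receives SAML responses
    at /sso/providers/saml/acs on the portal hostname, always over HTTPS."""
    host = portal_hostname.strip()
    for scheme in ("https://", "http://"):
        if host.lower().startswith(scheme):
            host = host[len(scheme):]
    host = host.rstrip("/").lower()
    if not host or "/" in host or " " in host:
        raise ValueError("expected a bare hostname such as stackrox.example.com")
    return f"https://{host}/sso/providers/saml/acs"


def sha256_hex(der: bytes) -> str:
    """Fingerprint a DER-encoded certificate the way most SP UIs display it."""
    return hashlib.sha256(der).hexdigest()


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract what a SAML SP needs from IdP metadata: the IdP entityID (the
    Issuer that will appear in assertions), the SSO endpoints, and the
    signing certificate(s) used to verify assertion signatures.
    Raises ValueError on metadata an SP could not safely use."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("missing entityID or IDPSSODescriptor")

    sso_urls = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        location = svc.get("Location", "")
        if urlparse(location).scheme != "https":
            raise ValueError(f"SSO endpoint is not HTTPS: {location}")
        sso_urls[binding] = location
    if not sso_urls:
        raise ValueError("no SingleSignOnService endpoint")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_hex(der))
    if not fingerprints:
        raise ValueError("no signing certificate: assertions could not be verified")

    return {
        "entity_id": entity_id,
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "sso_urls": sso_urls,
        "signing_cert_sha256": fingerprints,
    }


if __name__ == "__main__":
    print(stackrox_acs_url("stackrox.example.com"))
    for key, value in inspect_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

To check a real deployment, fetch the metadata URL you saved over HTTPS and pass the response body to inspect_idp_metadata; the entity ID and certificate fingerprint it prints are what you should expect StackRox to report once the provider is configured, and the ACS URL from stackrox_acs_url should equal the Single sign on URL you entered in Okta.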

Configure StackRox

Next, configure StackRox to use your Okta application.


© 2021 StackRox Inc. All rights reserved.