SSO Using Okta

This page explains how to configure Okta and then configure Styra.

Configure Okta SSO SAML

To prepare Okta for signing on to styra-das-id.styra.com:

  1. Log in to Okta.

  2. On the administrator dashboard, click Add Applications and select Create New App.

  3. Enter the following details in the form and then click Create.

    • Platform: Select Web.

    • Sign on method: Select SAML 2.0.

  4. Enter the following details in the General Settings form and click Next.

    • App name: Styra (or anything you prefer).

  5. Enter the following details in the SAML Settings section of the General Settings form and then click Next.

    • Single sign on URL: https://styra-das-id.styra.com/v1/saml/ssosaml/callback, replacing styra-das-id.styra.com with your tenant name and ssosaml with the provider name. You will enter the same provider name when you configure the settings on styra-das-id.styra.com.

    • Use this for Recipient URL and Destination URL: Make sure to check this box.

    • Audience URI (SP Entity ID): https://styra-das-id.styra.com/v1/saml/ssosaml/metadata, replacing styra-das-id.styra.com with your tenant name and ssosaml with the same provider name used in the Single sign on URL. You will enter this provider name when you configure the settings on styra-das-id.styra.com.

    • Name ID Format: EmailAddress.

  6. Select an appropriate option on the Help Okta Support understand how you configured this application form and click Finish.

  7. The next form shows the settings you have created.

    • On the General tab, confirm the SAML settings and configure any additional application-specific settings if needed.

  8. Select the Sign On tab and click the View Setup Instructions button.

    • From the Optional section at the bottom, copy the IDP metadata from the Provide the following IDP metadata to your SP provider field. You will paste this value when you configure the settings on styra-das-id.styra.com.

  9. Select the Assignments tab to choose the users entitled to access styra-das-id.styra.com.

    • Click Assign and select Assign to People.

    • Click Assign and Save to go back to the selected people.

    • When all the users are assigned, click Done.

Styra Configuration

After you configure Okta, you must configure styra-das-id.styra.com.

  1. Log in to styra-das-id.styra.com with your username and password.

  2. Go to your Workspace, click Settings >> Single Sign-On Providers >> SAML and then click Add SAML Provider.

  3. Enter the following details in the form.

    • Provider name: Enter the name for your identity provider setting.

    • Private key: Generate a private key and a matching self-signed certificate, for example with openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.cert -days 3650 -nodes -subj "/CN=styra-das-id.styra.com" (this writes an unencrypted 2048-bit RSA key to private.key and a certificate valid for ten years to certificate.cert). Paste the contents of private.key here.

    • Private key certificate: Paste the contents of the certificate.cert file generated above.

    • Identity provider metadata: Paste the IDP metadata you copied from Okta.

    • Email attribute: Leave this empty; because Name ID Format was set to EmailAddress, the SAML response from Okta already carries the email address in the Subject (NameID).

    • Allowed Domains: Enter the email domain(s) your users authenticate with, for example retail.acme.com. Even if the identity provider serves multiple domains, only users whose email domain is in this list are allowed to access the service.

    • Allow identity provider to initiate sign in:

      • If enabled, the identity provider can initiate single sign-on (IdP-initiated login).

      • If disabled, the identity provider cannot initiate single sign-on; login must start from styra-das-id.styra.com.

    • Invited users only:

      • If enabled, the authenticated user must have a pre-existing account in the service.

      • If disabled, a new user account will be created just-in-time for any authenticated user, as long as the user's domain matches one of the allowed domains (and the identity provider has assigned the new user to the Styra application).

    • Enabled: Set it to TRUE.

  4. If you left Invited users only disabled (just-in-time provisioning), you can now log out of styra-das-id.styra.com and sign in again through Okta. Okta is now displayed on the styra-das-id.styra.com login screen above the username and password fields.
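The two fields that decide who gets in, Identity provider metadata and Allowed Domains, are worth checking before you set Enabled to TRUE. The Python below is an added example and not Styra's or Okta's own code: it parses a constructed stand-in for Okta's IDP metadata (placeholder entityID, host and certificate body, not taken from any real tenant), confirms that it carries a signing certificate, the emailAddress NameID format and HTTPS single sign-on endpoints, and shows the exact-match domain rule that just-in-time provisioning depends on. The function names and the report layout are this example's own.

```python
"""Pre-flight checks for the Identity provider metadata and Allowed Domains
fields.  Added example; SAMPLE_METADATA is a constructed stand-in for Okta's
IdP metadata, not real tenant data."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: placeholder entityID, host and certificate body.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE-ENTITY-ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>TUlJQ0VYQU1QTEU=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/EXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/EXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Parse IdP metadata; 'problems' is empty when it has what Styra needs."""
    problems = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id, "signing_certs": [], "sso_urls": {},
                "problems": problems + ["no IDPSSODescriptor element"]}

    # Signing certificates: KeyDescriptor with use="signing" or no use attribute.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join((c.text or "").split())  # base64 is often line-wrapped
            try:
                base64.b64decode(body, validate=True)
            except ValueError:
                problems.append("X509Certificate is not valid base64")
                continue
            certs.append(body)
    if not certs:
        problems.append("no signing certificate: responses cannot be verified")

    # Styra reads the email from the Subject, so the IdP must offer that format.
    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    if EMAIL_NAMEID not in formats:
        problems.append("IdP does not advertise the emailAddress NameIDFormat")

    # The browser is sent to these endpoints, so each one must be HTTPS.
    sso_urls = {}
    for s in idp.findall("md:SingleSignOnService", NS):
        binding, location = s.get("Binding"), s.get("Location", "")
        sso_urls[binding] = location
        if not location.startswith("https://"):
            problems.append(f"non-HTTPS SingleSignOnService for {binding}")
    if not sso_urls:
        problems.append("no SingleSignOnService endpoint")

    return {"entity_id": entity_id, "signing_certs": certs,
            "sso_urls": sso_urls, "problems": problems}


def email_domain_allowed(email, allowed_domains):
    """Exact, case-insensitive match of the domain after the only '@'.

    A suffix or substring comparison would also admit look-alike domains
    such as retail.acme.com.attacker.example or evil-retail.acme.com.
    """
    if email.count("@") != 1:
        return False
    local, _, domain = email.partition("@")
    domain = domain.strip().lower().rstrip(".")
    allowed = {d.strip().lower().rstrip(".") for d in allowed_domains}
    return bool(local.strip()) and domain in allowed


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA))
    print(email_domain_allowed("alice@retail.acme.com", ["retail.acme.com"]))
```

Run it against the metadata you copied from Okta (read the file into check_idp_metadata) before pasting the value into Styra; an empty problems list means the file names a signing certificate, offers the emailAddress NameID format and only HTTPS endpoints. The domain function mirrors the Allowed Domains rule: the list is an exact allow list of email domains, not a pattern.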

Invite Users to Styra (Optional)

If you configured styra-das-id.styra.com to allow only invited users to log in to the service, you must create the users on styra-das-id.styra.com first. You can add or invite users through the following options:

  • Using the CLI.
  • Using the GUI.
  • Any client calling the Styra CLI API.