After you have configured SSO logins for Okta, you can further configure Okta to manage permissions for your Canary Console users, such as their Flock access and whether they are Global Admins. This guide will walk you through the Okta changes you need to make to support IdP-managed permissions.
Change Summary
Inside your Okta Admin Console, we will assign three attributes to each user based on their group membership. This allows Okta to manage your Canary Console user permissions. The three attributes are: is_global_admin, managed_flocks and watched_flocks. Because the Console grants whatever these attributes say, membership of the Okta groups becomes the source of truth for Console authorization, so limit who can change those groups and the SAML application's attribute statements.
For more information on the IdP-managed permissions feature and the associated SAML attributes, see this article.
All the steps below take place in your Okta account. Log in to Okta with a user who is able to modify the Thinkst Canary SAML application.
Step 1: Create user groups
You'll need 3 groups at a minimum, one per attribute, to assign our base permissions to users.
In our example we'll create these 3:
Canary Console Global Admins - These users will have full control over the Canary Console.
Canary Console Flock Managers - These users have write control over specified Flocks.
Canary Console Flock Watchers - These users have read-only control over specified Flocks.
You may choose to split the manager and watcher groups into more granular sets. For example, if two users need control over different selections of Flocks, each selection requires its own group so that the attribute statements can tell them apart.
Head over to Directory, then Groups and finally hit the Add group button.
At this point, you'll also want to assign your users to these groups, based on the level of access you'd prefer them to have.
To do this, click on one of your groups, then select the Assign people button.
Step 2: Assign groups
With our groups created, we'll next assign your Canary Console SAML app to these groups, which gives their members the ability to log in.
Until the attribute statements in Step 3 are in place, these users will land on the Canary Console with no permissions.
Step 3: Add Attribute Statement
With our groups created and assigned, we'll next create Attribute Statements. These are small rules, evaluated when a user logs in, that set each attribute's value based on the user's group membership.
Switch over to the Sign On tab, and select Add expressions.
Here we'll add 3 attribute statements to cover each attribute required. We'll cover each below.
More on how to obtain a Flock ID can be found below.
is_global_admin
This entry covers your Global Admin users: if the user belongs to the group Canary Console Global Admins, they will receive the value "true", otherwise they will receive "false". Modify the group name to match your environment.
user.isMemberOf({'group.profile.name': 'Canary Console Global Admins', 'operator': 'EXACT'}) ? true : false
managed_flocks
This entry covers your Flock Managers: if the user belongs to the group Canary Console Flock Managers, they will receive write access to the list of Flock IDs you specify, otherwise they will receive the value "-" (no Flocks).
Modify the group name to match your environment, as well as the list of Flock IDs.
user.isMemberOf({'group.profile.name': 'Canary Console Flock Managers', 'operator': 'EXACT'}) ? 'flock:default' : '-'
watched_flocks
This entry covers your Flock Watchers: if the user belongs to the group Canary Console Flock Watchers, they will receive read-only access to the list of Flock IDs you specify, otherwise they will receive the value "-" (no Flocks).
Modify the group name to match your environment, as well as the list of Flock IDs.
user.isMemberOf({'group.profile.name': 'Canary Console Flock Watchers', 'operator': 'EXACT'}) ? 'flock:default,flock:d55384be14e4dcf3829ecd5429907985' : '-'
Your statements should look similar to the image below.
Note that multiple Flocks must be declared as a comma-separated list with no spaces, and every entry carries the flock: prefix, e.g.:
flock:default,flock:123,flock:456
You may want an additional statement to cover a second group with its own selection of Flocks. To handle this, create a separate entry referencing the new group name and the Flocks it may access:
user.isMemberOf({'group.profile.name': 'Canary Console Flock Watchers Unit 2', 'operator': 'EXACT'}) ? 'flock:456,flock:789' : '-'
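Before trusting the mapping, it is worth dry-running it: the script below is an added example (not part of this article or Thinkst's code) that mirrors the attribute statements above in Python, validates the comma-separated Flock list format, and reports what a user with a given set of Okta groups would be sent. The group names and Flock IDs are the article's placeholders, and the assumption that Flock IDs are alphanumeric is only used for the format check.

```python
import re

NO_FLOCKS = "-"                                     # the article's "no Flocks" sentinel
FLOCK_ENTRY = re.compile(r"^flock:[A-Za-z0-9]+$")   # assumption: Flock IDs are alphanumeric

GLOBAL_ADMIN_GROUP = "Canary Console Global Admins"

# One tuple per attribute statement: (attribute name, Okta group, value sent on match).
# Group names and Flock IDs are the article's placeholders; replace them with your own.
STATEMENTS = [
    ("managed_flocks", "Canary Console Flock Managers", "flock:default"),
    ("watched_flocks", "Canary Console Flock Watchers",
     "flock:default,flock:d55384be14e4dcf3829ecd5429907985"),
    ("watched_flocks", "Canary Console Flock Watchers Unit 2", "flock:456,flock:789"),
]


def parse_flock_list(value):
    """Split a managed_flocks / watched_flocks value into Flock IDs.

    Rejects the mistakes the article warns about: whitespace, an entry without
    the 'flock:' prefix, or an empty entry left behind by a stray comma.
    """
    if value == NO_FLOCKS:
        return []
    if value != value.strip() or " " in value:
        raise ValueError(f"whitespace is not allowed in a Flock list: {value!r}")
    entries = value.split(",")
    for entry in entries:
        if not FLOCK_ENTRY.match(entry):
            raise ValueError(f"bad Flock entry {entry!r}: expected flock:<id>")
    return entries


def validate_statements(statements=STATEMENTS):
    """Parse every statement's Flock list up front; returns the parsed lists."""
    return {(attr, group): parse_flock_list(value) for attr, group, value in statements}


def is_member_of(user_groups, group_name):
    """Stand-in for user.isMemberOf({'group.profile.name': group_name, 'operator': 'EXACT'})."""
    return group_name in user_groups


def resolve_attributes(user_groups, statements=STATEMENTS):
    """Evaluate each statement for a user, returning {attribute: [value, ...]}.

    Every statement always produces a value, so an attribute that several
    statements target gets one entry per statement ('-' where the user is not
    in that statement's group). This makes it obvious which statements fired.
    """
    attrs = {
        "is_global_admin": [str(is_member_of(user_groups, GLOBAL_ADMIN_GROUP)).lower()],
        "managed_flocks": [],
        "watched_flocks": [],
    }
    for attribute, group, value in statements:
        attrs[attribute].append(value if is_member_of(user_groups, group) else NO_FLOCKS)
    return attrs


def review(user_groups, statements=STATEMENTS):
    """Return the things an admin should double-check for this user's mapping."""
    attrs = resolve_attributes(user_groups, statements)
    warnings = []
    for attribute in ("managed_flocks", "watched_flocks"):
        hits = [v for v in attrs[attribute] if v != NO_FLOCKS]
        if len(hits) > 1:
            warnings.append(f"{attribute}: {len(hits)} statements matched this user; "
                            "confirm the Console receives the combination you expect")
    managed = {f for v in attrs["managed_flocks"] for f in parse_flock_list(v)}
    watched = {f for v in attrs["watched_flocks"] for f in parse_flock_list(v)}
    for flock in sorted(managed & watched):
        warnings.append(f"{flock} is granted as both managed and watched; check which applies")
    if attrs["is_global_admin"] == ["true"] and (managed or watched):
        warnings.append("global admin already has full control; per-Flock grants are redundant")
    return warnings


if __name__ == "__main__":
    validate_statements()  # fails loudly on a malformed Flock list before anything else
    for groups in ({"Canary Console Flock Watchers Unit 2"},
                   {"Canary Console Flock Managers", "Canary Console Flock Watchers"}):
        print(sorted(groups), resolve_attributes(groups), review(groups))
```

Run it with the groups of a test user before their first SSO login; then compare the output with the attributes actually present in the SAML assertion (a browser SAML tracer will show them) so that a typo in a group name or Flock ID is caught in Okta rather than discovered as a missing Flock in the Console.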
How do I find my Flock ID?
Flock IDs can be obtained by clicking on a Flock name within your Canary Console, then hitting the cog icon at the top right to get to its settings.
The Flock ID will be present in this menu.