After you have configured SSO logins for Okta, you can further configure Okta to manage permissions for your Canary Console users, such as their Flock access and whether they are Global Admins. This guide will walk you through the Okta changes you need to make to support IdP-managed permissions.
Change Summary
Inside your Okta org, you will add three attributes to the Thinkst Canary application's user profile so that Okta can manage each user's permissions. The three attributes are: is_global_admin, managed_flocks and watched_flocks.
For more information on the IdP-managed permissions feature and the associated SAML attributes, see this article.
All the steps below take place in your Okta account. Log in to Okta with a user who is able to modify the Thinkst Canary application.
Step 1: Add the Attributes to User Profile
Open the User App profile for the Thinkst Canary application you created when first configuring SSO logins for Okta.
Scroll down and click Add Attribute.
Add the three attributes (is_global_admin, managed_flocks and watched_flocks) as strings. Ensure that "Attribute required" is enabled only for is_global_admin.
The final setup should look like this:
Step 2: Update SAML with User Profile Fields
Update your SAML configuration to utilize the fields from the user app profile, ensuring that authentication and attribute mapping align with your desired setup.
Return to the application SAML Setup.
Enter the SAML configuration.
Click on Sign On and scroll down to the Attribute statements section. This section maps fields from the user's application profile to fields in the SAML statement.
Add the three attributes here by clicking on Add expression. The mapping should look like this:
The attributes are automatically saved once added.
Step 3: Set User Permissions
Open the assignment modal to configure and assign permissions for users in the Thinkst Canary app.
Enter the desired values into the fields and then click Save to assign.
The Okta app will now pass the custom attributes through to the Console, which sets the user's permissions based on these attributes.
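Before relying on the mapping, it is worth confirming what the assertion Okta sends actually carries. The following is an added example (not Thinkst or Okta code) that reads the AttributeStatement of a constructed SAML assertion, insists on is_global_admin being present (the only attribute marked required in Step 1), and parses the flock fields; it assumes is_global_admin holds "true"/"false" and that the flock attributes hold comma-separated flock IDs, which the guide does not specify.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not a real Okta capture. Only the
# AttributeStatement is shown; signature checking is the Console's job
# and is out of scope for this attribute check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="is_global_admin">
      <saml:AttributeValue>false</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="managed_flocks">
      <saml:AttributeValue>flock:1111,flock:2222</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="watched_flocks">
      <saml:AttributeValue>flock:3333</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

REQUIRED = ("is_global_admin",)          # "Attribute required" enabled in Okta
OPTIONAL = ("managed_flocks", "watched_flocks")


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_permission_attributes(assertion_xml: str) -> dict:
    """Validate the three Canary permission attributes and return them typed."""
    attrs = extract_attributes(assertion_xml)
    missing = [name for name in REQUIRED if name not in attrs]
    if missing:
        raise ValueError(f"required attribute(s) missing from assertion: {missing}")
    # Assumption: the admin flag is the literal string "true" or "false".
    flag = attrs["is_global_admin"][0].strip().lower()
    if flag not in ("true", "false"):
        raise ValueError(f"is_global_admin must be true/false, got {flag!r}")
    result = {"is_global_admin": flag == "true"}
    for name in OPTIONAL:
        # Assumption: flock lists are comma-separated; absent or empty means none.
        raw = attrs.get(name, [""])[0]
        result[name] = [f.strip() for f in raw.split(",") if f.strip()]
    return result
```

For an assertion captured from a real login, parse it with a hardened XML library rather than the standard-library parser used here for brevity.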
Step 4: Configure Admin Group
You can optionally create and configure a Canary Admins group that will allow you to easily manage the list of admin users on your console through an Okta group.
Open the Groups editor and create a new group called Canary Admins.
Assign users to the group by opening the newly created group's settings and clicking on Assign people.
Return to the application SAML Setup.
Enter the SAML configuration.
Click on Sign On and scroll down to the Attribute statements section. Add (or change) the three expressions to match the expressions shown below.
The Okta app will now pass through the correct attributes to the Console to make users that are part of the Canary Admins group global admins on the console, and will fall back to using the managed and watched flocks configured on the user profiles for users that aren't part of the Canary Admins group.