Introduction
After you have configured SSO logins for Okta, you can further configure Okta to manage permissions for your Canary Console users, such as their Flock access and whether they are Global Admins. This guide will walk you through the Okta changes you need to make to support IdP-managed permissions.
Change Summary
Inside your Okta org, you will add three attributes to each user's application profile so that Okta can manage the permissions. The three attributes are: is_global_admin, managed_flocks and watched_flocks.
For more information on the IdP-managed permissions feature and the associated SAML attributes, see this article.
All the steps below take place in your Okta account. Log in to Okta with a user who is able to modify the Thinkst Canary application.
Steps
Step 1: Add the attributes to the user profile
Open the User App profile for the Thinkst Canary application you created when first configuring SSO logins for Okta.
Scroll down and click "Add Attribute".
Add the three attributes (is_global_admin, managed_flocks and watched_flocks) as strings. Ensure that "Attribute required" is enabled only for is_global_admin.
The final setup should look like this:
Step 2: Edit the SAML configuration to use the user app profile fields
Return to the Thinkst Canary application's SAML setup and open the SAML configuration wizard. Click "Next" on Step 1 to reach the SAML settings.
Scroll down to the attribute statements. This section maps fields from the user's application profile to attributes in the SAML assertion. "appuser" is a built-in Okta object for the user application profile, so appuser.is_global_admin refers to the attribute you added in Step 1.
Add the three attributes here, with the name format for each set to "Basic" and the value mapped from the matching appuser field. The mapping should look like this:
Click "Next" at the bottom of the wizard to continue. Finally click "Finish" to save the settings.
Step 3: Configure permissions for users in the Thinkst Canary app
For each user assigned to the Thinkst Canary app, open the assignment modal to set that user's Canary permissions.
Enter the desired values for is_global_admin, managed_flocks and watched_flocks and then click "Save" to assign.
At SSO login, the Okta app will now pass the custom attributes through to the Console, which sets the user's permissions based on these attributes.
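To confirm that the attribute statements reach the Console as intended, capture the SAML assertion from a test login (a browser SAML tracer extension will show it) and inspect its AttributeStatement. The script below is an added example, not part of this article or Thinkst's own code; it parses a constructed assertion fragment, confirms the three attribute names are present with the "Basic" name format, and flags a missing is_global_admin, the one attribute marked required in Step 1. The flock identifiers and the true/false check on is_global_admin are assumptions for illustration; the value formats the Console actually accepts are described in the referenced IdP-managed permissions article.

```python
"""Check that a SAML assertion carries the Canary permission attributes."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

PERMISSION_ATTRIBUTES = ("is_global_admin", "managed_flocks", "watched_flocks")
REQUIRED_ATTRIBUTES = ("is_global_admin",)  # the only attribute marked required in Okta

# Constructed assertion fragment, not a real capture. Signature, Subject and
# Conditions are omitted: only the attribute statement is inspected here.
# The flock identifiers are placeholders (assumption), not real Flock IDs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="is_global_admin" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>false</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="managed_flocks" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>flock_a</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="watched_flocks" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>flock_a</saml:AttributeValue>
      <saml:AttributeValue>flock_b</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: (name_format, [values])} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        found[attr.get("Name")] = (attr.get("NameFormat"), values)
    return found


def check_permission_attributes(assertion_xml):
    """Return a list of problems; an empty list means the statement looks as expected."""
    problems = []
    attrs = extract_attributes(assertion_xml)

    # Okta only guarantees the required attribute is populated for every user.
    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs:
            problems.append(f"missing required attribute {name}")

    # Step 2 sets the name format to "Basic" for all three attributes.
    for name in PERMISSION_ATTRIBUTES:
        if name in attrs and attrs[name][0] != BASIC_FORMAT:
            problems.append(f"{name} has NameFormat {attrs[name][0]!r}, expected Basic")

    # Assumption: is_global_admin is a single true/false string.
    if "is_global_admin" in attrs:
        values = attrs["is_global_admin"][1]
        if len(values) != 1 or values[0].lower() not in ("true", "false"):
            problems.append(f"is_global_admin should be one true/false value, got {values}")
    return problems


if __name__ == "__main__":
    for problem in check_permission_attributes(SAMPLE_ASSERTION) or ["attribute statement OK"]:
        print(problem)
```

Run it against the assertion from your own test login (paste the decoded XML in place of SAMPLE_ASSERTION) before rolling the change out to all users: an attribute that is missing or has the wrong name format will silently fail to set permissions rather than error at login.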