After you have configured SSO logins for Okta, you can further configure Okta to manage permissions for your Canary Console users, such as their Flock access and whether they are Global Admins. This guide will walk you through the Okta changes you need to make to support IdP-managed permissions.
Change Summary
Inside your Okta tenant, you will add three attributes to each user's application profile so that Okta can manage the permissions. The three attributes are: is_global_admin, managed_flocks and watched_flocks.
For more information on the IdP-managed permissions feature and the associated SAML attributes, see this article.
All the steps below take place in your Okta account. Log in to Okta with a user who is able to modify the Thinkst Canary application.
Step 1: Add the Attributes to User Profile
Open the User App profile for the Thinkst Canary application you created when first configuring SSO logins for Okta.
Scroll down and click Add Attribute.
Add the three attributes (is_global_admin, managed_flocks and watched_flocks) as strings. Ensure that "Attribute required" is enabled only for is_global_admin.
The final setup should look like this:
Step 2: Update SAML with User Profile Fields
Update your SAML configuration to utilize the fields from the user app profile, ensuring that authentication and attribute mapping align with your desired setup.
Return to the application SAML Setup.
Enter the SAML configuration.
Click Next on Step 1.
Scroll down to the attribute statements. This section maps fields from the user's application profile to fields in the SAML statement. "appuser" is a built-in Okta object representing the user's application profile.
Add the three attributes here, specifying the type for each as Basic. The mapping should look like this:
Click Next at the bottom of the wizard to continue. Finally, click Finish to save the settings.
Step 3: Set User Permissions
Open the assignment modal to configure and assign permissions for users in the Thinkst Canary app.
Enter the desired values into the fields and then click Save to assign.
The Okta App will now pass through the custom attributes to the Console, which will set the user's permissions based on these attributes.
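As an added example that is not part of this guide or of the Canary product, the Python below shows how a service provider reads the three Basic attribute statements from the assertion Okta sends and derives the permission settings, treating is_global_admin as required and the two flock lists as optional. The assertion fragment is constructed, and the value formats (is_global_admin as the string "true"/"false", flock lists as comma-separated IDs) are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample of the AttributeStatement Okta emits once the three
# appuser fields are mapped as Basic attribute statements (values are made up).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="is_global_admin" NameFormat="{BASIC}">
      <saml:AttributeValue>false</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="managed_flocks" NameFormat="{BASIC}">
      <saml:AttributeValue>flock:abc123,flock:def456</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="watched_flocks" NameFormat="{BASIC}">
      <saml:AttributeValue>flock:ghi789</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(assertion_xml):
    """Return {attribute name: [string values]} from the AttributeStatement.
    Assumes the assertion signature was already verified by the SAML library."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    return attrs

def split_flocks(values):
    # Assumption: flock lists arrive comma-separated, possibly across several
    # AttributeValue elements; empty entries are dropped and duplicates removed.
    flocks = []
    for value in values:
        for flock in value.split(","):
            flock = flock.strip()
            if flock and flock not in flocks:
                flocks.append(flock)
    return flocks

def permissions_from_assertion(assertion_xml):
    """Derive the three settings; a missing is_global_admin rejects the login."""
    attrs = attribute_values(assertion_xml)
    if not attrs.get("is_global_admin"):
        raise ValueError("required attribute is_global_admin is missing")
    # Assumption: Okta sends the flag as "true"/"false"; anything else is not admin.
    is_admin = attrs["is_global_admin"][0].lower() == "true"
    return {"is_global_admin": is_admin,
            "managed_flocks": split_flocks(attrs.get("managed_flocks", [])),
            "watched_flocks": split_flocks(attrs.get("watched_flocks", []))}
```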