-
Notifications
You must be signed in to change notification settings - Fork 27
docs: add sso okta + jumpcloud configurations #340
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
03beb44
e6fb84c
2c61230
e2ec3f4
3b62e66
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I'm not sure if these are new screenshots (or ones we provided), but I just noticed they feature staging within the url params in the callback URL/sign up portal link.
Would be great to either crop that part out, or generate new ones from production.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Praise: Screenshot looking good! 🚀
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lukqw it's good you like the screenshot, we are using the ones you made lol
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"localstack staging" again
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: this seems duplicated from the screenshot above?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: Would it make sense to split this based on provider?
We already have a separate page for Azure AD.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -36,6 +36,163 @@ Select **Enable IdP sign out flow** if you want your users to be logged out from | |
|
|
||
|  | ||
|
|
||
|
|
||
| ## Configuring SSO with Okta | ||
|
|
||
| This section provides a reference configuration for setting up SAML-based SSO with **Okta**. (We support SP-initiated sign on.) | ||
|
|
||
| The steps below mirror the fields required in the LocalStack UI and can be used as a template when configuring your Okta application. | ||
|
|
||
| ### 1. Create a SAML 2.0 App in Okta | ||
|
|
||
| In your Okta Admin Dashboard, create a new application under: | ||
|
|
||
| > **Applications → Create App Integration → SAML 2.0** | ||
|
|
||
| During setup, Okta will ask for: | ||
|
|
||
| * **Single sign-on URL** | ||
| * **Audience URI (SP Entity ID)** | ||
|
|
||
| You can copy these values directly from your LocalStack SSO provider creation screen. | ||
|
|
||
| Example mapping: | ||
|
|
||
| | LocalStack name | Okta field name | | ||
| | ---------------------- | --------------------------- | | ||
| | Callback URL | Single sign-on URL | | ||
| | Identifier (Entity Id) | Audience URI (SP Entity ID) | | ||
|
|
||
|
|
||
| ### 2. Configure SAML Attribute Statements | ||
|
|
||
| LocalStack supports mapping the following user attributes: | ||
|
|
||
| * **email** | ||
| * **firstName** | ||
| * **lastName** | ||
|
|
||
| In Okta, add these under **Attribute Statements (optional)**: | ||
|
|
||
| | Name | Name format | Value | | ||
| | --------- | ----------- | ---------------- | | ||
| | email | Unspecified | `user.email` | | ||
| | firstName | Unspecified | `user.firstName` | | ||
| | lastName | Unspecified | `user.lastName` | | ||
|
|
||
| > **Note:** In some setups, Okta may not always populate `firstName` or `lastName` during signup. This is usually a configuration mismatch on the IdP side. Users can still manually enter these fields during signup if needed. | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| ### 3. Retrieve the Okta Metadata URL | ||
|
|
||
| Once the application is created, navigate to: | ||
|
|
||
| > **Applications → Sign On → SAML 2.0 → Metadata URL** | ||
|
|
||
| Copy this URL. | ||
|
|
||
|  | ||
|
|
||
| This URL should be used in the LocalStack UI under: | ||
|
|
||
| > **Metadata File → URL** | ||
|
|
||
| LocalStack will automatically import the SAML metadata and map the endpoints required for SSO. | ||
|
|
||
| ### 4. Configure LocalStack Identity Provider | ||
|
|
||
| In the LocalStack SSO configuration screen: | ||
|
|
||
| * Select **Provider type: SAML** | ||
| * Enter an **Identity provider name** (e.g., "Okta") | ||
| * Paste the **Metadata URL** from Okta | ||
| * Fill in attribute mappings: | ||
|
|
||
| | Your attributes (from Okta) | LocalStack attributes | | ||
| | --------------------------- | --------------------- | | ||
| | email | Email | | ||
| | firstName | First Name | | ||
| | lastName | Last Name | | ||
|
|
||
| Once completed, LocalStack will display: | ||
|
|
||
| * **Callback URL** | ||
| * **Identifier (Entity Id)** | ||
| * **Sign Up Portal URL** | ||
|
|
||
| These values are used in the Okta app configuration and for distributing the signup link to end-users. | ||
|
|
||
|  | ||
|
|
||
| ### 5. Assign Users to the Okta Application | ||
|
|
||
| Ensure that the correct users and groups have access to the Okta SAML app. Only assigned users will be able to authenticate into LocalStack via SSO. | ||
|
|
||
|
|
||
|
|
||
| ## SSO for JumpCloud | ||
|
|
||
| This example outlines the required configuration when using **JumpCloud** as a SAML Identity Provider for LocalStack. | ||
|
|
||
| ### 1. Create a Custom SAML Application | ||
|
|
||
| In the JumpCloud Admin Portal: | ||
|
|
||
| 1. Go to **SSO Applications → Add New Application** | ||
| 2. Select **Custom Application** | ||
| 3. Open **Manage Single Sign-On (SSO)** and choose **Configure SSO with SAML** | ||
|
|
||
|  | ||
|
|
||
|
|
||
| ### 2. Map Required Fields | ||
|
|
||
| Copy the fields from the LocalStack SSO configuration screen into the corresponding JumpCloud fields. | ||
|
|
||
| | JumpCloud field | LocalStack value | | ||
| | ----------------- | ---------------------- | | ||
| | **IdP Entity ID** | Identity provider name | | ||
| | **SP Entity ID** | Identifier (Entity Id) | | ||
| | **ACS URLs** | Callback URL | | ||
| | **Login URL** | Sign Up Portal | | ||
|
|
||
|  | ||
|
|
||
|
|
||
| ### 3. Attribute Mapping | ||
|
|
||
| Add the following user attributes: | ||
|
|
||
| | Service Provider Attribute | JumpCloud Attribute | | ||
| | -------------------------- | ------------------- | | ||
| | email | email | | ||
| | firstname | firstname | | ||
| | lastname | lastname | | ||
|
|
||
|
|
||
| ### 4. Required Options | ||
|
|
||
| Ensure the following options are enabled: | ||
|
|
||
| * **Declare Redirect Endpoint** | ||
| * **Include Group Attribute** with the name: | ||
|
|
||
| ``` | ||
| memberOf | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
|
|
||
| ### 5. Assign Users | ||
|
|
||
| Save the application and assign users or groups who should access LocalStack via SSO. | ||
|
|
||
|
|
||
|
|
||
| ## Attribute mapping | ||
|
Collaborator
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we still need this section, @lukqw? feels duplicate considering the new content? |
||
|
|
||
| These attributes can be defined to automatically map attributes of user entities in your internal IdP to user attributes in the LocalStack platform. | ||
|
|
||