Link your Identity Provider - Okta

Learn how to integrate your company's Okta implementation for federated login access into Stax.


Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Okta is a cloud identity platform that works well with Stax.

This guidance assumes your AWS accounts are Stax-managed. If you only have the Cost & Compliance module, review this article instead.

Before You Begin

  • Estimated time to complete: 1 hour
  • Ensure you are a member of the Admin role in your Stax tenancy
  • You need permissions to administer the Okta environment

Prepare the SAML URIs

First, you'll need to determine some URIs. If you're not sure how to get these, simply raise a case in the Stax Console and we'll help you out.

Your <customer-alias> is the value you enter at the Stax Console login page, shown here. Below, it is mega-corp.

Customer Alias

Your <installation-id> can be found by reviewing the URL of the login page after you enter your customer alias, as shown here. It's between your customer alias and in the URL. Below, it is au1.

Installation ID

Once you've determined your <customer-alias> and <installation-id>, you can form the URIs required for SAML setup:

Prepare the Okta Groups

Stax has four roles: admin, Cost & Compliance admin, user, and readonly. You can use Okta to specify these roles at login time. To do this, create and populate four groups, one per role. You can create these groups in your on-premises directory or natively within Okta.

In the examples below, we'll use the following four group names:

  • Stax Admins
  • Stax Cost & Compliance Admins
  • Stax Users
  • Stax Read Only Users

See Stax Roles - Stax Permissions for more information on Stax roles.

Configure Okta

Once you've prepared the URIs and Okta groups, you can configure Okta.

  1. Log in to the Okta Admin console. Choose Applications from the top nav bar to open the Applications page

  2. Click Add Application then Create New App to open the Create a New Application Integration dialog. Select Web in the Platform drop-down list, and SAML 2.0 as the Sign on method, then click Create

    Create a New Application Integration
  3. On the General Settings page, give the app a name such as Stax, then click Next

    General Settings
  4. On the Configure SAML page, complete the SAML configuration for the new application:

    Single sign on URL: The SAML 2.0 Service URL you determined earlier
    Use this for Recipient URL and Destination URL: Checked
    Allow this app to request other SSO URLs: Unchecked
    Audience URI (SP Entity ID): The entity ID you determined earlier
    Default RelayState: (blank)
    Name ID format: Persistent
    Application username: Email
    Update application username on: Create and update

    Attribute Statements
    (1) Name: emailaddress
    (1) Name format: Unspecified
    (2) Name: firstName
    (2) Name format: Unspecified
    (2) Value: user.firstName
    (3) Name: lastName
    (3) Name format: Unspecified
    (3) Value: user.lastName

    SAML Settings
  5. Click Next to open the Feedback page, complete it if you wish, then click Finish

  6. Next, you need to configure Okta to send the user's Stax Role across to Stax. From the top nav bar's Directory menu, choose Profile Editor to open the Profile Editor page.

    SAML Settings
  7. Choose Profile next to Stax User to edit the profile settings for the new application

    User Profile
  8. On the Profile Editor page, under Attributes, choose + Add Attribute to open the Add Attribute dialog

    Add Attribute
  9. Enter the following values to create the JumaRole attribute:

    Data type: string
    Display Name: Stax Role
    Variable Name: JumaRole
    Description: Role to send to Stax

    Attribute members
    (1) Display Name: Admin
    (1) Value: customer_admin
    (2) Display Name: Cost & Compliance Admin
    (2) Value: customer_costadmin
    (3) Display Name: User
    (3) Value: customer_user
    (4) Display Name: Read Only
    (4) Value: customer_readonly

    Attribute length: Between
    Attribute required: Yes

    Choose Save to complete adding the attribute

    JumaRole attribute
  10. Next, you need to assign the role to your four user groups. From the top nav bar, on the Applications menu, open Applications and choose Stax from the list. Choose the Assignments tab. Click Assign and then Assign to Groups to open the Assign Stax to Groups dialog

    JumaRole attribute
  11. Find the four Stax groups you created in the list. Next to each, click Assign and choose the appropriate level of permissions for the group

    Assign Stax to Groups
    Assign Role to Group

    Once you have assigned all the appropriate group/role relationships, choose Done to close the dialog

  12. Finally, download your Okta metadata to provide to us. To get this, from the Applications menu, choose Applications. Open the Stax application configuration and choose the Sign On tab. Click the Identity Provider metadata link to download the metadata file and save it for later

    Download IdP Metadata

Configure Stax to allow Okta Sign-In

When you're ready to have Stax configured, you simply need to supply us with your Okta metadata, and we'll do the rest for you.

How Do You Know This Worked?

Next time you navigate to your Stax Console login page, on the top, you'll see a new Continue with Corporate ID button. Clicking this button will take you to your Okta sign-in page. Log in on the Okta page and you'll be signed into your Stax tenancy.

Choose Your Login Provider

See also