Configure SSO with Okta

This section explains how to configure Web Console Single Sign-On using your Okta SAML app.

The Okta admin UI changes periodically, and the official Okta SAML 2.0 setup documentation is found here:
https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm


Create SAML App in Okta

  1. Log in to the Okta Admin Portal.

  2. In the top-right corner, click Admin.

  3. Click the Applications tab.

  4. Click Add Application.

  5. In the top-right corner, click Create New App.
    The Create New Application Integration window appears. Enter the following parameters:

    Name                Setting
    Platform            Web
    Sign on method      SAML 2.0


  6. Click Create.
    The Create SAML Integration page appears.

  7. In the General Settings tab, enter your App Name (for example, LogRhythm Web Console - LRXM01 or LogRhythm WC - Boulder).

  8. Click Next.

  9. In the General section of the Configure SAML tab, enter the following parameters:

    Single sign on URL
      https://<FQDN_or_Hostname_or_IP_of_WebConsole>:8443/saml
      Example Single sign on URLs:
        https://lrwebconsole-denver.companyxyz.com:8443/saml
        https://lrwebconsole-denver:8443/saml
        https://10.51.19.217:8443/saml
      If your Web Console uses a port other than the default of 8443, enter your customized port number instead of 8443. For more information, see LogRhythm Web UI.
      Check boxes:
        Name                                              Checked/Not checked
        Use this for Recipient URL and Destination URL    Checked
        Allow this app to request other SSO URLs          Not checked

    Audience URI (SP Entity ID)
      https://<FQDN_or_Hostname_or_IP_of_WebConsole>
      Example Audience URIs:
        https://lrwebconsole-denver.companyxyz.com
        https://lrwebconsole-denver
        https://10.51.19.217

    Default Relay State
      Leave blank

    Name ID format
      EmailAddress

    Application username
      Email

  10. In the Attribute Statements section of the Configure SAML tab, enter the following parameters:

    Name          Name format     Value
    firstName     Unspecified     user.firstName
    lastName      Unspecified     user.lastName


  11. In the Group Attribute Statements section of the Configure SAML tab, do not enter any values:

    Name            Name format     Filter
    Leave blank     Leave blank     Leave blank


  12. Click Next.

  13. In the Feedback tab, select the following statements:

    Are you a customer or partner?    I'm an Okta customer adding an internal app
    App type                          This is an internal app that we have created

  14. Click Finish.

  15. On the Application page for the app you just created, click the Assignments tab.
    Use the People or Groups filters to locate and select the user(s) or groups you want to have access to the Web Console SSO app.
    Click Assign.

  16. Your Okta SSO app configuration is now complete.


Gather IdP SSO Configuration Data

  1. Log in to the Okta Admin Portal.

  2. In the top-right corner, click Admin.

  3. Click the Applications tab.

  4. Choose the SAML app you have created for LogRhythm SSO.

  5. Click the Sign On tab.

  6. Under Sign On Methods, click View Setup Instructions.

  7. Copy the values in the "Identity Provider Single Sign-On URL" and "X.509 Certificate" fields, and paste the values to a temporary location.

    You can ignore the Optional IdP Metadata section.



Enable Single-Sign On in the LogRhythm Web Console (Admins Only)

  1. Log in to the Web Console with an administrator account or with an account that has "SSO Management (Web Console)" and "Manage User Profiles" permissions.

  2. In the upper-right corner, click the Administration drop-down icon, then click Single Sign-On.
    The Single Sign-On Configuration menu appears.

  3. Click the Single Sign-On Enabled button. The menu expands to reveal configuration fields.

  4. Enter the following parameters:

    If you want to choose a User Profile that is specific to newly-created SSO users, consider creating the desired User Profile in the SIEM before this step.


    Name                                   Example Format
    Web Console Callback URL               https://<FQDN_or_Hostname_or_IP_of_WebConsole>:8443/saml
    Web Console Identifier (Entity ID)     https://<FQDN_or_Hostname_or_IP_of_WebConsole>
    IdP Entry Point                        Identity Provider Single Sign-On URL copied from Okta.
    IdP Certificate                        X.509 Certificate copied from Okta.
    Default User Profile                   The User Profile to be assigned via User Auto-Provisioning to new SSO users.


    If you do not see all of the expected User Profiles in the drop-down menu, contact your SIEM administrator to make sure they have enabled your Manage User Profiles and Single Sign-On Management (Web Console) permissions.


  5. Click Save.

    While saving, your Web Console will temporarily disconnect and you will see either Reconnecting or Disconnected status in the upper-right corner.

    Refresh your browser if prompted to do so.

  6. After your Web Console refreshes and the status shows Connected, your SSO for the Web Console is enabled.

  7. In the upper-right corner, click the User drop-down icon, and then click Logout.
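The Okta settings in "Create SAML App in Okta" (Single sign on URL with "Use this for Recipient URL and Destination URL" checked, Audience URI, EmailAddress Name ID, firstName/lastName attributes) and the matching Web Console fields in "Enable Single-Sign On" must agree exactly, or the Web Console will reject the assertion. The following added consistency check is example code, not LogRhythm's or Okta's; it derives the expected values from the Web Console host and port and compares them against a constructed sample SAML Response (no signature, not captured from a real tenant).

```python
import xml.etree.ElementTree as ET

# Namespaces used by a SAML 2.0 Response from Okta.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def expected_sp_values(host, port=8443):
    """Values the procedure above has you enter in Okta, derived from the Web Console host/port."""
    return {"acs_url": f"https://{host}:{port}/saml",  # Single sign on URL = Web Console Callback URL
            "entity_id": f"https://{host}"}            # Audience URI = Web Console Identifier

def check_response(xml_text, expected):
    """Return a list of mismatches between a SAML Response and the expected SP values (empty = consistent)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination != Single sign on URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion"]
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("Recipient != Single sign on URL")
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != expected["entity_id"]:
        problems.append("Audience != SP Entity ID")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FMT:
        problems.append("NameID Format is not EmailAddress")
    for attr in ("firstName", "lastName"):  # attribute statements from step 10
        if a.find(f"saml:AttributeStatement/saml:Attribute[@Name='{attr}']", NS) is None:
            problems.append(f"missing attribute statement {attr}")
    return problems

# Constructed sample response for the Denver example host above; signature omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://lrwebconsole-denver.companyxyz.com:8443/saml">
 <saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@companyxyz.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://lrwebconsole-denver.companyxyz.com:8443/saml"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://lrwebconsole-denver.companyxyz.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE, expected_sp_values("lrwebconsole-denver.companyxyz.com"))` returns an empty list; changing the port or host in `expected_sp_values` shows which Okta fields would have to change with it.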