Team Owners can require SSO logins for their team via a SAML 2.0 Identity Provider, such as Okta.
To configure SAML/Okta for use with Honeycomb, you will need a few settings from either side (to provide to the other).
Things you need from Honeycomb:
The Service Provider Issuer
The Service Provider ACS URL
Optional (if your Identity Provider is configured to encrypt SAML assertions): The Service Provider encryption cert
Things you need from your Identity Provider:
The Identity Provider’s Metadata URL
The Identity Provider Issuer
The Identity Provider Single Sign On (SSO) URL
Optional (if your Identity Provider is configured to require signed authentication requests): The Identity Provider signing certificate
If your Identity Provider supports it, you can use a Metadata URL, which is much more convenient.
Honeycomb will automatically fetch all the settings it needs, and you will not have to worry about keeping Honeycomb up-to-date.
The Honeycomb settings are in the SSO configuration UI, and will be team-specific.
Gather Settings in Honeycomb
Go to your Team Settings page in Honeycomb.
If your team is already configured to use Google SSO, you will have to turn that off first.
Otherwise, you can skip to step 2.
Click “Enable SSO” to bring up the configuration UI.
Select “Okta/SAML” and click “Next”.
This is where you will find the Service Provider Settings you will need for your Identity Provider.
If your Identity Provider does not support a metadata URL, click “Enter settings manually” and the URL entry will be replaced by separate entries for the settings Honeycomb needs.
If a “SAML Assertion” error appears after selecting Convert to SAML SSO Team, please verify the validity of both the Audience and Recipient fields within the Configuration Tab for SSO.
The Audience field should have the URL: https://ui.honeycomb.io/saml/<team_slug> while the Recipient field should have the URL: https://ui.honeycomb.io/auth/callback/saml/<team_slug>.
Configuring Okta as Your Identity Provider
If you are using Okta as your Identity Provider, here are the steps to configure support for Honeycomb on the Okta-side.
Open another browser tab/window (leave the Honeycomb settings up) onto your Okta dashboard
In the “Applications” tab, click “Add Application” then “Create App”.
In the resulting modal, select “Web” and “SAML 2.0”, then click “Create”.
On the next page (“General Settings”), enter a name for your application (this will show up in your application directory), and click “Next”.
On the next page (“SAML Settings”), fill in the general section.
NOTE: For the Okta field “Single Sign-on URL”: Copy and paste the value from the Honeycomb field “Service Provider ACS URL”.
For the Okta field “Audience URI (SP Entity ID)": Copy and paste the value from the Honeycomb field “Service Provider Issuer/Entity ID”
Still on the same page, scroll down to “Attribute Statements”, and add the following:
Click “Next” to go to the next page. There, select the following then click “Finish”.
You should land on the “Sign On” tab for your new application. This is where you will find the Metadata URL. Right click on “Identity Provider Metadata” and copy the url, then paste it somewhere for the time being.
Now you can assign users to your application.
Do this for at least your own user account now before switching to Honeycomb configuration.
Back to Honeycomb to Finish Configuring
Regardless of the Identity Provider you use, the final step involves switching back to Honeycomb.
Copy and paste the Identity Provider settings into the Honeycomb UI, then click “Convert to SAML SSO Team”.
That should take you through the SAML authentication flow (if using Okta, you will see an Okta animation.) and, if successful, the team should be converted over to SAML SSO.
You will then see a lock screen letting you know that the team now requires SSO, and asking you to link your account.
The next time members of your team try to access the team in Honeycomb, provided they have access to Honeycomb in the Identity Provider, they will be able to link their accounts and regain access to Honeycomb.