Login to Honeycomb using SAML/Okta | Honeycomb

Login to Honeycomb using SAML/Okta

This feature is available as part of the Honeycomb Pro and Enterprise plans.

Team Owners can require SSO logins for their team via a SAML 2.0 Identity Provider, such as Okta.

Prerequisites 

To configure SAML/Okta for use with Honeycomb, you will need to know a few settings from both Honeycomb and your Identity Provider.

Honeycomb Prerequisites 

You will need to know the following from Honeycomb:

  • The Service Provider Issuer
  • The Service Provider ACS URL
  • The Service Provider encryption cert - OPTIONAL - needed if your Identity Provider is configured to encrypt SAML assertions

Identity Provider Prerequisites 

You will need to know the following from your Identity Provider:

  • The Identity Provider’s Metadata URL

OR

  • The Identity Provider Issuer
  • The Identity Provider Single Sign On (SSO) URL
  • The Identity Provider signing certificate - OPTIONAL - needed if your Identity Provider is configured to require signed authentication requests

If your Identity Provider supports it, you can use a Metadata URL, which is much more convenient. Honeycomb will automatically fetch all the settings it needs, and you will not have to worry about keeping Honeycomb up-to-date.

The Honeycomb settings are in the SSO configuration UI, and will be team-specific.

Gather Settings in Honeycomb 

  1. Go to your Team Settings page in Honeycomb. If your team is already configured to use Google SSO, you will have to turn that off first. Otherwise, skip to step 2. Turn off SSO
  2. Click “Enable SSO” to bring up the configuration UI. Enable SSO
  3. Select “Okta/SAML” and click “Next”. Enable SSO
  4. This is where you will find the Service Provider Settings you will need for your Identity Provider. Gather Honeycomb settings

If your Identity Provider does not support a Metadata URL, click “Enter settings manually” and the URL entry will be replaced by separate entries for the settings Honeycomb needs.

If a “SAML Assertion” error appears after selecting Convert to SAML SSO Team, please verify the validity of both the Audience and Recipient fields within the Configuration Tab for SSO. The Audience field should have the URL: https://ui.honeycomb.io/saml/<team_slug> while the Recipient field should have the URL: https://ui.honeycomb.io/auth/callback/saml/<team_slug>.

Configure Okta as Your Identity Provider 

If using Okta as your Identity Provider, here are the steps to configure support for Honeycomb on the Okta-side:

  1. Open another browser tab/window (leave the Honeycomb settings up) onto your Okta dashboard
  2. In the “Applications” tab, click “Add Application” then “Create App”. Add an application Create an application
  3. In the resulting modal, select “Web” and “SAML 2.0”, then click “Create”. Choose SAML 2.0
  4. On the next page (“General Settings”), enter a name for your application (this will show up in your application directory), and click “Next”. Fill in General Settings
  5. On the next page (“SAML Settings”), fill in the general section. NOTE: For the Okta field “Single Sign-on URL”: Copy and paste the value from the Honeycomb field “Service Provider ACS URL”. For the Okta field “Audience URI (SP Entity ID)": Copy and paste the value from the Honeycomb field “Service Provider Issuer/Entity ID” Fill in SAML settings
  6. Still on the same page, scroll down to “Attribute Statements”, and add the following: Fill in attribute statements
  7. Click “Next” to go to the next page. There, select the following then click “Finish”. Choose customer or partner
  8. You should land on the “Sign On” tab for your new application. This is where you will find the Metadata URL. Right click on “Identity Provider Metadata” and copy the url, then paste it somewhere for the time being. Sign on tab

Now you can assign users to your application. Do this for at least your own user account now before switching to Honeycomb configuration.

Back to Honeycomb to Finish Configuring 

Regardless of the Identity Provider you use, the final step involves switching back to Honeycomb.

  1. Copy and paste the Identity Provider settings into the Honeycomb UI, then click “Convert to SAML SSO Team”.
  2. That should take you through the SAML authentication flow (if using Okta, you will see an Okta animation.) and, if successful, the team should be converted over to SAML SSO. You will then see a lock screen letting you know that the team now requires SSO, and asking you to link your account. The next time members of your team try to access the team in Honeycomb, provided they have access to Honeycomb in the Identity Provider, they will be able to link their accounts and regain access to Honeycomb. Requires-sso

Troubleshooting 

Users may encounter a message during log-in with instructions to link their accounts.

Image of Honeycomb login with message to login with e-mail and password first, then log in via SAML provider

This message appears when the user has an existing Honeycomb account associated with an e-mail and password, and their Team has configured SAML SSO authentication.

The user must authenticate with their existing Honeycomb account before attempting to use SSO sign-in within the same session.

Steps:

  1. Log into Honeycomb using the existing account’s e-mail and password Image of Honeycomb login screen with prompt for e-mail, password, and an additional SSO for Google button

  2. Then, use the link provided to you by your Identity Provider. The link needs to open in the same browser as the previous Honeycomb log-in.

User may need to clear their cache. If the above steps does not work, please try the same steps in a different browser or in the browser’s Incognito mode.

Did you find what you were looking for?