1. Docs
2. SAML/Okta SSO

Log In to Honeycomb using SAML/Okta SSO

Table of Contents

In Honeycomb, Team Owners can require that their team members authenticate using Single Sign-On (SSO) via an external SAML 2.0 Identity Provider, such as Okta.

When you configure SSO via an external SAML Identity Provider, you must get information generated during the configuration process from both Honeycomb and your Identity Provider. Because you will also need to enter information into both Honeycomb and your Identity Provider’s user interface, you will need to use more than one browser tab.

Before You Begin 

To successfully complete this guide, you should have an active Okta account.

Enable SSO in Honeycomb 

To begin, enable SSO in Honeycomb, which will allow you to get Honeycomb’s Service Provider settings:

1. In Honeycomb, navigate to Account > Team Settings, and select the Team Details view.

2. Locate the Single Sign-On section, which displays any previous SSO configuration.

3. If your team is already configured to use Google SSO, turn off Google SSO.

4. Select Enable SSO.

5. In the SSO provider configuration modal, select SAML/Okta, then select Next.

6. Locate the settings required by your Identity Provider. Information you will need includes:

   • Service Provider Issuer
   • Service Provider ACS URL
   • Service Provider Certificate (optional, used when your Identity Provider requires encrypted SAML assertions or signed authentication requests)

   Leave this browser tab open, so you will have the information you need to configure your Identity Provider.

   
   Note

   Honeycomb generates a unique identifier based on your team name. You will see the identifier appended to the values in the Service Provider Issuer and Service Provider ACS URL fields. For this example, the team name is Crewbacca, so the team’s generated identifier is crewbacca.

Configure Your Identity Provider 

Next, configure your Identity Provider to work with Honeycomb. To do this, you must set up SSO for an application integration in your Identity Provider, and then specify which users should be able to use SSO to log in to your team in Honeycomb.

Set Up SSO 

Set up SSO in your Identity Provider using the Service Provider settings you retrieved from Honeycomb:

1. Open a new browser tab, and go to your Okta admin console.

2. In Okta, go to Applications > Applications, and select Create App Integration.

3. In the sign-in method modal, select SAML 2.0, then select Next.

4. For General Settings, locate App Name and enter a name for your application, such as in the format Honeycomb [Your Team Name], then select Next.

   Tip

   Because you can have multiple Honeycomb teams connected to SSO and separate SSO configurations for each Honeycomb team, be sure the application name you choose clearly defines which team uses this SSO integration. The application name will appear in your application directory after installation.

   For this example, our team name is Crewbacca, so we name our application Honeycomb Crewbacca.

5. For Configure SAML, locate the SAML Settings section, and enter your retrieved Honeycomb setting values according to the following mapping:

   Okta Field	Honeycomb Setting Name
   Single sign-on URL	Service Provider ACS URL
   Audience URI (SP Entity ID)	Service Provider Issuer/Entity ID

   

6. Locate the Attribute Statements section, and add the following exact values, then select Next:

   Name	Name format	Value
   FirstName	Unspecified	user.firstName
   LastName	Unspecified	user.lastName
   Email	Unspecified	user.email

   

7. For Feedback, select the following values, then select Finish:

   Field	Value
   Are you a customer or a partner?	I'm an Okta customer adding an internal app
   Contact app vendor	It's required to contact the vendor to enable SAML

8. From the application’s SSO settings, locate and copy the Metadata URL. You will need this information to configure Honeycomb.

   Note

   Although most modern SAML Identity Providers, like Okta, provide a Metadata URL, not all do. If your Identity Provider does not provide a Metadata URL, you must locate the required information to configure Honeycomb. Information you need includes:

   • Identity Provider Issuer
   • Identity Provider SSO URL
   • Identity Provider Certificate (optional, used when your Identity Provider requires signed authentication requests)

Assign Users 

Assign users to the Honeycomb application in your Identity Provider:

1. Go to your new application, and select the Assignments view.
2. Select Assign > Assign to People or Assign to Groups, depending on whether you want to allow individual users or specific groups to log in to your team in Honeycomb.
3. In the group assignment modal, search for and select Assign next to the individual users or specific groups you want to allow to log in to your team in Honeycomb using SSO, then select Done. Remember to assign your own account to the application.
4. Confirm that the Assignments view reflects your selections.

Configure Honeycomb 

Finally, configure SSO in Honeycomb using the Identity Provider settings you retrieved from your Identity Provider.

Some Identity Providers, like Okta, provide a metadata URL, which allows Honeycomb to fetch the settings it needs and update them automatically. Other SAML Identity Providers may not provide metadata URLs. If your Identity Provider does not provide a metadata URL, you must configure Honeycomb manually and maintain its configuration settings.

You should see the SAML authentication flow begin. If you configured Okta as your Identity Provider, you see an Okta animation. If successful, your team should now be able to use SAML SSO to authenticate.

Link Your Honeycomb Accounts 

Once you have successfully converted your team to SAML SSO, users who already had a Honeycomb account with email address/password as credentials receive a lock screen that asks them to link their accounts. If you have an existing Honeycomb account with these credentials, you must link your old account to your new one. To do this, authenticate with your existing Honeycomb account before attempting to log in with SSO within the same session:

1. Log in to Honeycomb using your existing account’s email and password.
2. In the same browser, go to the SSO URL provided by your Identity Provider.

When other members of your team who had an existing Honeycomb account with email address/password as credentials try to access your team in Honeycomb, they will also receive a lock screen that asks them to link their accounts. As long as you assigned them to the Honeycomb application integration in your Identity Provider, they will be able to link their accounts and regain access to Honeycomb.

Troubleshooting 

You receive a SAML Assertion error when converting to a SAML SSO team in Honeycomb 

If a “SAML Assertion” error appears, verify that your SSO Identity Provider Audience and Recipient fields match your Honeycomb team settings SSO Service Provider Issuer/Entity ID and Service Provider ACS URL fields. The Audience field should contain: https://ui.honeycomb.io/saml/<team-identifier>, while the Recipient field should contain: https://ui.honeycomb.io/auth/callback/saml/<team-identifier>.

Team members encounter a message instructing them to link their accounts 

When logging in to Honeycomb, users may encounter a message containing instructions to link their accounts:

This message appears when the user’s team has configured SAML SSO authentication and the user already has a Honeycomb account associated with email address/password as credentials.

To solve this issue, the user must link their Honeycomb accounts. To do this, they must authenticate with their existing Honeycomb account before attempting to use SSO to sign in, all within the same session:

1. Log in to Honeycomb using the existing account’s email and password.
2. In the same browser, go to the SSO URL provided by your Identity Provider.

Did you find what you were looking for?

Yes No

---

If you have questions, join our Pollinators Community Slack!
Pro/Enterprise users can visit Honeycomb Support or email support@honeycomb.io.

Submit