Login to Honeycomb using SAML/Okta

Team Owners can require SSO logins for their team via a SAML 2.0 Identity Provider, such as Okta.

To configure SAML/Okta for use with Honeycomb, you’ll need a few settings from either side (to provide to the other).

Things you need from Honeycomb:

  1. The Service Provider Issuer
  2. The Service Provider ACS URL
  3. Optional (if your Identity Provider is configured to encrypt SAML assertions): The Service Provider encryption cert

Things you need from your Identity Provider:

  1. The Identity Provider's Metadata URL

OR

  1. The Identity Provider Issuer
  2. The Identity Provider Single-Signon URL
  3. Optional (if your Identity Provider is configured to require signed authentication requests): The Identity Provider signing cert

If your Identity Provider supports it, you can use a Metadata URL, which is much more convenient. Honeycomb will automatically fetch all the settings it needs, and you won’t have to worry about keeping Honeycomb up-to-date.
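The following Python is an added example, not Honeycomb's or Okta's code. It shows how a SAML 2.0 metadata document carries the three manual settings listed above (`entityID` is the Issuer, the `SingleSignOnService` `Location` is the Single Sign-On URL, and a signing `KeyDescriptor` holds the signing cert) and checks them before they are trusted. The function names, the `idp.example.test` host and the certificate placeholder are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: host and certificate body are placeholders, not real values.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate> UExBQ0VIT0xERVI= </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.test/saml/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings(metadata_xml):
    """Map IdP metadata onto the three manually entered settings."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not carry a DTD")  # SAML metadata never needs one
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not a single-entity IdP metadata document")
    sso = idp.find("md:SingleSignOnService", NS)
    certs = ["".join(c.text.split())               # drop PEM-style line wrapping
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")  # an omitted 'use' covers signing too
             for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
    return {"issuer": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "signing_certs": certs}


def review(settings):
    """Return findings to resolve before pasting the values into an SSO form."""
    findings = []
    if not settings["issuer"]:
        findings.append("no entityID (Identity Provider Issuer)")
    url = urlparse(settings["sso_url"] or "")
    if url.scheme != "https" or not url.hostname:
        findings.append("Single Sign-On URL is missing or not https")
    return findings
```

Running `review(idp_settings(xml_text))` on the document saved from your Identity Provider's metadata link returns an empty list when the Issuer is present and the Single Sign-On URL is an `https` endpoint.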

The Honeycomb settings are in the SSO configuration UI, and will be team-specific.

Gather settings in Honeycomb

  1. Go to your Team Settings page in Honeycomb. If your team is already configured to use Google SSO, you’ll have to turn that off first. Otherwise, you can skip to step 2.
  2. Click “Enable SSO” to bring up the configuration UI.
  3. Select “Okta/SAML” and click “Next”.
  4. This is where you’ll find the Service Provider Settings you’ll need for your Identity Provider.

If your Identity Provider doesn’t support a metadata URL, click “Enter settings manually” and the URL entry will be replaced by separate entries for the settings Honeycomb needs.

Configuring Okta as your Identity Provider

If you’re using Okta as your Identity Provider, here are the steps to configure support for Honeycomb on the Okta side.

  1. Open another browser tab or window onto your Okta dashboard (leave the Honeycomb settings open).
  2. In the “Applications” tab, click “Add Application”, then “Create App”.
  3. In the resulting modal, select “Web” and “SAML 2.0”, then click “Create”.
  4. On the next page (“General Settings”), enter a name for your application (this will show up in your application directory), and click “Next”.
  5. On the next page (“SAML Settings”), fill in the general section:
     • For the Okta field “Single Sign-on URL”: Copy and paste the value from the Honeycomb field “Service Provider ACS URL”.
     • For the Okta field “Audience URI (SP Entity ID)”: Copy and paste the value from the Honeycomb field “Service Provider Issuer/Entity ID”.
  6. Still on the same page, scroll down to “Attribute Statements”, and add the following: [screenshot: fill in attribute statements]
  7. Click “Next” to go to the next page. There, select the following, then click “Finish”: [screenshot: choose customer or partner]
  8. You should land on the “Sign On” tab for your new application. This is where you’ll find the Metadata URL. Right-click on “Identity Provider Metadata” and copy the URL, then paste it somewhere for the time being.

Now you can assign users to your application. Do this for at least your own user account now before switching to Honeycomb configuration.

Back to Honeycomb to finish configuring

Regardless of the Identity Provider you use, the final step involves switching back to Honeycomb.

  1. Copy and paste the Identity Provider settings into the Honeycomb UI, then click “Convert to SAML SSO Team”.
  2. That should take you through the SAML authentication flow (if using Okta, you’ll see an Okta animation) and, if successful, the team should be converted over to SAML SSO. You will then see a lock screen letting you know that the team now requires SSO and asking you to link your account. The next time members of your team try to access the team in Honeycomb, provided they have access to Honeycomb in the Identity Provider, they will be able to link their accounts and regain access to Honeycomb.