Team Owners can require SSO logins for their team via a SAML 2.0 Identity Provider, such as Okta.
Prerequisites
To configure SAML/Okta for use with Honeycomb, you will need to know a few settings from both Honeycomb and your Identity Provider.
Honeycomb Prerequisites
You will need to know the following from Honeycomb:
The Service Provider Issuer
The Service Provider ACS URL
The Service Provider encryption cert - OPTIONAL - needed if your Identity Provider is configured to encrypt SAML assertions
Identity Provider Prerequisites
You will need to know the following from your Identity Provider:
The Identity Provider’s Metadata URL
OR
The Identity Provider Issuer
The Identity Provider Single Sign On (SSO) URL
The Identity Provider signing certificate - OPTIONAL - needed if your Identity Provider is configured to require signed authentication requests
If your Identity Provider supports it, you can use a Metadata URL, which is much more convenient.
Honeycomb will automatically fetch all the settings it needs, and you will not have to worry about keeping Honeycomb up-to-date.
The Honeycomb settings are in the SSO configuration UI, and will be team-specific.
Gather Settings in Honeycomb
Go to your Team Settings page in Honeycomb.
If your team is already configured to use Google SSO, you will have to turn that off first.
Otherwise, skip to step 2.
Click “Enable SSO” to bring up the configuration UI.
Select “Okta/SAML” and click “Next”.
This is where you will find the Service Provider Settings you will need for your Identity Provider.
If your Identity Provider does not support a Metadata URL, click “Enter settings manually” and the URL entry will be replaced by separate entries for the settings Honeycomb needs.
If a “SAML Assertion” error appears after selecting Convert to SAML SSO Team, please verify the validity of both the Audience and Recipient fields within the Configuration Tab for SSO.
The Audience field should have the URL: https://ui.honeycomb.io/saml/<team_slug> while the Recipient field should have the URL: https://ui.honeycomb.io/auth/callback/saml/<team_slug>.
Configure Okta as Your Identity Provider
If using Okta as your Identity Provider, here are the steps to configure support for Honeycomb on the Okta-side:
Open another browser tab/window (leave the Honeycomb settings up) onto your Okta dashboard
In the “Applications” tab, click “Add Application” then “Create App”.
In the resulting modal, select “Web” and “SAML 2.0”, then click “Create”.
On the next page (“General Settings”), enter a name for your application (this will show up in your application directory), and click “Next”.
On the next page (“SAML Settings”), fill in the general section.
NOTE: For the Okta field “Single Sign-on URL”: Copy and paste the value from the Honeycomb field “Service Provider ACS URL”.
For the Okta field “Audience URI (SP Entity ID)": Copy and paste the value from the Honeycomb field “Service Provider Issuer/Entity ID”
Still on the same page, scroll down to “Attribute Statements”, and add the following:
Click “Next” to go to the next page. There, select the following then click “Finish”.
You should land on the “Sign On” tab for your new application. This is where you will find the Metadata URL. Right click on “Identity Provider Metadata” and copy the url, then paste it somewhere for the time being.
Now you can assign users to your application.
Do this for at least your own user account now before switching to Honeycomb configuration.
Back to Honeycomb to Finish Configuring
Regardless of the Identity Provider you use, the final step involves switching back to Honeycomb.
Copy and paste the Identity Provider settings into the Honeycomb UI, then click “Convert to SAML SSO Team”.
That should take you through the SAML authentication flow (if using Okta, you will see an Okta animation.) and, if successful, the team should be converted over to SAML SSO.
You will then see a lock screen letting you know that the team now requires SSO, and asking you to link your account.
The next time members of your team try to access the team in Honeycomb, provided they have access to Honeycomb in the Identity Provider, they will be able to link their accounts and regain access to Honeycomb.
Troubleshooting
Link Existing Honeycomb Account to SSO
Users may encounter a message during log-in with instructions to link their accounts.
This message appears when the user has an existing Honeycomb account associated with an e-mail and password, and their Team has configured SAML SSO authentication.
The user must authenticate with their existing Honeycomb account before attempting to use SSO sign-in within the same session.
Steps:
Log into Honeycomb using the existing account’s e-mail and password
Then, use the link provided to you by your Identity Provider.
The link needs to open in the same browser as the previous Honeycomb log-in.
User may need to clear their cache.
If the above steps does not work, please try the same steps in a different browser or in the browser’s Incognito mode.