Login to Honeycomb using SAML/Okta
Team Owners can require SSO logins for their team via a SAML 2.0 Identity Provider, such as Okta.
To configure SAML/Okta for use with Honeycomb, you’ll need a few settings from either side (to provide to the other).
Things you need from Honeycomb:
- The Service Provider Issuer
- The Service Provider ACS URL
- Optional (if your Identity Provider is configured to encrypt SAML assertions): The Service Provider encryption cert
Things you need from your Identity Provider:
- The Identity Provider's Metadata URL
- The Identity Provider Issuer
- The Identity Provider Single-Signon URL
- Optional (if your Identity Provider is configured to require signed authentication requests): The Identity Provider signing cert
If your Identity Provider supports it, you can use a Metadata URL, which is much more convenient. Honeycomb will automatically fetch all the settings it needs, and you won’t have to worry about keeping Honeycomb up-to-date.
The Honeycomb settings are in the SSO configuration UI, and will be team-specific.
Gather settings in Honeycomb 🔗
- Go to your Team Settings page in Honeycomb. If your team is already configured to use Google SSO, you'll have to turn that off first. Otherwise, you can skip to step 2.
- Click “Enable SSO” to bring up the configuration UI.
- Select “Okta/SAML” and click "Next".
- This is where you'll find the Service Provider Settings you'll need for your Identity Provider.
If your Identity Provider doesn’t support a metadata URL, click “Enter settings manually” and the URL entry will be replaced by separate entries for the settings Honeycomb needs.
If a “SAML Assertion” error appears after selecting Convert to SAML SSO Team, please verify the validity of both the Audience and Recipient fields within the Configuration Tab for SSO. The Audience field should have the URL:
https://ui.honeycomb.io/saml/<team_slug> while the Recipient field should have the URL:
Configuring Okta as your Identity Provider 🔗
If you’re using Okta as your Identity Provider, here are the steps to configure support for Honeycomb on the Okta-side.
- Open another browser tab/window (leave the Honeycomb settings up) onto your Okta dashboard
- In the "Applications" tab, click "Add Application" then "Create App".
- In the resulting modal, select "Web" and "SAML 2.0", then click "Create".
- On the next page (“General Settings”), enter a name for your application (this will show up in your application directory), and click "Next".
- On the next page (“SAML Settings”), fill in the general section.
- For the Okta field "Single Sign-on URL": Copy and paste the value from the Honeycomb field "Service Provider ACS URL".
- For the Okta field "Audience URI (SP Entity ID)": Copy and paste the value from the Honeycomb field "Service Provider Issuer/Entity ID"
- Still on the same page, scroll down to “Attribute Statements”, and add the following:
- Click “Next” to go to the next page. There, select the following then click “Finish”.
- You should land on the “Sign On” tab for your new application. This is where you'll find the Metadata URL. Right click on "Identity Provider Metadata" and copy the url, then paste it somewhere for the time being.
Now you can assign users to your application. Do this for at least your own user account now before switching to Honeycomb configuration.
Back to Honeycomb to finish configuring 🔗
Regardless of the Identity Provider you use, the final step involves switching back to Honeycomb.
- Copy and paste the Identity Provider settings into the Honeycomb UI, then click "Convert to SAML SSO Team".
- That should take you through the SAML authentication flow (if using Okta, you'll see an Okta animation.) and, if successful, the team should be converted over to SAML SSO. You will then see a lock screen letting you know that the team now requires SSO, and asking you to link your account. The next time members of your team try to access the team in Honeycomb, provided they have access to Honeycomb in the Identity Provider, they will be able to link their accounts and regain access to Honeycomb.