In Honeycomb, Team Owners can require that their team members authenticate using Single Sign-On (SSO) via an external SAML 2.0 Identity Provider, such as Okta.
When you configure SSO via an external SAML Identity Provider, you must get information generated during the configuration process from both Honeycomb and your Identity Provider. Because you will also need to enter information into both Honeycomb and your Identity Provider’s user interface, you will need to use more than one browser tab.
To successfully complete this guide, you should have an active Okta account.
To begin, enable SSO in Honeycomb, which will allow you to get Honeycomb’s Service Provider settings:
In Honeycomb, navigate to Account > Team Settings, and select the Team Details view.
Locate the Single Sign-On section, which displays any previous SSO configuration.
If your team is already configured to use Google SSO, turn off Google SSO.
Select Enable SSO.
In the SSO provider configuration modal, select SAML/Okta, then select Next.
Locate the settings required by your Identity Provider. You will need:
Leave this browser tab open, so you will have the information you need to configure your Identity Provider later.
Honeycomb generates a unique identifier based on your team name. You will see the identifier appended to the values in the Service Provider Issuer and Service Provider ACS URL fields.
For this example, the team name is “Crewbacca”, so the team’s generated identifier is crewbacca
.
Next, configure your Identity Provider to work with Honeycomb. To do this, you must set up SSO for an application integration in your Identity Provider, and then specify which users should be able to use SSO to log in to your team in Honeycomb.
Set up SSO in your Identity Provider using the Service Provider settings you retrieved from Honeycomb:
Open a new browser tab, and go to your Okta admin console.
In Okta, go to Applications > Applications, and select Create App Integration.
In the sign-in method modal, select SAML 2.0, then select Next.
For General Settings, locate App Name and enter a name for your application, such as in the format Honeycomb [Your Team Name]
, then select Next.
Because you can have multiple Honeycomb teams connected to SSO and separate SSO configurations for each Honeycomb team, be sure the application name you choose clearly defines which team uses this SSO integration. The application name will appear in your application directory after installation.
For this example, our team name is “Crewbacca”, so we name our application Honeycomb Crewbacca
.
For Configure SAML, locate the SAML Settings section, and enter your retrieved Honeycomb setting values according to the following mapping:
Okta Field | Honeycomb Setting Name |
---|---|
Single sign-on URL | Service Provider ACS URL |
Audience URI (SP Entity ID) | Service Provider Issuer/Entity ID |
Locate the Attribute Statements section, and add the following exact values, then select Next:
Email
attribute, enter user.email
–not the actual email address of the user.Name | Name format | Value |
---|---|---|
FirstName |
Unspecified |
user.firstName |
LastName |
Unspecified |
user.lastName |
Email |
Unspecified |
user.email |
For Feedback, select the following values, then select Finish:
Field | Value |
---|---|
Are you a customer or a partner? | I'm an Okta customer adding an internal app |
Contact app vendor | It's required to contact the vendor to enable SAML |
From the application’s SSO settings, locate and copy the Metadata URL. You will need this information to configure Honeycomb.
Although most modern SAML Identity Providers, like Okta, provide a Metadata URL, not all do. If your Identity Provider does not provide a Metadata URL, you must locate the required information to configure Honeycomb. Information you need includes:
Assign users to the Honeycomb application in your Identity Provider:
Finally, configure SSO in Honeycomb using the Identity Provider settings you retrieved from your Identity Provider.
Some Identity Providers, like Okta, provide a metadata URL, which allows Honeycomb to fetch the settings it needs and update them automatically. Other SAML Identity Providers may not provide metadata URLs. If your Identity Provider does not provide a metadata URL, you must configure Honeycomb manually and maintain its configuration settings.
If your Identity Provider provided a metadata URL, like Okta does, automatically configure SSO in Honeycomb:
If your Identity Provider does not provide a metadata URL, you must configure Honeycomb manually with the information that you located from your Identity Provider:
Switch to the browser tab that contains your Honeycomb Service Provider settings, and select Enter settings manually. Notice that the Identity Provider Metadata URL field has been replaced by separate fields corresponding to the settings that Honeycomb requires.
Enter the retrieved Identity Provider setting values:
Select Convert to SAML SSO Team.
https://ui.honeycomb.io/saml/<team-identifier>
, while the Recipient field should contain: https://ui.honeycomb.io/auth/callback/saml/<team-identifier>
.You should see the SAML authentication flow begin. If you configured Okta as your Identity Provider, you see an Okta animation. If successful, your team should now be able to use SAML SSO to authenticate.
After establishing configuration for Okta / SAML SSO, view instructions on How to log in to Honeycomb using SAML SSO.
To explore common issues when configuring access, visit Common Issues with Configuring Honeycomb: SAML SSO.