Okta Authentication for Humio

Okta Configuration

  1. Browse to the Admin Dashboard by clicking Admin on your main Okta page.

  2. Go to Applications by clicking Applications in the header.

  3. Click Add Application.

  4. Click Create New App.

  5. Choose Web as the Platform and select SAML 2.0 for the Sign on method.

  6. Name your application Humio and upload a logo for your login button.

    You can use a Humio logo or one you provide yourself.

    Click Next to continue.

  7. In the General area of the SAML Settings configuration:

    a. Set the Single sign on URL to http(s)://$YOUR_HUMIO_DOMAIN/api/v1/saml/acs. This is the endpoint Okta posts the signed SAML response to, so use https for anything other than a local test.

    b. Set the Audience URI (SP Entity ID) to http(s)://$YOUR_HUMIO_DOMAIN/api/v1/saml/metadata. Okta places this value in the assertion's Audience, so it must match exactly.

    c. Set the Name ID format field to EmailAddress.

    d. Set the Application username field to Email. Together with the previous setting, this makes the user's Okta email address the NameID that Humio receives and uses to identify the user.

  8. Your General SAML Settings should now show these four values.

  9. In the Group Attribute Statements area of the SAML Settings configuration, add a single attribute:

    a. Set the Name to role.

    b. Set the Name format to Basic.

    c. Set the Filter to Matches regex with the value .*.

    The attribute name is what Humio reads group names from, so it must match SAML_GROUP_MEMBERSHIP_ATTRIBUTE in the Humio configuration below. The filter .* makes Okta send every group the user belongs to; use a narrower regex if only Humio-related groups should be forwarded.

  10. Click Next.

  11. On the Feedback step:

    a. Choose I’m an Okta customer adding an internal app.

    b. Check This is an internal app that we have created.

  12. Click Finish.

  13. On the next page you should see the details view for the application you just created. On that page, click View Setup Instructions.

  14. The next page provides the three pieces of information you need to configure Humio: the Identity Provider Single Sign-On URL, the Identity Provider Issuer, and the X.509 Certificate. The certificate is Okta's signing certificate; Humio uses it to verify the signatures on the SAML responses Okta sends.

    Leave this page open for reference.

  15. Assign the application to the users or groups who should have access to Humio, following Okta's instructions. Only assigned users can sign in through Okta, and because Humio creates an account for anyone Okta authenticates (see AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN below), this assignment is the access gate.

  16. Okta is now configured to work with Humio, and all that's left is to configure Humio to work with Okta.
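To see what these Okta settings produce on the wire, here is an added example written for this page (it is not Okta's or Humio's code): a constructed SAML Response of the shape Okta issues when the NameID format is EmailAddress and a single role attribute carries the user's group names, plus a small Python parser that extracts the fields Humio consumes and cross-checks them against the values chosen in Steps 7, 9 and 14. The hostname humio.example.com, the issuer URL, the user and the group names are placeholders. The parser only inspects; it does not verify the XML signature, which Humio does with the IdP certificate, so never derive any access decision from an unverified parse like this.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# What Humio expects, taken from the Okta steps above. Hostname and issuer
# are placeholders for this example, not real values.
EXPECTED = {
    "acs_url": "https://humio.example.com/api/v1/saml/acs",            # Step 7a
    "sp_entity_id": "https://humio.example.com/api/v1/saml/metadata",  # Step 7b
    "idp_entity_id": "http://www.okta.com/EXAMPLE-ISSUER",             # Step 14
    "group_attribute": "role",                                         # Step 9
}

# Constructed sample response (not a real capture): the shape Okta produces
# for the settings above. The ds:Signature element is omitted entirely.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://humio.example.com/api/v1/saml/acs">
  <saml:Issuer>http://www.okta.com/EXAMPLE-ISSUER</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/EXAMPLE-ISSUER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://humio.example.com/api/v1/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Everyone</saml:AttributeValue>
        <saml:AttributeValue>humio-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def summarize_response(xml_text, expected):
    """Extract what Humio consumes from a SAML Response and list mismatches.

    Inspection only: the signature is NOT checked here, so the output must
    never be used to grant access; it is for comparing Okta's output with
    the Humio configuration.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == expected["group_attribute"]:
            groups += [v.text for v in attr.findall("saml:AttributeValue", NS)]

    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the Single sign on URL")
    if root.findtext("saml:Issuer", namespaces=NS) != expected["idp_entity_id"]:
        problems.append("Issuer does not match SAML_IDP_ENTITY_ID")
    if audience != expected["sp_entity_id"]:
        problems.append("Audience does not match the SP Entity ID")
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is missing or not in EmailAddress format")
    if not groups:
        problems.append(f"no '{expected['group_attribute']}' attribute; "
                        "check the Group Attribute Statement name")
    return {
        "name_id": name_id.text if name_id is not None else None,
        "groups": groups,
        "problems": problems,
    }


if __name__ == "__main__":
    print(summarize_response(SAMPLE_RESPONSE, EXPECTED))
```

Run it against a real response captured from your browser's SAML trace (with the base64 decoded) and an EXPECTED filled in from your own values; an empty problems list means the Okta side matches what Humio is configured to accept, and a non-empty groups list confirms the role attribute is actually being sent.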

Humio Configuration

  1. Add the following to your Humio config file:

    AUTHENTICATION_METHOD=saml
    SAML_IDP_SIGN_ON_URL=<Identity Provider Single Sign-On URL>
    SAML_IDP_ENTITY_ID=<Identity Provider Issuer>
    SAML_IDP_CERTIFICATE=<Path to location of Okta X.509 Certificate>
    SAML_GROUP_MEMBERSHIP_ATTRIBUTE=role
    AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN=true
    AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN=true
    

    Replace the portions wrapped in angle brackets above with the values on the page you saw in Step 14 under the Okta Configuration section.

    SAML_IDP_CERTIFICATE expects the filesystem path to the certificate from Step 14 on the machine running Humio (the file must be present on every Humio node), not the certificate text itself. Save it as PEM, exactly as Okta displays it, including the BEGIN/END CERTIFICATE lines. Humio uses it to verify the signature on Okta's SAML responses, so if Okta's signing certificate is ever rotated, the file must be updated on every node.

  2. Restart Humio

    a. Docker — replace the running containers with new ones (note that a simple stop/start will not work — the container must be replaced).

    b. Bare Metal — restart the Humio service (systemctl restart humio*).

  3. Browsing to your Humio domain should now redirect you to Okta for authentication. If you’re already logged in to Okta, it will authenticate you automatically and redirect you back to Humio.

  4. By default, users will only have access to a Sandbox repository. You can control what else they have access to using Role-Based Access Control (RBAC).

  5. Initially, no user is a Humio root user, so you’ll need to promote the very first one manually through the API, as described in the Humio API documentation.
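The settings in Step 1 can only be exercised by restarting Humio and attempting a login, so it is worth checking the file mechanically first. The following is an added example written for this page, not a Humio tool: it parses the KEY=VALUE settings, confirms the required SAML keys are present, that the Okta sign-on URL is https, that SAML_GROUP_MEMBERSHIP_ATTRIBUTE matches the attribute name chosen in Okta Step 9, and that SAML_IDP_CERTIFICATE is a path to a readable PEM file rather than the pasted certificate body. The config values and the Okta URLs in the demo are placeholders, and the certificate is a constructed five-byte DER stub that exercises the PEM checks but is not a real certificate.

```python
import base64
import os
import re
import tempfile
from urllib.parse import urlparse

REQUIRED = (
    "AUTHENTICATION_METHOD", "SAML_IDP_SIGN_ON_URL", "SAML_IDP_ENTITY_ID",
    "SAML_IDP_CERTIFICATE", "SAML_GROUP_MEMBERSHIP_ATTRIBUTE",
)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_env_config(text):
    """Parse KEY=VALUE lines as in the Humio config file; skip blanks and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_pem_certificate(pem_text):
    """Return problems with a certificate file as copied from Okta's setup page."""
    m = PEM_RE.search(pem_text)
    if not m:
        return ["no BEGIN/END CERTIFICATE markers; save the certificate as Okta shows it"]
    body = re.sub(r"\s+", "", m.group(1))   # tolerate CRLF and wrapped lines
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return ["certificate body is not valid base64"]
    if not der or der[0] != 0x30:           # an X.509 certificate is a DER SEQUENCE
        return ["decoded data is not a DER SEQUENCE; wrong file?"]
    return []


def preflight(cfg, okta_attribute_name="role"):
    """Cross-check Humio's SAML settings against the choices made in Okta."""
    problems = [f"{k} is missing or empty" for k in REQUIRED if not cfg.get(k)]
    if problems:
        return problems
    if cfg["AUTHENTICATION_METHOD"] != "saml":
        problems.append("AUTHENTICATION_METHOD must be saml")
    if urlparse(cfg["SAML_IDP_SIGN_ON_URL"]).scheme != "https":
        problems.append("SAML_IDP_SIGN_ON_URL must be the https URL shown by Okta")
    if cfg["SAML_GROUP_MEMBERSHIP_ATTRIBUTE"] != okta_attribute_name:
        problems.append("SAML_GROUP_MEMBERSHIP_ATTRIBUTE does not match the Okta attribute name")
    cert = cfg["SAML_IDP_CERTIFICATE"]
    if cert.startswith("-----BEGIN"):
        problems.append("SAML_IDP_CERTIFICATE must be a file path, not the certificate text")
    elif not os.path.isfile(cert):
        problems.append(f"certificate file {cert} not found on this node")
    else:
        with open(cert, encoding="utf-8") as fh:
            problems.extend(check_pem_certificate(fh.read()))
    return problems


def demo():
    """Run the checks on a constructed config with a stub certificate file."""
    fake_der = b"\x30\x03\x02\x01\x01"   # constructed DER SEQUENCE stub, not a real cert
    pem = ("-----BEGIN CERTIFICATE-----\r\n"
           + base64.b64encode(fake_der).decode() + "\r\n"
           "-----END CERTIFICATE-----\r\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "okta.pem")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(pem)
        good = parse_env_config(f"""
            AUTHENTICATION_METHOD=saml
            SAML_IDP_SIGN_ON_URL=https://example.okta.com/app/example/sso/saml
            SAML_IDP_ENTITY_ID=http://www.okta.com/EXAMPLE-ISSUER
            SAML_IDP_CERTIFICATE={path}
            SAML_GROUP_MEMBERSHIP_ATTRIBUTE=role
            AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN=true
            AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN=true
        """)
        # Two common mistakes: pasting the certificate body into the setting,
        # and naming the group attribute differently from the Okta side.
        bad = dict(good, SAML_IDP_CERTIFICATE=pem.strip(),
                   SAML_GROUP_MEMBERSHIP_ATTRIBUTE="groups")
        return preflight(good), preflight(bad)


if __name__ == "__main__":
    for label, problems in zip(("good", "bad"), demo()):
        print(label, problems or "ok")
```

To use it on a real node, read the actual config file into parse_env_config and run preflight on each node, since the certificate path must resolve on every one of them.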