Provision with Okta

This article describes how to provision users in Sumo Logic with Okta.

Prerequisites

Create an access key

Create an access key. (We recommend using a service account to create the access key.) This access key will provide authorization to provision users from Okta into Sumo Logic.

When you create the access key, copy its access ID and access key values. You will enter these when you set up provisioning to use one of the following authorization methods:

Basic authentication
- Username: Access ID
- Password: Access key
Bearer token
Use Base64 encoding to Base64 encode <access ID>:<access key>.

Set up SAML

If it is not already set up, set up SAML for single sign-on with Okta in the Sumo Logic instance where you will provision users. This will allow connection to Sumo Logic for provisioning. Copy the single sign-on URL (Assertion Consumer URL) and entity ID from your Sumo Logic SAML configuration. You will use them when you set up provisioning.

Configure provisioning with Okta

Step 1: Create the app

Login to Okta as an administrator.
Navigate to Applications > Applications and click Create App Integration.
Select SAML 2.0 and click Next.
Provide a name in the App Name field and click Next.
Enter the Single sign-on URL and Audience URI (SP Entity ID) for your Sumo Logic instance:

Obtain the single sign-on URL (Assertion Consumer URL) and entity ID from the SAML configuration of the Sumo Logic tenant where you will provision users (see Prerequisites).
Click Next and click Finish. The app displays in Okta.

Step 2: Set up provisioning

Configure the general settings for the app:
1. Click the General tab.
2. Click Edit in the upper-right corner of the App Settings dialog for the app.
3. For Provisioning, select SCIM.
4. Click Save. A Provisioning tab appears for the app.
Configure provisioning integration settings:
1. Click the Provisioning tab.
2. Click Integration in the left menu, and then click Edit.
3. SCIM connector base URL. Enter the API endpoint for your deployment for the SCIM User Management APIs using the format <api-endpoint>/v1/scim/. For example, https://api.sumologic.com/api/v1/scim/.
4. Unique identifier field for users. Enter userName.
5. Supported provisioning actions. Select:
  - Import New Users and Profile Updates
  - Push New Users
  - Push Profile Updates
6. Authentication Mode. Select one of these authentication methods and enter your Sumo Logic access key credentials (see Prerequisites):
  - Basic Auth. Basic authentication method. If you choose this method, enter your access key credentials in the fields that appear:
    - Username. Enter your access ID.
    - Password. Enter your access key.
  - HTTP Header. HTTP authorization header method. If you choose this option, use Base64 encoding to encode <access ID>:<access key> and enter the resulting value into the Authorization | Bearer Token field that appears.
7. Click Test Connector Configuration. The results display:
8. Click Close on the Test Connector Configuration dialog.
9. Click Save to save the app provisioning integration settings.
Configure provisioning To App settings:
1. Click the Provisioning tab.
2. Click To App in the left menu, and then click Edit.
3. Select Enable on:
  - Create Users
  - Update User Attributes
  - Deactivate Users
4. Click Save.

Step 3: Set up roles

Add the Roles attribute to the default Okta user profile:
1. Navigate to Directory > Profile Editor and select Okta User (default).
2. In the Profile Editor, click Add Attribute.
3. Fill out the Add Attribute dialog:
  1. Data type. Select string.
  2. Display name. Enter Roles.
  3. Variable name. Enter roles.
  4. For Enum select Define enumerated list of values and enter the following:
    Display name Value
    User user
    Administrator administrator
    Analyst analyst
  5. User permission. Select Read-Write.
  6. Click Save.
Add the Roles attribute to the provisioning app user profile:
1. Navigate to Directory > Profile Editor and select the user for the app you created in Step 1.
2. In the Profile Editor, click Add Attribute.
Fill out the Add Attribute dialog:
1. Data type. Select string.
2. Display name. Enter Roles.
3. Variable name. Enter roles.
4. External name. Enter roles.^[primary==true].value.
5. External namespace. Enter urn:ietf:params:scim:schemas:core:2.0:User.
6. For Enum select Define enumerated list of values and enter the same roles you added to the Okta user above:
  Display name Value
  User user
  Administrator administrator
  Analyst analyst
7. Attribute type. Select Group.
8. Click Save.

Display name	Value
`User`	`user`
`Administrator`	`administrator`
`Analyst`	`analyst`

Display name	Value
`User`	`user`
`Administrator`	`administrator`
`Analyst`	`analyst`

Step 4: Set up attribute mappings

Navigate to Applications > Applications and select the app you created in Step 1.
Edit the attributes pushed from Okta to the provisioning app.
1. Select To App.
2. Select the Provisioning tab and scroll down to the <App Name> Attribute Mappings section.
3. Delete all the attributes except:
  - Username
  - Given name
  - Family name
  - Email
Edit attributes that will be pushed from the provisioning app to Okta.
1. Select To Okta.
2. Select the Provisioning tab and scroll down to the Okta Attribute Mappings section.
3. Delete all the attributes except:
  - User name
  - First name
  - Last name
  - Primary email
Edit the attributes in the app profile.
1. Navigate to Directory > Profile Editor and select the user for the app you created in Step 1.
2. Delete all the attributes except:
  - User name
  - Given name
  - Family name
  - Primary email
  - Roles

Step 5: Assign the app to people

Select the app's Assignments tab.
Select Assign > Assign to people.
Select a user and click Assign.
Select a role for the user.
Click Save and go back.
Continue to assign users. When finished, click click Done.
The assigned users are displayed in the Assignments tab.

Step 6: Verify provisioning

As soon as users are assigned to the app, they are provisioned into Sumo Logic.

Verify in Okta:
1. Navigate to Reports > System Log to see the log.
2. The log should show that users you added to the app are pushed to Sumo Logic with an event info message like Push new user to external application SUCCESS.
Verify in Sumo Logic:
1. Log in to the Sumo Logic instance that you linked to the provisioning app in Step 2 when you provided the Assertion Consumer URL and entity ID.
2. Classic UI. In the main Sumo Logic menu, select Administration > Users and Roles > Users.
  New UI. In the top menu select Administration, and then under Users and Roles select Users. You can also click the Go To... menu at the top of the screen and select Users.
3. Search for the users provisioned from Okta.
4. You should see the users listed, and with the role given to when you assigned them to the app in Okta.

Syncing between Okta and Sumo Logic

When you modify the name, email, or role of a user assigned the app in Okta, the changes will be synced to the corresponding user in Sumo Logic.

If you unassign a user from the app in Okta, the corresponding user is deactivated in Sumo Logic. (If you later try to reassign that same user to the app, it will result in an error in Sumo Logic. You must delete the old user from Sumo Logic first so that the user can be provisioned once again from Okta.)

Prerequisites​

Create an access key​

Set up SAML​

Configure provisioning with Okta​

Step 1: Create the app​

Step 2: Set up provisioning​

Step 3: Set up roles​

Step 4: Set up attribute mappings​

Step 5: Assign the app to people​

Step 6: Verify provisioning​

Syncing between Okta and Sumo Logic​