Provision with Okta

This article describes how to provision users in Sumo Logic with Okta.

Prerequisites

Create an access key

Create an access key. (We recommend using a service account to create the access key.) This access key will provide authorization to provision users from Okta into Sumo Logic.

When you create the access key, copy its access ID and access key values. You will enter these when you set up provisioning to use one of the following authorization methods:

  • Basic authentication
    • Username: Access ID
    • Password: Access key
  • Bearer token
    Base64-encode <access ID>:<access key> and use the result as the token.

Set up SAML

If it is not already set up, set up SAML for single sign-on with Okta in the Sumo Logic instance where you will provision users. This will allow connection to Sumo Logic for provisioning. Copy the single sign-on URL (Assertion Consumer URL) and entity ID from your Sumo Logic SAML configuration. You will use them when you set up provisioning.

Configure provisioning with Okta

Step 1: Create the app

  1. Log in to Okta as an administrator.
  2. Navigate to Applications > Applications and click Create App Integration.
  3. Select SAML 2.0 and click Next.
  4. Provide a name in the App Name field and click Next.
  5. Enter the Single sign-on URL and Audience URI (SP Entity ID) for your Sumo Logic instance:
    Obtain the single sign-on URL (Assertion Consumer URL) and entity ID from the SAML configuration of the Sumo Logic tenant where you will provision users (see Prerequisites).
  6. Click Next and click Finish. The app displays in Okta.

Step 2: Set up provisioning

  1. Configure the general settings for the app:
    1. Click the General tab.
    2. Click Edit in the upper-right corner of the App Settings dialog for the app.
    3. For Provisioning, select SCIM.
    4. Click Save. A Provisioning tab appears for the app.
  2. Configure provisioning integration settings:
    1. Click the Provisioning tab.
    2. Click Integration in the left menu, and then click Edit.
    3. SCIM connector base URL. Enter the API endpoint for your deployment for the SCIM User Management APIs using the format <api-endpoint>/v1/scim/. For example, https://api.sumologic.com/api/v1/scim/.
    4. Unique identifier field for users. Enter userName.
    5. Supported provisioning actions. Select:
      • Import New Users and Profile Updates
      • Push New Users
      • Push Profile Updates
    6. Authentication Mode. Select one of these authentication methods and enter your Sumo Logic access key credentials (see Prerequisites):
      • Basic Auth. Basic authentication method. If you choose this method, enter your access key credentials in the fields that appear:
        • Username. Enter your access ID.
        • Password. Enter your access key.
      • HTTP Header. HTTP authorization header method. If you choose this option, use Base64 encoding to encode <access ID>:<access key> and enter the resulting value into the Authorization | Bearer Token field that appears.
    7. Click Test Connector Configuration. The results display:
    8. Click Close on the Test Connector Configuration dialog.
    9. Click Save to save the app provisioning integration settings.
  3. Configure provisioning To App settings:
    1. Click the Provisioning tab.
    2. Click To App in the left menu, and then click Edit.
    3. Select Enable on:
      • Create Users
      • Update User Attributes
      • Deactivate Users
    4. Click Save.
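
The connector values from the Prerequisites and the Authentication Mode step can be prepared and sanity-checked before they are pasted into Okta. The following is an added example, not Sumo Logic or Okta code; the function names are hypothetical, the header formats are the standard HTTP ones and are assumed to be what Okta sends, and the credentials are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit


def scim_base_url(api_endpoint: str) -> str:
    """Return <api-endpoint>/v1/scim/, refusing anything that is not HTTPS."""
    parts = urlsplit(api_endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("API endpoint must be an https:// URL")
    return api_endpoint.rstrip("/") + "/v1/scim/"


def encode_credentials(access_id: str, access_key: str) -> str:
    """Base64-encode <access ID>:<access key> for the Bearer Token field."""
    if not access_id or not access_key:
        raise ValueError("access ID and access key are both required")
    if ":" in access_id:
        raise ValueError("access ID must not contain ':' (it is the separator)")
    pair = f"{access_id}:{access_key}".encode("utf-8")
    return base64.b64encode(pair).decode("ascii")


def authorization_header(mode: str, access_id: str, access_key: str) -> str:
    """Header value each Authentication Mode produces (assumed wire format)."""
    schemes = {"basic": "Basic", "bearer": "Bearer"}
    if mode not in schemes:
        raise ValueError(f"unknown mode: {mode!r}")
    return f"{schemes[mode]} {encode_credentials(access_id, access_key)}"


def decode_credentials(token: str) -> tuple[str, str]:
    """Reverse the encoding: whoever holds the token holds the access key."""
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    access_id, sep, access_key = raw.partition(":")
    if not sep:
        raise ValueError("token does not decode to <access ID>:<access key>")
    return access_id, access_key


if __name__ == "__main__":
    # Constructed placeholder credentials, not real Sumo Logic values.
    print(scim_base_url("https://api.sumologic.com/api"))
    print(authorization_header("bearer", "EXAMPLE_ID", "EXAMPLE_KEY"))
```

Both modes carry the same Base64 string, and `decode_credentials` shows it is only an encoding: store the token with the same care as the access key itself.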

Step 3: Set up roles

  1. Add the Roles attribute to the default Okta user profile:
    1. Navigate to Directory > Profile Editor and select Okta User (default).
    2. In the Profile Editor, click Add Attribute.
    3. Fill out the Add Attribute dialog:
      1. Data type. Select string.
      2. Display name. Enter Roles.
      3. Variable name. Enter roles.
      4. For Enum select Define enumerated list of values and enter the following:
        Display name     Value
        User             user
        Administrator    administrator
        Analyst          analyst
      5. User permission. Select Read-Write.
      6. Click Save.
  2. Add the Roles attribute to the provisioning app user profile:
    1. Navigate to Directory > Profile Editor and select the user for the app you created in Step 1.
    2. In the Profile Editor, click Add Attribute.
    3. Fill out the Add Attribute dialog:
      1. Data type. Select string.
      2. Display name. Enter Roles.
      3. Variable name. Enter roles.
      4. External name. Enter roles.^[primary==true].value.
      5. External namespace. Enter urn:ietf:params:scim:schemas:core:2.0:User.
      6. For Enum select Define enumerated list of values and enter the same roles you added to the Okta user above:
        Display name     Value
        User             user
        Administrator    administrator
        Analyst          analyst
      7. Attribute type. Select Group.
      8. Click Save.
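
The external name roles.^[primary==true].value selects the value of the first roles entry flagged primary in a SCIM core User resource. The following added example (not Okta or Sumo Logic code) builds such a resource in the RFC 7643 shape, resolves the expression, and reviews a batch of users for missing, out-of-enum, or administrator roles. The payload shape is an assumption rather than a captured request, the function names are hypothetical, and the sample users are constructed.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ALLOWED_ROLES = {"user", "administrator", "analyst"}  # enum values from Step 3


def build_scim_user(user_name, given_name, family_name, email, role):
    """SCIM core User carrying only the attributes this page keeps mapped."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "roles": [{"value": role, "primary": True}],
    }


def primary_value(resource, attribute):
    """Resolve <attribute>.^[primary==true].value: first entry flagged primary."""
    for entry in resource.get(attribute) or []:
        if isinstance(entry, dict) and entry.get("primary") is True:
            return entry.get("value")
    return None


def audit_roles(resources):
    """Return (userName, finding) pairs worth a reviewer's attention."""
    findings = []
    for res in resources:
        name, role = res.get("userName"), primary_value(res, "roles")
        if role is None:
            findings.append((name, "no primary role"))
        elif role not in ALLOWED_ROLES:
            findings.append((name, f"role {role!r} is not in the enum"))
        elif role == "administrator":
            findings.append((name, "administrator granted through provisioning"))
    return findings


# Constructed sample users; the addresses use the reserved example.com domain.
SAMPLE_USERS = [
    build_scim_user("ana@example.com", "Ana", "Lee", "ana@example.com", "analyst"),
    build_scim_user("root@example.com", "Ro", "Ot", "root@example.com", "administrator"),
    build_scim_user("typo@example.com", "Ty", "Po", "typo@example.com", "Analyst"),
    {"schemas": [SCIM_USER_SCHEMA], "userName": "bare@example.com",
     "roles": [{"value": "user", "primary": False}]},
]

if __name__ == "__main__":
    for user_name, finding in audit_roles(SAMPLE_USERS):
        print(f"{user_name}: {finding}")
```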

Step 4: Set up attribute mappings

  1. Navigate to Applications > Applications and select the app you created in Step 1.
  2. Edit the attributes pushed from Okta to the provisioning app.
    1. Select To App.
    2. Select the Provisioning tab and scroll down to the <App Name> Attribute Mappings section.
    3. Delete all the attributes except:
      • Username
      • Given name
      • Family name
      • Email
  3. Edit attributes that will be pushed from the provisioning app to Okta.
    1. Select To Okta.
    2. Select the Provisioning tab and scroll down to the Okta Attribute Mappings section.
    3. Delete all the attributes except:
      • User name
      • First name
      • Last name
      • Primary email
  4. Edit the attributes in the app profile.
    1. Navigate to Directory > Profile Editor and select the user for the app you created in Step 1.
    2. Delete all the attributes except:
      • User name
      • Given name
      • Family name
      • Primary email
      • Roles

Step 5: Assign the app to people

  1. Select the app's Assignments tab.
  2. Select Assign > Assign to people.
  3. Select a user and click Assign.
  4. Select a role for the user.
  5. Click Save and go back.
  6. Continue to assign users. When finished, click Done.
  7. The assigned users are displayed in the Assignments tab.

Step 6: Verify provisioning

As soon as users are assigned to the app, they are provisioned into Sumo Logic.

  1. Verify in Okta:
    1. Navigate to Reports > System Log to see the log.
    2. The log should show that users you added to the app are pushed to Sumo Logic with an event info message like Push new user to external application SUCCESS.
  2. Verify in Sumo Logic:
    1. Log in to the Sumo Logic instance that you linked to the provisioning app in Step 2 when you provided the Assertion Consumer URL and entity ID.
    2. Classic UI. In the main Sumo Logic menu, select Administration > Users and Roles > Users.
      New UI. In the top menu select Administration, and then under Users and Roles select Users. You can also click the Go To... menu at the top of the screen and select Users.
    3. Search for the users provisioned from Okta.
    4. You should see the users listed, with the role given to them when you assigned them to the app in Okta.

Syncing between Okta and Sumo Logic

When you modify the name, email, or role of a user assigned to the app in Okta, the changes will be synced to the corresponding user in Sumo Logic.

If you unassign a user from the app in Okta, the corresponding user is deactivated in Sumo Logic. (If you later try to reassign that same user to the app, it will result in an error in Sumo Logic. You must delete the old user from Sumo Logic first so that the user can be provisioned once again from Okta.)

Copyright © 2025 by Sumo Logic, Inc.