SSO with Okta
With Cyral, you can authenticate database users against your Okta identity provider. Optionally, Cyral can read each user's group memberships in Okta to set the user's data privileges and/or Cyral administrative role. This integration uses Okta as a SAML identity provider (IdP).
In this tutorial, we provide two options for setting up an Okta instance to authenticate database users and Cyral administrators: Terraform or manual configuration.
If you are a Terraform user, you can use our Cyral IdP integration module for Okta to set up both the Okta environment and the Cyral control plane and get the integration up and running in a few minutes using a single terraform apply command.
If you don't use Terraform, you can follow the steps in this section.
In Cyral management console, create a SAML integration
Create a new SAML integration: Log in to your Cyral control plane UI, navigate to the Integrations section, find the SAML integration tile, and click Configure.
Create a new SAML connection:
Specify a Display Name. This display name is used to identify the IdP to the user when they log in.
In the Attribute Names in SAML Assertion section, accept the default name for each required SAML attribute (first name, last name, email, SSO groups).
Enable IdP-initiated login checkbox: When you add any IdP integration in Cyral, your users can log in using the Cyral Access Portal. If selected, this checkbox gives your users a second way to log in: from your IdP portal.
- Set IdP-initiated login to ON to give users the added option of logging in from your IdP-based portal (for example, an Okta portal).
  Tip: Enabling IdP-initiated login requires a second ACS URL in your SAML app. For details, see SP-initiated and IdP-initiated login.
- Set IdP-initiated login to OFF to disable IdP-initiated login. Do this if IdP-initiated login is not supported by your IdP, or if you don't want to let users log in from your IdP portal.
Click Continue.
On the next screen, download the SP metadata file. You'll need this in the next step to set up your IdP. You are free to close the page. Your SAML Integration will save as a draft, and you will be able to return to it at a later time to finish entering the required configuration values.
In Okta, create an app to represent Cyral
Go to https://login.okta.com/ and log in to your account as an Administrator.
Click on the Admin button on the top right side of the screen.
Go to Applications → Applications and click Create App Integration.
Choose SAML 2.0 as the sign on method, and click Next.
Give the app an App name (for example, "Cyral"), add the Cyral logo as the App logo, and click Next.
On the Configure SAML section, you will need to configure the SAML URLs for the Okta App. Copy the following URLs to Okta from the SP Metadata obtained in the previous section:
- Single sign on URL: Copy the AssertionConsumerService URL set as default from the SP metadata and paste it into the Okta App field Single sign on URL. The URL has the following format:
  https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default/broker/$IDP_INTEGRATION_ID/endpoint/clients/$IDP_INTEGRATION_ID-client
  Info: The placeholders used in the URL formats above are:
  - $CYRAL_CONTROL_PLANE_DOMAIN is the domain for your Cyral control plane.
  - $IDP_INTEGRATION_ID is a unique alias that identifies the SAML integration, configured in the Cyral management console.
- Audience URI (SP Entity ID): Copy the Entity ID from the SP metadata and paste it into the Okta App field Audience URI (SP Entity ID). The URL has the following format:
  https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default
- Other Requestable SSO URLs: Under the advanced settings tab, add Other Requestable SSO URLs. Copy the AssertionConsumerService URLs and their indexes into Okta. The two AssertionConsumerService URLs should have the respective formats:
  https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default/broker/$IDP_INTEGRATION_ID/endpoint/clients/$IDP_INTEGRATION_ID-client
  https://$CYRAL_CONTROL_PLANE_DOMAIN/auth/realms/default/broker/$IDP_INTEGRATION_ID/endpoint
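The SP metadata file is standard SAML 2.0 metadata, so the three Okta field values above can be read out of it mechanically instead of copied by hand. The script below is an added example and is not part of the Cyral documentation or product. The metadata it parses is a constructed sample in the shape of a generic SP descriptor, with cyral.example.com and okta_example standing in for $CYRAL_CONTROL_PLANE_DOMAIN and $IDP_INTEGRATION_ID. Besides extracting the values, it runs two checks a reviewer would want before pasting: every ACS URL uses HTTPS and sits on the same host as the Entity ID, and the SP declares WantAssertionsSigned.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample SP metadata (not a real Cyral download). cyral.example.com
# and okta_example are placeholders for $CYRAL_CONTROL_PLANE_DOMAIN and
# $IDP_INTEGRATION_ID.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cyral.example.com/auth/realms/default">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cyral.example.com/auth/realms/default/broker/okta_example/endpoint/clients/okta_example-client"
        index="0" isDefault="true"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cyral.example.com/auth/realms/default/broker/okta_example/endpoint"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the values for the Okta app's SAML fields plus any sanity problems.

    Raises ValueError when the document is not service-provider metadata.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not a SAML 2.0 EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    acs = []
    for el in sp.findall("md:AssertionConsumerService", NS):
        index = el.get("index")  # required by the SAML metadata schema
        if index is None:
            raise ValueError("AssertionConsumerService without an index attribute")
        acs.append({
            "index": int(index),
            "url": el.get("Location"),
            "binding": el.get("Binding"),
            "is_default": el.get("isDefault", "false").lower() == "true",
        })
    if not acs:
        raise ValueError("SP metadata lists no AssertionConsumerService")
    acs.sort(key=lambda a: a["index"])
    # SAML metadata rule: the ACS flagged isDefault="true" is the default;
    # when none is flagged, the first listed one is.
    default = next((a for a in acs if a["is_default"]), acs[0])

    # Checks worth making before pasting into Okta: each ACS URL should use
    # HTTPS and sit on the control plane host named by the Entity ID, and the
    # SP should insist on signed assertions.
    problems = []
    expected_host = urlparse(entity_id).netloc
    for a in acs:
        u = urlparse(a["url"])
        if u.scheme != "https":
            problems.append("ACS %d is not https: %s" % (a["index"], a["url"]))
        if u.netloc != expected_host:
            problems.append("ACS %d host %s differs from Entity ID host %s"
                            % (a["index"], u.netloc, expected_host))
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("SP does not set WantAssertionsSigned=true")

    return {
        "single_sign_on_url": default["url"],      # Okta: Single sign on URL
        "audience_uri": entity_id,                 # Okta: Audience URI (SP Entity ID)
        "other_requestable_sso_urls": [(a["index"], a["url"]) for a in acs],
        "problems": problems,
    }


if __name__ == "__main__":
    for field, value in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print("%s: %s" % (field, value))
```

Run it with python3 against the metadata file you downloaded (replace SAMPLE_SP_METADATA with the file's contents) and compare the printed values with what you enter in Okta; the problems list should be empty. If your download carries no isDefault flag on any ACS element, the script falls back to the SAML rule that the first listed ACS is the default.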
Map the Attribute Statements to specify which user data attributes will be sent to Cyral. For each of the following attributes, set the Name format to Unspecified.
- First Name: This is required. Enter firstName as the Name of the Attribute Statement, and user.firstName as the value.
- Last Name: This is required. Enter lastName as the Name of the Attribute Statement, and user.lastName as the value.
- Email: This is required. Enter email as the Name of the Attribute Statement, and user.email as the value.

Name        Name Format    Value
email       Unspecified    user.email
firstName   Unspecified    user.firstName
lastName    Unspecified    user.lastName

In the Group Attribute Statements section, specify the groups information that Okta will share with Cyral. Set the name of the groups attribute statement to memberOf. In the filter, specify a regex that matches the groups you'll use. For example, if you wish to send group information for the groups named "Mathematicians" and "Scientists," set the filter to Matches regex with the value (Scientists)|(Mathematicians). If you want to send all groups, use the regex .* instead. Click Next once you've specified the needed groups.

Name        Name Format    Value
memberOf    Unspecified    Matches regex: .*

On the next page, we suggest selecting the options:
- I’m an Okta customer adding an internal app
- This is an internal app that we have created
Click Finish and you'll be redirected to the page of your newly created Okta App.
On the Sign On section of your Okta App, go to the SAML Signing Certificates and locate an Active certificate. Then, click on the Actions button and click on View IdP metadata, as shown in the screenshot below.
A new page will be opened with the SAML metadata. Copy the URL of this page and use it to finish the integration configuration in the Cyral management console.
Add users and groups to the Okta app
In Okta, you must assign groups, users, or both to the Okta app that represents Cyral. Single sign-on via the Cyral/Okta integration is only available to users who are registered in this way, either individually or as a member of a registered group.
Go to Applications → Applications and click on the Okta app that represents Cyral.
In the app page, go to the Assignments section, click the Assign button and do one or both of the following:
- Click on Assign to People and select the users who can sign on via Cyral.
- Click on Assign to Groups and select the groups whose members can sign on via Cyral.
Save the assignments by clicking Done. This completes your SSO setup in Okta.
In Cyral management console, complete the SAML integration
In this final step, you will supply the IdP Metadata from Okta to the Cyral management console.
Return to your SAML integration in the Cyral management console. Enter the IdP Metadata URL you retrieved from Okta.
Click Save.
Your SAML Integration is complete.
Next step
See Set up SSO authentication for users for the steps to activate SSO authentication on each repository that will use it.