Configure SAML single sign-on with Okta
Assign the ExtraHop system to Okta groups
We assume that you already have users and groups configured in Okta. If you do not, refer to the Okta
documentation to add new users and groups.
1. From the Directory menu, select Groups.
2. Click the group name.
3. Click Manage Apps.
4. Locate the name of the application you configured for the ExtraHop system and click Assign.
5. Click Done.
Add identity provider information on the ExtraHop system
1. Return to the Administration settings on the ExtraHop system. Close the Service Provider metadata
window if it is still open, and then click Add Identity Provider.
2. Type a unique name in the Provider Name field. This name appears on the ExtraHop system login page.
3. From Okta, copy the Identity Provider Single Sign-On URL and paste into the SSO URL field on the
ExtraHop system.
4. From Okta, copy the Identity Provider Issuer URL and paste into the Entity ID field on the ExtraHop
system.
5. From Okta, copy the X.509 certificate and paste into the Public Certificate field on the ExtraHop
system.
6. Choose one of the following options for provisioning users:
• Select Auto-provision users to create a new remote SAML user account on the ExtraHop system
when the user first logs in.
• Clear the Auto-provision users checkbox and manually configure new remote users through the
ExtraHop Administration settings or REST API. Access and privilege levels are determined by the
user configuration in Okta.
7. The Enable this identity provider option is selected by default and allows users to log in to the
ExtraHop system. To prevent users from logging in, clear the checkbox.
8. Configure user privilege attributes. You must configure the following set of user attributes before users
can log in to the ExtraHop system through an identity provider. Values are user-definable; however,
they must match the attribute names that are included in the SAML response from your identity
provider. Values are not case sensitive and can include spaces. For more information about privilege
levels, see Users and user groups.
Important: You must specify the attribute name and configure at least one attribute value
other than No access to enable users to log in.
In the examples below, the Attribute Name field is the group attribute configured when creating the
ExtraHop application on the identity provider and the Attribute Values are the names of your user
groups. If a user is a member of more than one group, the user is granted the most permissive access
privilege.
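The following is an added example, not ExtraHop's or Okta's own code, that shows two checks a practitioner can run before and after filling in the form above: it pulls the three values steps 3 through 5 ask for (Entity ID, SSO URL, public certificate) out of an identity provider's SAML metadata document, and it evaluates a group attribute from a SAML assertion against a configured attribute mapping using the rules in step 8 (attribute name must match, values match case-insensitively, the most permissive level wins). The XML namespaces are the standard SAML 2.0 ones; the metadata, assertion, attribute name "groups", group names, and every privilege level name other than "No access" are constructed placeholders for this example.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces (not ExtraHop-specific).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample IdP metadata; entityID, URL and certificate body are placeholders.
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLEISSUERID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC...PLACEHOLDER...CERT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/EXAMPLEAPPID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample AttributeStatement; the attribute name "groups" and the
# group names are assumptions for this example.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Network Viewers</saml:AttributeValue>
      <saml:AttributeValue>Security Operations</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Privilege levels ordered from least to most permissive. "No access" is the level
# named on the page; the other names are placeholders for the system's real levels.
PRIVILEGE_ORDER = [
    "No access",
    "Read-only (placeholder)",
    "Full write (placeholder)",
    "Unlimited (placeholder)",
]


def extract_idp_settings(metadata_xml: str) -> dict:
    """Map the IdP metadata onto the three ExtraHop form fields from steps 3-5."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(
        "md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", NS
    )
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    return {
        "Entity ID": root.get("entityID"),            # Identity Provider Issuer
        "SSO URL": sso.get("Location"),               # Identity Provider Single Sign-On URL
        "Public Certificate": "".join(cert.text.split()),  # base64 body, whitespace removed
    }


def assertion_attribute_values(assertion_xml: str, attribute_name: str) -> list:
    """Return every value of the named attribute in the assertion (name matched exactly)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def _normalize(value: str) -> str:
    # Attribute values are matched case-insensitively; spaces inside them are kept.
    return value.strip().casefold()


def effective_privilege(group_values: list, mapping: dict) -> str:
    """Pick the most permissive level whose configured values include one of the user's groups.

    mapping: privilege level -> list of attribute values configured for that level.
    A user whose groups match nothing is treated as "No access" (assumption).
    """
    lookup = {_normalize(v): level for level, vals in mapping.items() for v in vals}
    matched = [lookup[_normalize(g)] for g in group_values if _normalize(g) in lookup]
    if not matched:
        return "No access"
    return max(matched, key=PRIVILEGE_ORDER.index)


if __name__ == "__main__":
    for field, value in extract_idp_settings(IDP_METADATA).items():
        print(f"{field}: {value}")
    example_mapping = {
        "Read-only (placeholder)": ["network viewers"],
        "Full write (placeholder)": ["Security Operations"],
    }
    groups = assertion_attribute_values(ASSERTION, "groups")
    print("groups:", groups, "->", effective_privilege(groups, example_mapping))
```

Running the first function against your real IdP metadata is a quick way to confirm that what you paste into Entity ID, SSO URL and Public Certificate are the signing certificate and POST-binding URL rather than, say, the encryption key or the redirect endpoint; the second pair of functions lets you check, from a captured SAML response, which privilege a given user would land on before enabling the identity provider.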