Configuring Okta SSO

You can configure Stellar Cyber to use Okta SSO either for Authentication only, or for both Authentication and Authorization:

  1. Add Stellar Cyber as a New Application in Okta

  2. Add Attributes for Assigned Users

  3. Assign Okta Users to Authenticate

  4. Activate Multifactor Authentication (MFA)

  5. Configure SSO Authentication in Stellar Cyber

Add Stellar Cyber as a New Application in Okta

To add Stellar Cyber as a new application in Okta:

  1. Log in to Okta and select Applications | Applications.

    The Applications page appears.

    Screen capture of the Applications page in the Okta UI

  2. Select Create App Integration.

    The Create a new app integration wizard appears.

  3. On the Sign-in method page, select SAML 2.0 and then select Next.

    Screen capture of "Create a new app integration" in the Okta UI

  4. On the General Settings tab on the Create SAML Integration page, enter an App name, optionally upload a logo, and then select Next.

    Screen capture of the "General Settings" tab in the Okta UI

  5. On the SAML Settings tab, enter the same value for the Single sign on URL and the Audience URI (SP Entity ID).

    • A global SSO configuration for an on-premises deployment: 

      • https://your.stellar.cyber.address/saml/login/callback

    • A tenant-specific SSO configuration for an on-premises deployment:

      • https://your.stellar.cyber.address/saml/login/callback/cust_id/<tenant-id>

  6. If you are configuring SSO for the whole server, you can enter the following Name/Value pairs. You will use these as attributes later. This configuration does not apply to a tenant-specific SSO configuration.

    Custom Attribute Name: stellar_scope
      Source Attribute*: appuser.stellar_scope
      Values (set later): root, partner, or tenant
      Global SSO: Required for Authorization
      Tenant-specific SSO: Not applicable

    Custom Attribute Name: stellar_privilege
      Source Attribute*: appuser.stellar_privilege
      Values (set later): super_admin, platform_admin, security_admin, or user
      Global SSO: Required for Authorization
      Tenant-specific SSO: Not applicable

    Custom Attribute Name: stellar_tenant
      Source Attribute*: appuser.stellar_tenant
      Values (set later): ID number for a configured tenant
      Global SSO: (Optional) Specify an individual tenant ID, not the tenant name. The ID is available on the Tenants List page.
      Tenant-specific SSO: Not applicable

    Custom Attribute Name: stellar_tenant_group
      Source Attribute*: appuser.stellar_tenant_group
      Values (set later): ID number for any configured tenant group
      Global SSO: (Optional) Specify a tenant group ID, not the group name. This is typically used by MSSP users with the Partner role. The Tenant Group ID is displayed on the Tenant Groups page.
      Tenant-specific SSO: Not applicable

    • Values in these fields are case sensitive and syntax matters. Use the exact indicated syntax and verify there aren't any typos.

    • If you have created a custom privilege with spaces or dashes, use an underscore instead. Example: A custom privilege of STML-Super Admin must be entered as STML_Super_Admin.

    Screen capture of the "Configure SAML" tab in the Okta UI

  7. Select Next.

  8. Enter your feedback on the Feedback page and then select Finish.

    The new app is immediately created and activated.

  9. On the Sign On tab of the application you just created, expand More details.

  10. Copy the Sign on URL and download the signing certificate (X.509 certificate).

    These are the Entry Point and certificate that you will use to configure Stellar Cyber.

    Screen capture of the SAML details in the Okta UI.

You must next add the same four attributes that you set for the application to the user profile that will be applied to those who use the application.

Add Attributes for Assigned Users

These attributes let you manage authorization for Stellar Cyber users (not applicable for per-tenant SSO).

To add attributes for users:

  1. Select Directory | Profile Editor.

    The Profile Editor page appears with the Users tab active by default.

  2. Select the profile for the application you created and then Add Attribute.

    The Add Attribute dialog box appears.

  3. Leave the Data type as string, enter a Display name and one of the Variable names you previously created.

    The Display name is shown in the UI instead of the variable name and can be whatever you decide to name it (for example, "Scope" for the stellar_scope variable). The variable name, on the other hand, must be entered exactly as you defined it for the application. The four variable names are:

    • appuser.stellar_scope

    • appuser.stellar_privilege

    • appuser.stellar_tenant

    • appuser.stellar_tenant_group

  4. Leave the other settings at their default values and select Save and Add Another until you've added all four.

    Screen capture of "Add Attributes" in the Okta UI.

  5. After the last one, select Save.

  6. Save the configuration.

    The new attributes appear at the bottom of the profile editor.

    Screen capture of the Profile Editor in the Okta UI

You must now assign the users whom Okta will authenticate to the application.

Assign Okta Users to Authenticate

Assign users to the application in Okta, and if you are configuring Authentication only, create a corresponding list of users to add to Stellar Cyber. Users are automatically added to Stellar Cyber when you configure SSO to perform both Authentication and Authorization.

Only users who already have accounts in the Okta system can be assigned to the application.

  1. Select Applications | Applications, select the name of the application you created, and then select the Assignments tab.

  2. In the Assign drop-down list, choose Assign to People.

    The assignment dialog box appears, listing user accounts in Okta.

  3. Select Assign for a user that you want Okta to authenticate for access to Stellar Cyber.

    Okta displays the selected user's username and the Display names of the four variables you defined for the user profile that corresponds to this application.

  4. Enter the scope, which can be root, tenant, or partner.

  5. Enter the privilege, which can be super_admin, platform_admin, security_admin, or user.

    You can also enter a custom privilege you defined in Stellar Cyber, under Admin | Role-Based Access Control.

  6. Enter the exact tenant ID as defined in Stellar Cyber.

  7. Enter the exact tenant group ID as defined in Stellar Cyber.

    If you set the scope as root and leave the tenant field empty, the root user will have access to all tenants.

  8. When the scope is partner, enter the exact name or ID of a tenant group as defined in Stellar Cyber.

  9. To assign other users to the application, Save and Go Back.

  10. Repeat the assignment for all users whom you want Okta to authenticate when they access Stellar Cyber.

  11. When finished, select Done.

    Screen capture showing how to assign users to the application.
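The following is an added example, not code from the Stellar Cyber documentation or product. It encodes the rules stated in the attribute table (step 6 of the application setup) and in the assignment steps above (allowed scopes and privileges, case sensitivity, underscores in place of spaces and dashes in custom privilege names, and a tenant group for partner-scoped users) as a pre-flight check you can run over the values you intend to type into Okta. The function and variable names are assumptions, and the sample assignments are constructed.

```python
import re

# Allowed values, taken from the attribute table and the user-assignment steps.
SCOPES = {"root", "partner", "tenant"}
BUILTIN_PRIVILEGES = {"super_admin", "platform_admin", "security_admin", "user"}


def normalize_privilege(name: str) -> str:
    """Rewrite spaces and dashes in a custom privilege name as underscores,
    e.g. 'STML-Super Admin' -> 'STML_Super_Admin'. Case is kept because the
    values are case sensitive on both the Okta and Stellar Cyber sides."""
    return re.sub(r"[ -]+", "_", name.strip())


def validate_profile(attrs: dict, custom_privileges=()) -> list:
    """Check the four stellar_* values for one assigned user against the
    documented rules. Returns a list of problems; an empty list means the
    values are consistent. Tenant and tenant group IDs cannot be verified
    offline: copy them from the Tenants List / Tenant Groups pages."""
    problems = []
    scope = attrs.get("stellar_scope", "")
    priv = attrs.get("stellar_privilege", "")
    group = attrs.get("stellar_tenant_group", "")

    if scope not in SCOPES:
        problems.append(f"stellar_scope {scope!r}: must be root, partner or tenant (case sensitive)")
    allowed = BUILTIN_PRIVILEGES | {normalize_privilege(p) for p in custom_privileges}
    if priv not in allowed:
        problems.append(f"stellar_privilege {priv!r}: not a built-in or (normalized) custom privilege")
    if priv != normalize_privilege(priv):
        problems.append(f"stellar_privilege {priv!r}: spaces and dashes must be entered as underscores")
    if scope == "partner" and not group:
        problems.append("stellar_tenant_group: required when stellar_scope is partner")
    return problems


def check_assignments(users: dict, custom_privileges=()) -> dict:
    """Validate a mapping of username -> attribute dict; returns only the
    users that have problems, so an empty dict means everything is clean."""
    report = {u: validate_profile(a, custom_privileges) for u, a in users.items()}
    return {u: p for u, p in report.items() if p}


# Constructed sample assignments, as they would be entered in Okta.
SAMPLE_USERS = {
    "root-admin@example.com": {"stellar_scope": "root", "stellar_privilege": "super_admin",
                               "stellar_tenant": "", "stellar_tenant_group": ""},
    "mssp-analyst@example.com": {"stellar_scope": "partner", "stellar_privilege": "user",
                                 "stellar_tenant": "", "stellar_tenant_group": ""},
}
```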

If you want Okta to require a second factor from your users, you must enable a multifactor authentication option in Okta. Otherwise, you can proceed to configuring SSO in Stellar Cyber.

Activate Multifactor Authentication (MFA)

You can optionally enable MFA for your users. The steps here show how to specify the authenticator you prefer; they use the Google Authenticator app as the example.

Configuration of multifactor authentication in Okta is independent of whether you enable 2FA in Stellar Cyber. It is possible to require your users to authenticate with MFA in Okta and then again with 2FA in Stellar Cyber.

  1. Select Security | Authenticators | Add authenticator.

  2. Select Add for Google Authenticator.

    Screen capture of the "Add Authenticator" page in the Okta UI

    Okta automatically adds Google Authenticator to the Catch-all Rule, which is applied by default to all applications. The rule requires any two factor types for users to authenticate themselves, such as a password and a code from Google Authenticator.

    Screen capture showing the catch-all rule in the Okta UI

You can now configure SSO authentication in Stellar Cyber.

Configure SSO Authentication in Stellar Cyber

With all your details collected, you are now ready to configure SSO Authentication in Stellar Cyber. The steps below apply to both a global configuration and a per-tenant configuration.

Prepare for Users

  • For Authentication Only SSO: First, manually add all users on the Stellar Cyber Platform. After this manual entry, users can log in with SSO.

  • For Authentication & Authorization SSO: Configure all users through the IdP.

    You enable SSO for all users except the root admin user. The root admin user must always use local authentication (https://your.stellar.cyber.address/login).

  • For Local access (bypass) when SSO is enabled: If Stellar Cyber loses connectivity with your IdP, users configured for SSO cannot log in. As a preventive bypass method, manually create a new user in the Stellar Cyber Platform with root scope and with a valid email address that has "+admin" appended to a valid user name, as follows: <user>+admin@yourorganization.com (for example, joe+admin@yourorganization.com). The user you create must be able to receive a password reset email at <user>@yourorganization.com. This email alias is what Stellar Cyber uses to permit bypassing SSO for a local login. After you create this separate user account, the user can log in in two ways:

    • An SSO user with <user>@yourorganization.com

      or

    • A local user at https://your.stellar.cyber.address/login using <user>+admin@yourorganization.com

    If SSO is configured, it's recommended to keep an active administrative account in the Stellar Cyber user management.

Enable SSO

  1. Log in to Stellar Cyber and select System | Settings.

  2. In the Authentication Settings section, select SSO (SAML) as the Authentication Method.

  3. Select Metadata URL or Manual Config:

    If you select Metadata URL:

    • Issuer URL: Enter the Stellar Cyber URL.

    • Metadata URL: Paste the URL you copied from the IdP. The URL must begin with either https:// or http://. Different vendors use different names for the Metadata URL:

      Identity Provider                       Term for Metadata URL
      Active Directory Federation Services    Federation Metadata URL
      Microsoft Entra ID                      App Federation Metadata URL
      Okta                                    Metadata URL
      OneLogin                                Issuer URL
      Rippling                                Metadata URL

    If you select Manual Config:

    • Issuer URL: Enter the Stellar Cyber URL.

    • Entry Point: Paste the entry point URL you copied from the IdP.

      You must include http:// or https:// before the URLs. Different vendors use different names:

      Identity Provider                       Term for Entry Point URL
      Active Directory Federation Services    SAML Endpoint
      Microsoft Entra ID                      Login URL or SAML-P Sign-on Endpoint
      Okta                                    Sign on URL
      OneLogin                                SAML 2.0 Endpoint (HTTP)
      Rippling                                SAML 2.0 Endpoint (HTTP)

    • IDP Certificate: Upload the certificate file you downloaded from the IdP.

  4. Select Allow Clock Skew to allow for system time differences between Stellar Cyber and your IdP. Authentication messages have an expiration. If the system times on Stellar Cyber and your IdP are not synchronized, the messages might expire before they even get to Stellar Cyber. The result is that users cannot log in, because they cannot authenticate.

  5. Choose your IdP setting: Authentication Only or Authentication and Authorization. Note the following:

    • A Global selection of Authentication and Authorization applies to all users (root, partner, and tenant), so the option to change authentication method for a specific tenant is not applicable when the Global method is set to Authentication and Authorization. You cannot log in to Tenant SSO when Global SSO is set to Authentication and Authorization. If you want to use SSO but also allow local users and tenant override, you must set the Global authentication method either to Local or to use the IdP with Authentication Only.

    • Although you can customize SSO configuration on a per-tenant basis, the Authorization capability is only supported at the global level. Overrides you make at the tenant level are for Authentication only, so the toggle for Authentication and Authorization is not offered in the tenant editor.

    • The root tenant must be configured to use either Default (same method as the Global authentication), or Local. It is not supported for configuration with an independent SSO.

    • The authentication method for partners is the same as that for root users. Any authentication overrides for tenant-level users in a tenant group have no effect on the authentication method for the partners who manage the group.

    • Choose Authentication Only for Stellar Cyber to authenticate users from your IdP, but manage scope and privilege locally. If you choose this, you must create the user in Stellar Cyber before adding them to your IdP.

    • Choose Authentication and Authorization for Stellar Cyber to authenticate users from your IdP, along with their scope and level of privilege. You must configure authorization on your IdP before enabling this, otherwise users cannot log in. If you choose this, you do not need to create the user in Stellar Cyber. Stellar Cyber creates the user and assigns scope and privilege based on the information passed from the IdP.

      When Global Settings is configured for Authentication & Authorization, the option to Create new users manually is hidden because new users must come from the IdP source.

  6. Choose a Two-Factor Authentication option that matches your IdP configuration:

    • Off: If you choose this option, Stellar Cyber user accounts are not offered a 2FA option.

    • Mandatory: If you choose this option, all users for every tenant are required to use 2FA when logging in to Stellar Cyber.

    • Optional: If you choose this option:

      • The 2FA option can be customized for individual tenants under System | Tenants.

      • Individual users can choose to enable 2FA under their User Profile in the Stellar Cyber UI.

      • You can enforce 2FA for specific users under System | Users when adding or editing a user.

      • The overall Global Settings for 2FA affect authentication for partners and tenant users. For example, if 2FA is Mandatory, all users must use 2FA.

      • Enabling 2FA here is independent of what you have configured on your SSO service. Enabling it here causes a separate 2FA prompt to be displayed upon logging in to Stellar Cyber.

      • The 2FA page from Stellar Cyber refers to use of Google Authenticator, but other authenticator applications also work.

  7. Review your settings and then Submit them.
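The following is an added example, not code from the Stellar Cyber documentation or product. It reproduces two of the checks a SAML service provider applies to an assertion from Okta: the Conditions time window, evaluated with and without the skew allowance that the Allow Clock Skew setting in step 4 stands for, and the Audience against the Audience URI (SP Entity ID) entered in the Okta application's SAML settings. The assertion fragment is constructed and unsigned, and the function names are assumptions; a real assertion must additionally have its signature verified with the IdP certificate uploaded in step 3.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment: only Conditions matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/constructed-issuer</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://your.stellar.cyber.address/saml/login/callback</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z, optionally with fractions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_validity_window(assertion_xml: str, sp_clock: str, allowed_skew_seconds: int = 0) -> str:
    """Evaluate the Conditions time window the way the SP does, using the SP's
    own clock reading (sp_clock, same timestamp format) and a tolerated skew.
    Returns 'accepted' or a 'rejected: ...' reason explaining the failed login."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    now = parse_saml_time(sp_clock)
    skew = timedelta(seconds=allowed_skew_seconds)
    if now + skew < not_before:
        return "rejected: assertion not yet valid (SP clock behind the IdP)"
    if now - skew >= not_on_or_after:
        return "rejected: assertion expired (SP clock ahead of the IdP, or slow delivery)"
    return "accepted"


def audience_matches(assertion_xml: str, audience_uri: str) -> bool:
    """The Audience must equal the Audience URI (SP Entity ID) configured in Okta;
    a tenant-specific callback URL is a different audience from the global one."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    return audience_uri in audiences
```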