How-to work with Okta SAML

This article shows how to set up SAML authentication in Checkmk with Okta for user sign-in.

LAST TESTED ON CHECKMK 2.4.0P7

 Depending on your Okta configuration or version, certain details may vary. For the most accurate and up-to-date information, consult the official Okta documentation.

Overview

This guide walks you through the process of setting up SAML authentication in Checkmk with Okta as the identity provider. It covers configuration steps in both Checkmk and Okta, such as creating the SAML connection, exchanging metadata, and configuring user attribute mappings, to enable users to log in to Checkmk using their Okta credentials.
Step-by-step guide

The following steps set up SAML authentication with Okta as the identity provider. They describe a basic configuration to get started; for production use you will want to refine it further (for example by narrowing which groups Okta sends and by keeping MFA enforced for the application).

Create a new SAML authentication connection in Checkmk

  1. Click Setup → Users → SAML Connection → SAML Authentication → Add Connection.



  2. In the Connection section, select URL for Identity Provider metadata. Enter a placeholder HTTPS URL for now; it is only there so that the connection can be saved, and you will replace it with the real Okta metadata URL once the Okta app exists.

  3. Enter the FQDN (Fully Qualified Domain Name) of your Checkmk instance. Ensure that HTTPS is enabled with a certificate valid for that name and that the site is reachable under that name from your users' browsers. Okta delivers the SAML response by redirecting the user's browser to Checkmk, so Okta itself does not need to reach the site; the Checkmk server, however, needs outbound HTTPS access to your Okta tenant in order to fetch the metadata.



  4. In the Users section, set the User ID attribute to the following claim URI so that the user's email address becomes the Checkmk user ID. The attribute statement you create in Okta later must use exactly this name:

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  5. Save the connection.

  6. Click the Edit icon (pencil) next to the new connection.

  7. Checkmk now shows the generated connection information (Assertion Consumer Service endpoint, Entity ID and Metadata endpoint) that you will enter into Okta in the next section.

Create a new App Integration in Okta

  1. Log in to the Okta Admin Console at https://admin.okta.com.

  2. Click on Applications → Applications.

    image-20251119-095613.png
  3. Click on Create App Integration.



  4. Select SAML 2.0.

    image-20251119-095646.png
  5. Enter a name in the App name field.
  6. In Checkmk, copy the Assertion Consumer Service endpoint from your saved SAML connection and enter it as the Single sign-on URL in your Okta app.

    Via Checkmk



  7. Enter the Entity ID value from Checkmk into the Audience URI (SP Entity ID) field in Okta.
  8. Enter the Metadata endpoint value from Checkmk into the Default RelayState field in Okta. Okta sends this value with IdP-initiated sign-ins (for example when a user starts from the Okta dashboard); for sign-ins started from the Checkmk login page, Okta simply echoes back the RelayState that Checkmk sent with its request.
  9. Set the Name ID format dropdown to EmailAddress.
  10. Set the Application username dropdown to Okta username.

  11. Set the Update application username on dropdown to Create and update.

    Required URLs
  12. Go to Applications → Applications, open the application you created, switch to the General tab and click Edit next to SAML Settings.

    image-20251119-095800.png
    image-20251119-095840.png
  13. Under Attribute Statements, add one with the following settings, so that the email address is sent under the User ID attribute name configured in Checkmk:

     • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

     • Name format: Unspecified

     • Value: user.email (the Okta profile attribute that holds the user's email address)
  14. Assign users to the application in Okta by navigating to the Assignments tab of your app and selecting one or more users or groups.

    image-20251119-095920.png



Completing configuration

  1. Click Setup → Users → SAML Connection → SAML Authentication and edit the connection you created earlier.

    image-20251119-095949.png
  2. In Okta, go to the Sign On tab of your application, copy the Metadata URL, and paste it into the Identity Provider metadata field in Checkmk, replacing the placeholder you entered earlier. Checkmk fetches the IdP metadata (Okta's signing certificate and sign-in endpoints) from this URL, so the Checkmk server must be able to reach your Okta tenant over HTTPS.

    image-20251119-100015.png

  3. Save the configuration and Activate changes.

  4. Sign out of Checkmk.
  5. At the sign-in screen, select Sign in with Okta and sign in as a user you assigned to the application in Okta.



Configuring and syncing contact groups and roles

By integrating Okta groups with Checkmk, users can be automatically assigned the appropriate contact groups and roles based on their group membership in Okta. This eliminates the need for manual user role or contact group configuration after the initial setup.

Create and assign Okta groups

  1. In Okta, click on Directory → Groups.

    image-20251119-100048.png
  2. Click Add group.



  3. Create groups that correspond to your Checkmk contact groups and roles. The Okta group name must match, character for character, the value you later enter in Checkmk's mapping (the Attribute match value for contact groups, the group text field for roles); a difference in case or an extra space means the user is not mapped.



    Example:

    • Role Group: Checkmk_Admins for users who should have administrator privileges.

    • Contact Group: Network_Operations for users in the corresponding Checkmk contact group.

  4. Click Save.

  5. Add the appropriate users to each group based on their responsibilities.

Add group attribute statements in Okta

  1. In Okta, go to Applications → select your Checkmk app.

    image-20251119-100137.png
    image-20251119-100155.png



  2. Go to the Sign On tab and click Edit in the SAML Settings section. Scroll down and click Show legacy configuration.

    image-20251119-100224.png
    image-20260309-075750.png



  3. Scroll down to Group Attribute Statements (optional) and click Add Group.

    image-20251119-100247.png
  4. Fill in the fields as follows:

     • Name: http://schemas.xmlsoap.org/claims/Group

     • Name format: Unspecified

     • Filter: Matches regex, with the value .*

  5. Click Save.

This configuration makes Okta include all of the user's group names in the SAML assertion sent to Checkmk. For production, consider narrowing the filter (for example Starts with on a common prefix) so that only the groups Checkmk actually maps are disclosed to it; note that with the example names above a prefix filter would also have to cover Network_Operations, otherwise the contact group mapping silently stops working.
Map groups to contact groups in Checkmk

  1. In Checkmk, go to Setup → Users → SAML Connection → SAML Authentication.

  2. Edit your Okta SAML configuration.

  3. In the Contact groups section:

    • Set the dropdown to Map value to specific groups.

    • For Claim name, enter:
      http://schemas.xmlsoap.org/claims/Group

    • For each group mapping:

      • Enter the Okta group name (e.g., Network_Operations) in the Attribute match value field.

      • Select the corresponding Checkmk contact group.

Map groups to roles in Checkmk

  1. In the same SAML configuration screen, scroll to the Roles section.

  2. Set the dropdown to Map roles.

  3. For Role attribute, enter:
    http://schemas.xmlsoap.org/claims/Group

  4. For each role:

    • Check the box next to the role (e.g., Administrator).

    • Enter the Okta group name (e.g., Checkmk_Admins) in the corresponding text field.

  5. Click Save and activate changes.
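The two preceding procedures (the group attribute statement in Okta and the contact group and role mapping in Checkmk) only work together when the group names line up exactly, and a narrowed Okta filter can quietly remove a group that Checkmk expects. The script below is an added example written for this article; it is not Checkmk or Okta code. It models both sides: a function that builds the AttributeStatement Okta would emit for a user (email claim plus the group names passing the regex filter, under the Group claim name used above) and a function that applies Checkmk's exact-match mapping to it. The user, group and contact group names, and the assumption that Okta's regex filter requires a full match, are the example's own.

```python
"""Trace an Okta group attribute statement through Checkmk's group mapping.

Added example; not Checkmk or Okta code. User, group and contact group names
are constructed. Matching is modelled as an exact, case-sensitive string
comparison, which is how the guide's "names must match exactly" rule is read here.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed: the Okta groups of one test user.
OKTA_USER_GROUPS = ["Everyone", "Checkmk_Admins", "Network_Operations", "HR"]

# Assumed Checkmk-side configuration as entered in the SAML connection dialog:
# Attribute match value -> contact group, and role -> Okta group name.
CONTACT_GROUP_MAP = {"Network_Operations": "network_ops"}
ROLE_MAP = {"admin": "Checkmk_Admins", "user": "Checkmk_Users"}


def okta_attribute_statement(email: str, groups: list, group_filter_regex: str) -> str:
    """Return the AttributeStatement XML Okta would emit for this user.

    The group filter is modelled as a full regex match (assumption), so ".*"
    sends every group and "Checkmk_.*" only the prefixed ones. When no group
    passes the filter the Group attribute is left out entirely (also an assumption).
    """
    sent = [g for g in groups if re.fullmatch(group_filter_regex, g)]
    attrs = [
        f'<saml:Attribute Name="{EMAIL_CLAIM}">'
        f"<saml:AttributeValue>{escape(email)}</saml:AttributeValue></saml:Attribute>"
    ]
    if sent:
        values = "".join(f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in sent)
        attrs.append(f'<saml:Attribute Name="{GROUP_CLAIM}">{values}</saml:Attribute>')
    return f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">{"".join(attrs)}</saml:AttributeStatement>'


def parse_attributes(statement_xml: str) -> dict:
    """Map each attribute Name to its list of values.

    Uses the stdlib parser on XML this script produced itself; for assertions
    from an untrusted source use defusedxml (and verify the signature first).
    """
    root = ET.fromstring(statement_xml)
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:Attribute", NS)
    }


def checkmk_mapping(attributes: dict) -> dict:
    """Apply the guide's contact group and role mappings to parsed attributes.

    Exact, case-sensitive comparison: a group named checkmk_admins does not
    grant the admin role mapped to Checkmk_Admins.
    """
    user_id = (attributes.get(EMAIL_CLAIM) or [None])[0]
    groups = set(attributes.get(GROUP_CLAIM, []))
    contact_groups = sorted(cg for okta_name, cg in CONTACT_GROUP_MAP.items() if okta_name in groups)
    roles = sorted(role for role, okta_name in ROLE_MAP.items() if okta_name in groups)
    return {"user_id": user_id, "contact_groups": contact_groups, "roles": roles}


def simulate_login(email: str, groups: list, group_filter_regex: str) -> dict:
    """End to end: Okta builds the statement, Checkmk parses and maps it."""
    return checkmk_mapping(parse_attributes(okta_attribute_statement(email, groups, group_filter_regex)))


if __name__ == "__main__":
    # Filter ".*" as in the guide: every group is sent, both mappings resolve.
    print(simulate_login("alice@example.com", OKTA_USER_GROUPS, r".*"))
    # A narrower filter keeps HR and Everyone out of the assertion, but also
    # drops Network_Operations, so the contact group mapping silently breaks.
    print(simulate_login("alice@example.com", OKTA_USER_GROUPS, r"Checkmk_.*"))
    # A case mismatch between Okta and Checkmk yields a user with no role at all.
    print(simulate_login("bob@example.com", ["checkmk_admins"], r".*"))
```

Run it once with the filter you intend to use in Okta and the group list of a real test user: if a contact group or role you expect is missing from the output, the fault is in the filter or in a name mismatch, not in Checkmk.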

 

 

Optional: password-only authentication policy for test environments

When setting up a test environment for SAML with Okta, it can be useful to create an authentication policy that requires only a password, so that test sign-ins are not interrupted by MFA prompts. This is done under Authentication Policies in the Okta Admin Console. Do not assign such a policy to a production Checkmk application.

image-20260310-140103.png
Create the policy

"Password Only" is just the name of the policy in this example; it could be named anything.

image-20260310-140159.png
Set up the rule so that access is allowed with a password only

image-20260310-140227.png
Add the Application to the Policy

image-20260310-140301.png