Introduction

Learn how to configure SSO/SAML using Okta and CloudCannon.

We know that configuring SSO/SAML can be difficult. Every provider uses different names, finding the right information can be confusing, and it often requires you to go back and forth between software. Don't worry! In this guide, we'll walk you through adding Okta SSO to your CloudCannon Organization.

Okta is a cloud-based identity and access management (IAM) service that allows you to manage how your team members access the software they need.

This guide assumes that:

  • You want to use Okta as your SSO Identity Provider.
  • You already have Okta and CloudCannon accounts.
  • Your Organization is on our Enterprise plan.
  • You are a member of the Owner Permission Group for your Organization.

What is SSO/SAML?#

People often use the acronyms SSO and SAML in conjunction. Single Sign-On (SSO) refers to the process that allows a user to access multiple applications with a single set of login credentials. Security Assertion Markup Language (SAML) is the protocol that facilitates SSO, enabling the secure exchange of user information between the Identity Provider and Service Provider applications.

Here are a few terms you should know:

  • User — The team member who wants to access CloudCannon.
  • Identity Provider — The software that authenticates the user's identity, in this case, Okta. Members of your Organization must have a login for this software.
  • Service Provider — The application a user wants to log in to (i.e., CloudCannon).

CloudCannon supports SSO for Organizations on our Enterprise plan. With Okta SSO enabled, your team members will provide their Okta login details rather than logging in to CloudCannon directly. Additionally, your team members do not need to enter their CloudCannon password while logged in to Okta.

After configuring SSO/SAML, CloudCannon will create a custom landing page for your Organization. Team members can click a button, and CloudCannon will confirm their identity with Okta or redirect them to the Okta login page.

Why use SSO/SAML?#

When you have a larger team, managing their access to various software can be tricky. SSO enables you to:

  • Reduce the number of password resets due to forgotten passwords.
  • Improve the user experience with seamless access to many applications.
  • Revoke access in a single location and know you have removed access to multiple applications.

SSO is also required for some security and compliance policies, as it reduces password-related vulnerabilities and puts authentication in the hands of a single Identity Provider rather than many applications.

How does SSO/SAML work?#

The main points of confusion when setting up SSO/SAML between an Identity Provider (e.g., Okta) and a Service Provider (e.g., CloudCannon) are the conflicting terminology used by different software and the back-and-forth nature of the configuration process.

To make it easier, here's a list of the main concepts. In the later steps of this guide, we'll teach you how to find this information in Okta or CloudCannon.

There are three types of URLs we need for SSO configuration.

  • Entity ID — This is the intended recipient for your SAML assertion: CloudCannon! CloudCannon publishes public information about its SAML configuration on this URL, including the public certificate. The URL must start with https://cloudcannon.com/. Entity ID is also known as the Audience URI, Service Provider Entity ID, or Issuer.
  • Single sign-on (SSO) URL — The Service Provider (i.e., CloudCannon) address to which the Identity Provider (i.e., Okta) will redirect users after they enter their login details. SSO URL is also known as the Assertion Consumer Service URL, Reply URL, or Consume URL.
  • SAML 2.0 Endpoint (HTTP) — The Okta URL to which CloudCannon will redirect users when they try to log in to CloudCannon.

Additionally, CloudCannon requires the following details to generate a SAML request.

  • Name ID Format — This determines how the Identity Provider (Okta) identifies a user to the Service Provider (CloudCannon).
  • Authn Context — This determines how the Service Provider (CloudCannon) expects the Identity Provider (Okta) to authenticate the user.
  • Signing Algorithm — Select the SHA1 or SHA256 algorithm to encrypt your data. SHA1 uses a 160-bit long key to encrypt data, while SHA256 uses a 256-bit long key.
  • X.509 Certificate — This determines the format, structure, and content of the public key certificate.

In general, the Single Sign-On process uses the following steps:

  1. The user tries to log in to CloudCannon.
  2. CloudCannon generates a SAML request.
  3. The user's Internet browser redirects them to the SAML 2.0 Endpoint (i.e., Okta), where Okta parses the SAML request.
  4. Okta authenticates the user by asking them to enter their Okta username and password. If the user is already logged in to Okta, then it skips this step.
  5. The Identity Provider (Okta) generates a SAML response.
  6. The user's Internet browser redirects them to the SSO URL (i.e., CloudCannon), where CloudCannon validates the SAML response.
  7. If the verification is successful, CloudCannon logs the user in and gives them access to your Organization.

If you need any assistance setting up SSO/SAML for you Organization, please reach out to our friendly support team.

In the next step of this guide, we will cover where to find SSO configuration in CloudCannon and Okta and how to add CloudCannon to Okta as an app integration.

Next
Create an Okta App Integration
Learn how to add CloudCannon to Okta as an app integration.

Open in a new tab