- Notifications
You must be signed in to change notification settings - Fork23
docs: add sso okta + jumpcloud configurations#340
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Open
quetzalliwrites wants to merge4 commits intomainChoose a base branch
base:main
Could not load branches
Branch not found:{{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline, and old review comments may become outdated.
Uh oh!
There was an error while loading.Please reload this page.
Open
Changes fromall commits
Commits
Show all changes
4 commits Select commitHold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
Member There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Nit: I'm not sure if these are new screenshots (or ones we provided), but I just noticed they feature |
Loading
Sorry, something went wrong.Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong.Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Member There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Praise: Screenshot looking good! 🚀 CollaboratorAuthor There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. @lukqw it's good you like the screenshot, we are using the ones you made lol |
Loading
Sorry, something went wrong.Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong.Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Member There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. "localstack staging" again |
Loading
Sorry, something went wrong.Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong.Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Member There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Question: this seems duplicated from the screenshot above? |
Loading
Sorry, something went wrong.Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Member There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Question: Would it make sense to split this based on provider? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -36,6 +36,163 @@ Select **Enable IdP sign out flow** if you want your users to be logged out from | ||
|  | ||
| ## Configuring SSO with Okta | ||
| This section provides a reference configuration for setting up SAML-based SSO with **Okta**. | ||
| The steps below mirror the fields required in the LocalStack UI and can be used as a template when configuring your Okta application. | ||
| ### 1. Create a SAML 2.0 App in Okta | ||
| In your Okta Admin Dashboard, create a new application under: | ||
| > **Applications → Create App Integration → SAML 2.0** | ||
| During setup, Okta will ask for: | ||
| * **Single sign-on URL** | ||
| * **Audience URI (SP Entity ID)** | ||
| You can copy these values directly from your LocalStack SSO provider creation screen. | ||
| Example mapping: | ||
| | LocalStack name | Okta field name | | ||
| | ---------------------- | --------------------------- | | ||
| | Callback URL | Single sign-on URL | | ||
| | Identifier (Entity Id) | Audience URI (SP Entity ID) | | ||
| ### 2. Configure SAML Attribute Statements | ||
| LocalStack supports mapping the following user attributes: | ||
| * **email** | ||
| * **firstName** | ||
| * **lastName** | ||
| In Okta, add these under **Attribute Statements (optional)**: | ||
| | Name | Name format | Value | | ||
| | --------- | ----------- | ---------------- | | ||
| | email | Unspecified | `user.email` | | ||
| | firstName | Unspecified | `user.firstName` | | ||
| | lastName | Unspecified | `user.lastName` | | ||
| > **Note:** In some setups, Okta may not always populate `firstName` or `lastName` during signup. This is usually a configuration mismatch on the IdP side. Users can still manually enter these fields during signup if needed. | ||
|  | ||
|  | ||
| ### 3. Retrieve the Okta Metadata URL | ||
| Once the application is created, navigate to: | ||
| > **Applications → Sign On → SAML 2.0 → Metadata URL** | ||
| Copy this URL. | ||
|  | ||
| This URL should be used in the LocalStack UI under: | ||
| > **Metadata File → URL** | ||
| LocalStack will automatically import the SAML metadata and map the endpoints required for SSO. | ||
| ### 4. Configure LocalStack Identity Provider | ||
| In the LocalStack SSO configuration screen: | ||
| * Select **Provider type: SAML** | ||
| * Enter an **Identity provider name** (e.g., “Okta”) | ||
| * Paste the **Metadata URL** from Okta | ||
| * Fill in attribute mappings: | ||
| | Your attributes (from Okta) | LocalStack attributes | | ||
| | --------------------------- | --------------------- | | ||
| | email | Email | | ||
| | firstName | First Name | | ||
| | lastName | Last Name | | ||
| Once completed, LocalStack will display: | ||
| * **Callback URL** | ||
| * **Identifier (Entity Id)** | ||
| * **Sign Up Portal URL** | ||
| These values are used in the Okta app configuration and for distributing the signup link to end-users. | ||
|  | ||
| ### 5. Assign Users to the Okta Application | ||
| Ensure that the correct users and groups have access to the Okta SAML app. Only assigned users will be able to authenticate into LocalStack via SSO. | ||
| ## SSO for JumpCloud | ||
| This example outlines the required configuration when using **JumpCloud** as a SAML Identity Provider for LocalStack. | ||
| ### 1. Create a Custom SAML Application | ||
| In the JumpCloud Admin Portal: | ||
| 1. Go to **SSO Applications → Add New Application** | ||
| 2. Select **Custom Application** | ||
| 3. Open **Manage Single Sign-On (SSO)** and choose **Configure SSO with SAML** | ||
|  | ||
| ### 2. Map Required Fields | ||
| Copy the fields from the LocalStack SSO configuration screen into the corresponding JumpCloud fields. | ||
| | JumpCloud field | LocalStack value | | ||
| | ----------------- | ---------------------- | | ||
| | **IdP Entity ID** | Identity provider name | | ||
| | **SP Entity ID** | Identifier (Entity Id) | | ||
| | **ACS URLs** | Callback URL | | ||
| | **Login URL** | Sign Up Portal | | ||
|  | ||
| ### 3. Attribute Mapping | ||
| Add the following user attributes: | ||
| | Service Provider Attribute | JumpCloud Attribute | | ||
| | -------------------------- | ------------------- | | ||
| | email | email | | ||
| | firstname | firstname | | ||
| | lastname | lastname | | ||
| ### 4. Required Options | ||
| Ensure the following options are enabled: | ||
| * **Declare Redirect Endpoint** | ||
| * **Include Group Attribute** with the name: | ||
| ``` | ||
| memberOf | ||
| ``` | ||
|  | ||
| ### 5. Assign Users | ||
| Save the application and assign users or groups who should access LocalStack via SSO. | ||
| ## Attribute mapping | ||
CollaboratorAuthor There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Do we still need this section,@lukqw? feels duplicate considering the new content? | ||
| These attributes can be defined to automatically map attributes of user entities in your internal IdP to user attributes in the LocalStack platform. | ||
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.