Okta SAML Setup

This page provides instructions for setting up Okta’s SAML authentication provider with Squirro.

How to Set Up the Application in Okta

  1. Log in to the Okta developer console

  2. Switch the view to Classic UI

  3. Click Applications

  4. Click Create New App

  5. Set Platform to Web

  6. Set Sign on method to SAML 2.0

  7. Click Next

  8. Enter a name.

  9. Set the Single Sign On URL to https://SQUIRRO/sso/callback (URL of your Squirro installation plus the path /sso/callback)

  10. Set the Entity ID as https://sso.squirro.com/o/saml2/entity

  11. Set the application username to Email

  12. Leave other settings as is

  13. Finish the setup, then under the Sign On tab select View Setup Instructions for SAML 2.0

  14. Click on Download certificate

  15. Copy the IDP Metadata to a file on your machine

  16. On the Assignments tab, add the people or groups who should have access to Squirro

Configuring SAML Metadata

To configure SAML Single Sign-On with the federation metadata file, follow the steps below:

  1. Open your Squirro project.

  2. Go to the Server space.

  3. Select Single Sign-On (SAML) in the left navigation menu.

  4. Click the orange plus icon to create a new SSO.

  5. Fill out the form, including the following information:

  • Domain: *

  • Enabled: Check

  • Metadata file: upload the IDP Metadata file downloaded earlier

  • Certificate: upload the certificate file downloaded earlier

  • User group: Select a user group to be assigned to all SSO users

Squirro SAML SSO page
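Before uploading the two files in step 5, it is worth confirming that the certificate downloaded from Okta is the signing certificate carried inside the IDP Metadata file. The Python check below is an added example, not part of the Squirro or Okta documentation; its function names are hypothetical and the sample PEM and metadata are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem_text):
    """Decode the first PEM CERTIFICATE block to raw DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def metadata_signing_certs(metadata_xml):
    """Return the DER bytes of each signing certificate in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs

def certificate_matches_metadata(pem_text, metadata_xml):
    """True if the downloaded certificate is one of the metadata signing certs."""
    want = hashlib.sha256(pem_to_der(pem_text)).digest()
    return any(hashlib.sha256(c).digest() == want
               for c in metadata_signing_certs(metadata_xml))

# Constructed sample input: placeholder bytes, not a real certificate or tenant.
_B64 = base64.b64encode(b"constructed placeholder bytes, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.example/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("match:", certificate_matches_metadata(SAMPLE_PEM, SAMPLE_METADATA))
```

To check real files, pass the text of the downloaded certificate and of the saved IDP Metadata file to `certificate_matches_metadata`; a `False` result means the two downloads do not belong together and should be fetched again before upload.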

Enabling SSO

For security reasons, the final configuration needs to be done directly on the server.

Log in to the server using SSH or a similar means and edit the file /etc/squirro/frontend.ini. Then append the following lines at the end:

[security]
sso_enabled = true
sso_endpoint = http://localhost:81/studio/extauth_saml/extauth

Reducing HTTP Session

By default Squirro will keep user sessions for 30 days, surviving browser restarts as well. In a Single Sign-On environment, this should be changed to expire sessions more aggressively. See Reducing Session Lifetime for information.