SSO support makes it easy to manage your accounts and works with the most popular identity providers. Let’s walk through how this integration works with Okta. We borrowed the following instructions from the Okta help site to help you get started.

Configuring Okta with SAML 2.0
    1. Log in to your Spotinst account as an administrator.
    2. In the console, choose Settings.
    3. Click the Security tab and select Identity Providers.
      [Image: spotinst-okta-sso]
    4. Make a copy of the Relay State value.
    5. Go to your Okta dashboard and add the Spotinst app to your account:
      [Image: Spotinst-okta-dashboard]
    6. In Okta, go to the admin panel and edit the new Spotinst app you just added.
      There, select the Sign On tab, then click Edit.

        • Enter the Relay State value you copied earlier into the Default Relay State field.
        • Ensure that the Application Username Format is Email.
        • Click Save.
        • Download the metadata document by clicking on the ‘Identity Provider metadata’ link:

      [Image: okta-identity-provider-metadata]

    7. Go back to the Spotinst console, to Identity Providers under the Security tab (as shown in Figure 1), click BROWSE and upload the metadata.xml file you have just downloaded.
    8. Click SUBMIT.
    9. Log back in to Spotinst via your Okta account!

Configure User Role
    10. Now that we have verified that the integration is working, let’s add an additional attribute in Okta in order to support permissions by account.
    11. Browse back to the Okta Admin panel, click on “Directory” and then on “Profile Editor”
    12. Select “Profile” in order to edit the Okta user account.
    13. Click on “Add Attribute”
    14. From the “Data Type” drop-down list, select “String Array”
    15. In the pop-up screen, fill in the fields as follows:

      1. Display Name = Account and Role
      2. Variable Name = AccAndRole
      3. Description = Set User’s permission per account
      4. Select the checkbox “Define enumerated list of Values”
      5. Attribute Members:
        1. Display Name = act-xxxxxx-VIEWER (This can be in any format as it’s just for display)
        2. Value = SPOTINST-act-xxxxxx-VIEWER (This must be in this format)
          Note: You must fill in all the users who are going to use the Spotinst platform.

    16. Click on “Save Attribute”
    17. On the top menu, browse to “applications”
    18. Select the “Spotinst” application and browse to the “Sign-on” tab
    19. Click on “Edit”
    20. Collapse the “Attributes (Optional)”
    21. Fill in the attribute as shown in the figure above and then Save.
    22. From the top menu, browse to “Directory” and then “People”
    23. Search for the user to whom you would like to assign this role and then select that user.
    24. Go to “Profile” and then select “Edit”
    25. Mark the roles that you would like to assign to the user and then click “Save”
    26. All set!
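
The Value format in step 15 is strict while the Display Name is free-form, so a display name pasted into the Value field is an easy mistake. The following Python check is an added example (not code from Spotinst or Okta) that audits AccAndRole arrays against the SPOTINST-act-xxxxxx-VIEWER format. The account-ID pattern, any role other than VIEWER, and the sample users are assumptions.

```python
import re

# Assumption: an account ID is "act-" followed by letters/digits; the page
# shows only the placeholder "act-xxxxxx".
VALUE_RE = re.compile(r"^SPOTINST-(act-[0-9A-Za-z]+)-([A-Z]+)$")

# Only VIEWER appears on the page; extend this set with the role names
# your Spotinst organization actually uses.
KNOWN_ROLES = {"VIEWER"}


def parse_value(value, known_roles=KNOWN_ROLES):
    """Return (account_id, role) or raise ValueError naming the defect."""
    m = VALUE_RE.match(value)
    if m is None:
        if re.match(r"^act-[0-9A-Za-z]+-[A-Z]+$", value):
            raise ValueError(f"{value!r}: display-name form, missing SPOTINST- prefix")
        raise ValueError(f"{value!r}: not SPOTINST-<account id>-<ROLE>")
    account, role = m.groups()
    if role not in known_roles:
        raise ValueError(f"{value!r}: unknown role {role!r}")
    return account, role


def audit_profiles(profiles, known_roles=KNOWN_ROLES):
    """Map user -> {account: role} and collect every rejected value."""
    grants, problems = {}, []
    for user, values in profiles.items():
        for value in values:
            try:
                account, role = parse_value(value, known_roles)
            except ValueError as exc:
                problems.append((user, str(exc)))
                continue
            previous = grants.setdefault(user, {}).setdefault(account, role)
            if previous != role:  # two different roles on one account
                problems.append((user, f"{account}: both {previous} and {role}"))
    return grants, problems


# Constructed sample: AccAndRole arrays keyed by Okta username (email).
SAMPLE = {
    "alice@example.com": ["SPOTINST-act-1a2b3c-VIEWER"],
    "bob@example.com": ["act-1a2b3c-VIEWER"],             # display name used as value
    "carol@example.com": ["spotinst-act-1a2b3c-viewer"],  # case differs from the format
}

if __name__ == "__main__":
    grants, problems = audit_profiles(SAMPLE)
    print(grants)
    for user, why in problems:
        print(user, "->", why)
```

The resulting user-to-account-to-role map also serves as a quick least-privilege review of who was granted what before the roles go live.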

Notes: IDP-initiated flows, SP-initiated flows, and Just In Time (JIT) provisioning are all supported.

For SP-initiated Flows:
  1. Go to https://console.spotinst.com/#/auth/signIn.
  2. Type your email address and click outside the form.
  3. Click SIGN IN WITH SSO