Summary

This short series of steps enables Okta admins to connect their Okta instances to Bigeye for single sign-on. Upon completion, your employees will be able to log in to Bigeye via Okta.

📘

Note - substitute the email domain values

Make sure to enter the same <domain> value throughout this process. The domain is the email domain of your users, such as example.com. If you have more than one domain, it is recommended to set up more than one connection inside of Bigeye.

📘

Note - your Bigeye URL may be different

If you use a Bigeye URL that is different from app.bigeye.com, please substitute your Bigeye URL while performing the steps of this configuration.


Part 1: In your Okta instance, set up a new application for Bigeye.

  1. As an Okta Administrator, in Okta, navigate to Applications.
  2. Click the Create App Integration button.
  3. Select OIDC - OpenID Connect and Web Application, then click Next.
  4. In the New Web App Integration section, enter an App Integration Name, set the Bigeye logo, and set the Grant Types to Authorization Code and Refresh Token.

  5. Set https://app.bigeye.com/sso/oidcLogin/<domain> as the Sign-in redirect URI.

  6. Select an Assignment and click Save.

  7. You will now see the General section of the application. Both the Client ID and the Client secret will need to be sent to Bigeye as part of the setup.

  8. To enable direct login from the Okta dashboard:
    a. In the General Settings section, click Edit.
    b. Scroll down to the Login section.
    c. Change Login initiated by to Either Okta or App.
    d. Set Application Visibility.
    e. Enter https://app.bigeye.com/sso/<domain> in the Initiate login URI field.
    f. Click Save.

Part 2: Create connection in Bigeye

  1. Go to https://app.bigeye.com/settings/single-sign-on
  2. Click New Connection
  3. Set the following values:
    1. Single sign-on provider: OpenID Connect (OIDC)
    2. Domain: your email domain (e.g. example.com). After this connection is activated, all email addresses for this email domain will be forwarded to your identity provider.
    3. Connection name: your email domain (e.g. example.com). This is an identifier used by Bigeye and your identity provider when they interact.
    4. Issuer URL: this is the URL that provides information about your OpenID Connect endpoints and which parameters are accepted. This URL should be accessible over the network that connects to Bigeye. Bigeye will append .well-known/openid-configuration to the URL you provide.
    5. Client ID and Client Secret as configured by your identity provider
  4. Click Save
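
A pre-flight check for the Issuer URL in step 3, added here as an example (it is not Bigeye's or Okta's code): it builds the discovery URL that Bigeye will request and checks the document the identity provider returns for an issuer mismatch, non-HTTPS endpoints and a missing Authorization Code grant. The function names, the single-slash join and the idp.example.com sample document are assumptions made for the example.

```python
import json
import urllib.request
from urllib.parse import urlsplit

BIGEYE_BASE = "https://app.bigeye.com"  # substitute your Bigeye URL if different

def discovery_url(issuer):
    # Assumption: the suffix is joined to the issuer with exactly one slash.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def bigeye_uris(domain, base=BIGEYE_BASE):
    """Sign-in redirect URI and Initiate login URI from Part 1 for one domain."""
    if "." not in domain or any(c in domain for c in "/:@ "):
        raise ValueError("expected a bare email domain such as example.com")
    return f"{base}/sso/oidcLogin/{domain}", f"{base}/sso/{domain}"

def check_discovery(issuer, doc):
    """Return the problems found in a discovery document (empty list = OK)."""
    problems = []
    if urlsplit(issuer).scheme != "https":
        problems.append("issuer URL is not https")
    # OIDC Discovery: the document's issuer must match the URL it was fetched from.
    if str(doc.get("issuer", "")).rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(str(doc.get(key, ""))).scheme != "https":
            problems.append(f"{key} missing or not https")
    # grant_types_supported is optional; the spec default includes authorization_code.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant is not advertised")
    return problems

def fetch_discovery(issuer, timeout=10):
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample, not a real identity provider.
SAMPLE_ISSUER = "https://idp.example.com"
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

if __name__ == "__main__":
    print(bigeye_uris("example.com"), check_discovery(SAMPLE_ISSUER, SAMPLE_DOC))
```

To test a live issuer, pass the result of fetch_discovery(issuer) to check_discovery in place of the sample document.
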

Once the connection is saved, all logins for the domain specified will be validated by your identity provider. We highly recommend doing the following to verify your connection:

  1. Log in from another browser to verify that you can log in. If you are not able to log in, you can delete the Single Sign-on Connection inside of Bigeye to prevent other users from being locked out.
  2. Verify in your identity provider that the correct users are added to the applicable membership groups for Bigeye.
Configuration dialog for a new single sign-on connection
