Okta SAML Identity Provider Configuration
Overview
This page tells you how to set up the Datadog application in Okta.
Before proceeding, make sure that you are using the latest version of the Datadog application:
- In Okta, click Applications.
- Open the Datadog application.
- Select the General tab.
- Look for a field labeled SSO Base URL.
If you don’t see the SSO Base URL field, configure Okta using the legacy instructions.
Supported features
The Datadog Okta SAML integration supports the following:
- IdP-initiated SSO
- SP-initiated SSO
- JIT provisioning
For definitions of the terms above, see the Okta glossary.
Setup
Set up Okta as the SAML identity provider (IdP) for Datadog with the following instructions. The setup process requires you to alternate between your Okta and Datadog accounts.
In Okta
- Log in to your Okta admin dashboard.
- In the left navigation, click Applications.
- Click Browse App Catalog.
- Use the search bar to search for “Datadog”.
- Select the Datadog app for SAML and SCIM.
- Click Add Integration. The General Settings dialog appears.
- Populate the SSO Base URL field with your Datadog website URL.
- Click Done.
Note: The SSO Base URL field accepts custom subdomains if you are not using a standard Datadog website URL.
Next, download the metadata details to upload to Datadog:
- While in the settings dialog for the Datadog application in Okta, click the Sign on tab.
- Scroll down until you see the Metadata URL.
- Click Copy.
- Open a new browser tab and paste the metadata URL into the address bar.
- Use your browser to save the content of the metadata URL as an XML file.
In Datadog
- Navigate to Login Methods under Organization Settings.
- In the SAML component, click Configure or Update, depending on whether you have previously configured SAML. The SAML configuration page appears.
- Click Choose File, and select the metadata file you previously downloaded from Okta.
Activate IdP initiated login
For the Datadog application to function correctly, you must activate IdP initiated login.
After you activate IdP initiated login, users can log in to Datadog from Okta.
To activate IdP initiated login, execute the following steps:
- Navigate to the SAML configuration page.
- Under Additional Features, click the checkbox for Identity Provider (IdP) Initiated Login. The component displays the Assertion Consumer Service URL.
- The content in the Assertion Consumer Service URL after /saml/assertion is your company ID. Take note of this company ID, as you need to enter it in Okta to finalize your configuration.
- Click Save Changes.
Return to Okta for the next set of configuration steps.
In Okta
- Return to the Okta admin dashboard.
- Select the Sign on tab.
- Click Edit.
- Scroll down to the Advanced Sign-on Settings section.
- Paste your company ID into the Company ID field. Your company ID should have the format /id/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx.
- Click Save.
Service Provider (SP) initiated login
To log in to Datadog using service provider-initiated login (SP-initiated SSO), you need the single sign-on (SSO) URL. You can find your SSO URL in two ways: on the SAML configuration page, or through email.
SAML configuration page
The Datadog SAML configuration page displays the SSO URL next to the Single Sign-on URL heading.
Email
- Navigate to the Datadog website URL for your organization.
- Select Using Single Sign-On?.
- Enter your email address, and click Next.
- Check your email for a message containing the SSO URL, listed as Login URL.
After you find your SSO URL from either method, bookmark it for future reference.
SAML role mapping
Follow the steps below to map Okta attributes to Datadog entities. This step is optional.
- Navigate to the Okta admin dashboard.
- Select the Sign on tab.
- Populate the Attributes with your group attribute statements.
- Set up your desired mappings in Datadog.