Okta SAML Identity Provider Configuration

In the site, you must manually configure the Datadog application in Okta using the legacy instructions. Ignore the instructions on this page about the preconfigured Datadog application in the Okta application catalog.

Overview

This page tells you how to set up the Datadog application in Okta.

Before proceeding, make sure that you are using the latest version of the Datadog application:

  1. In Okta, click Applications.
  2. Open the Datadog application.
  3. Select the General tab.
  4. Look for a field labeled SSO Base URL.
Datadog application configuration in Okta, highlighting the SSO base URL

If you don’t see the SSO Base URL field, configure Okta using the legacy instructions.

Supported features

The Datadog Okta SAML integration supports the following:

  • IdP-initiated SSO
  • SP-initiated SSO
  • JIT provisioning

For definitions of the terms above, see the Okta glossary.

Setup

Set up Okta as the SAML identity provider (IdP) for Datadog with the following instructions. The setup process requires you to alternate between your Okta and Datadog accounts.

In Okta

  1. Log in to your Okta admin dashboard.
  2. In the left navigation, click Applications.
  3. Click Browse App Catalog.
  4. Use the search bar to search for “Datadog”.
  5. Select the Datadog app for SAML and SCIM.
  6. Click Add Integration. The General Settings dialog appears.
  7. Populate the SSO Base URL field with your Datadog website URL.
  8. Click Done.

Note: The SSO Base URL field accepts custom subdomains if you are not using a standard Datadog website URL.

Next, download the metadata details to upload to Datadog:

  1. While in the settings dialog for the Datadog application in Okta, click the Sign on tab.
  2. Scroll down until you see the Metadata URL.
  3. Click Copy.
  4. Open a new browser tab and paste the metadata URL into the address bar.
  5. Use your browser to save the content of the metadata URL as an XML file.
Sign on configuration in Okta

In Datadog

Upload metadata details

  1. Navigate to Login Methods under Organization Settings.
  2. In the SAML component, click Configure or Update, depending on whether you have previously configured SAML. The SAML configuration page appears.
  3. Click Choose File, and select the metadata file you previously downloaded from Okta.
SAML configuration in Datadog, highlighting metadata upload button

Activate IdP initiated login

For the Datadog application to function correctly, you must activate IdP initiated login.

After you activate IdP initiated login, users can log in to Datadog from Okta

To activate IdP initiated login, execute the following steps:

  1. Navigate to the SAML configuration page.
  2. Under Additional Features, click the checkbox for Identity Provider (IdP) Initiated Login. The component displays the Assertion Consumer Service URL.
  3. The content in the Assertion Consumer Service URL after /saml/assertion is your company ID. Take note of this company ID, as you need to enter it in Okta to finalize your configuration.
  4. Click Save Changes.
SAML configuration in Datadog, highlighting the company ID portion of the assertion consumer service URL

Return to Okta for the next set of configuration steps.

In Okta

  1. Return to the Okta admin dashboard.
  2. Select the Sign on tab.
  3. Click Edit.
  4. Scroll down to the Advanced Sign-on Settings section.
  5. Paste your company ID into the Company ID field. Your company ID should have the format /id/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx.
  6. Click Save.

Service Provider (SP) initiated login

To log in to Datadog using service provider-initiated login (SP-initiated SSO), you need the single sign-on (SSO) URL. You can find your SSO URL in two ways: on the SAML configuration page, or through email.

SAML configuration page

The Datadog SAML configuration page displays the SSO URL next to the Single Sign-on URL heading.

Email

  1. Navigate to the Datadog website URL for your organization.
  2. Select Using Single Sign-On?.
  3. Enter your email address, and click Next.
  4. Check your email for a message containing the SSO URL, listed as Login URL.

After you find your SSO URL from either method, bookmark it for future reference.

SAML role mapping

Follow the steps below to map Okta attributes to Datadog entities. This step is optional.

  1. Navigate to the Okta admin dashboard.
  2. Select the Sign on tab.
  3. Click Edit.
  4. Populate the Attributes with your group attribute statements.
  5. Set up your desired mappings in Datadog.

Further Reading