To integrate Okta with Komodor for Single Sign-On (SSO) and role provisioning, please follow the steps outlined below. This guide includes detailed instructions for setting up Single Sign-On (SSO) and provisioning roles, along with important considerations regarding Komodor role assignment precedence.
Note: Only Okta administrators can add the Komodor application. If you are not an Okta administrator, please contact your Okta admin to have the application added.
Section 1: Adding the Komodor App Integration
- Navigate to Okta Admin Dashboard > Applications > Browse App Catalog
- Search for Komodor
- Select Komodor and click 'Add Integration'.
  - Enter an Application label, e.g. 'komodor' or 'komodorio'.
    Note: This label is for internal use only and will also be the nickname for the Okta Application.
- Click ‘Done’ to add the application.
Section 2: Configuring the Komodor App
- Within the Komodor app, go to the 'Sign On' tab and click ‘Edit’ in the Settings box.
- Under ‘Advanced Sign-on Settings’, enter the Account Name provided to you by Komodor Support. This will generally be your company name.
- Change the Application username format to Email.
- Scroll up to the SAML 2.0 section and send the 'Metadata URL' to support@komodor.com to complete the SAML setup.
- Once Komodor Support has completed the configuration, you can begin to use Okta for SSO.
Section 3: Creating the Komodor Roles attribute
- Navigate to Directory -> Profile Editor
- Select the Komodor User profile
- Click the + Add Attribute button
- Enter the following details in the form:
  - Data type: string array
  - Display name: Komodor Roles
  - Variable name: komodorRoles
  - Attribute type: Group
  - Group priority: Combines values across groups
- Click Save
Section 4: Configuring SAML Attributes for Role Mapping
- From the Okta Admin Dashboard, navigate to Applications -> Applications
- Select the Komodor / Komodorio app
- From the Sign on tab, click the Edit button in the Settings box
- Within the SAML 2.0 section, click the > icon to expand the Attributes (Optional) section
- Add the following attribute and save the changes:
  - Name: komodorRoles
  - Value: appuser.komodorRoles
- Everything is now set up to assign Komodor roles through Okta.
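To confirm that the attribute mapping above actually reaches the service provider, it helps to look at the assertion Okta emits after the mapping is in place. The following is an added example, not code from Komodor or Okta: it parses a constructed SAML 2.0 assertion and extracts the multi-valued komodorRoles attribute the way a service provider would. The issuer URL, subject e-mail and role values in the sample are made up; the attribute name is the one configured in Section 4.

```python
# Added example (not Komodor's or Okta's code): pull the komodorRoles
# attribute out of a SAML 2.0 assertion. The assertion below is constructed
# for illustration; issuer, NameID and role values are made up. The XML
# signature is omitted, so this is for inspecting a captured assertion only.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a multi-valued komodorRoles attribute, one
# AttributeValue per role value (name or UUID) set on the Okta app user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/example-issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="komodorRoles"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>viewer</saml:AttributeValue>
      <saml:AttributeValue>ecb36aec-23b4-4173-86c7-568a97ae0e68</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attribute_values(assertion_xml: str, name: str) -> list:
    """Return every AttributeValue text of the attribute called `name`.

    Returns [] when the attribute is absent, which is what a user with no
    komodorRoles value in Okta looks like on the receiving side.
    Matching on Name is exact, so a mapping typed as "KomodorRoles" would
    not be found here either.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:  # skip empty elements rather than pass "" on as a role
                values.append(text)
    return values


def subject_email(assertion_xml: str) -> str:
    """The NameID, which Section 2 sets to the user's e-mail address."""
    root = ET.fromstring(assertion_xml)
    node = root.find("./saml:Subject/saml:NameID", NS)
    return (node.text or "").strip() if node is not None else ""


if __name__ == "__main__":
    print(subject_email(SAMPLE_ASSERTION),
          saml_attribute_values(SAMPLE_ASSERTION, "komodorRoles"))
```

Real service-provider code takes attributes only from an assertion whose signature it has already verified; this snippet does no verification and is meant for checking a captured assertion (for example from a browser SAML tracer) to see that the attribute is named exactly komodorRoles and that each AttributeValue carries one role name or UUID.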
Section 5: Assigning Roles to Users and Groups
A user’s Komodor role membership in Okta is determined by their Komodor app assignment type, which can be either Individual or Group:
- Group Assignment: Users inherit any Komodor roles assigned to the Okta groups they are members of.
- Individual Assignment: Users inherit only the Komodor roles explicitly assigned to them as individuals. They do not inherit any roles associated with their groups.
When assigning Komodor roles to individuals or groups, Okta administrators can reference roles using either the Komodor Role Name or Role ID:
- Komodor role name, e.g., 'admin', 'viewer', 'developer'
- Komodor role UUID, e.g., 'ecb36aec-23b4-4173-86c7-568a97ae0e68'
Important: Role names and role IDs must match exactly as they appear in Komodor -- any discrepancies will prevent role assignments from being applied correctly.
Komodor Role UUIDs are visible in the Komodor UI on the Role Settings tab under Organization Settings → Roles and can be retrieved via Komodor’s API.
Assigning Komodor Roles to Individuals
- Within the Okta Admin Dashboard, navigate to Directory -> People
- Select the user you'd like to assign roles to
- If the Komodor / Komodorio application is not yet assigned to the individual user:
  - Click Assign Applications
  - Assign the Komodor / Komodorio application to the user
  - Add the relevant roles you'd like to assign to the user and save the changes
- If the Komodor / Komodorio application is already assigned to the user:
  - Edit the Komodor / Komodorio application assignment
  - Make the wanted changes and click Save
Assigning Komodor Roles to Groups
- Within the Okta Admin Dashboard, navigate to Directory -> Groups
- Select the group that you'd like to assign the Komodor role to
- Navigate to the Applications tab
- If needed, click the Assign Applications button to assign the Komodor / Komodorio app to the group
- Specify the Komodor Role Name or UUID you wish to assign to the group and click Save
Editing Komodor Roles for an existing Okta Group
- Go to the relevant group's Applications tab and edit the Komodor / Komodorio application assignment
- Modify the assigned role IDs and save the changes
Adding Users to Groups
- Within the Okta Admin Dashboard, navigate to Directory -> Groups
- Click the Assign People button
- Click the + button for each user you'd like to add to the group.
- Click Done once you're finished
Changing Komodor App Assignment from Individual to Group
If a user’s Komodor App Assignment is set to Individual, they will not inherit any Komodor roles from groups they are a member of. The following steps detail how to change a user’s App Assignment from Individual to Group:
- Navigate to Applications -> Applications
- Select the Komodor application and navigate to the Assignments tab
  Note: When logging into Komodor using Okta SSO, a user's Komodor App assignment type (Individual or Group) determines whether Individual or Group roles are applied to that user.
- To convert the assignment type from Individual to Group, click the Convert assignments button
- Select the users for whom you'd like to convert the assignment, and click Convert selected (alternatively you can click the Convert all assignments button)
- Going back to the previous screen, you can confirm that the assignment type for that user has changed.
Section 6: Handling Unrecognized SSO Users
If a user logs in to Komodor via Okta SSO and none of their Okta-assigned Komodor Roles match an existing role in Komodor, by default they will not be assigned any roles. As an additional fallback measure to enhance security, we recommend that Komodor admins also configure an empty default role.
Steps to Create an Empty Default Role
- Create a Dummy Policy:
  - Create a policy that refers to non-existent resources. For example, use a cluster name with a single space (" ").
- Create a Default Role:
  - Create a default role (ensure the "default" checkbox is selected) that references the dummy policy created in step 1.
- Delete the Dummy Policy:
  - After creating the default role, delete the dummy policy, leaving the role empty. Users assigned to this default role will see no resources in the Komodor GUI unless they are granted Komodor roles individually in Okta or inherit them via Okta groups.
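The two rules described in Section 5 and in this section, modelled as an added example rather than code from Komodor or Okta: on the Okta side, an Individual assignment sends only the user's own komodorRoles values while a Group assignment combines the values of all the user's groups (the "Combines values across groups" priority from Section 3); on the Komodor side, each value must match a role name or UUID exactly, and a user with no match is left with nothing but the empty default role. The role catalog, groups and users are constructed sample data; the admin UUID is the article's own example and the other UUIDs are placeholders.

```python
# Added example (not Komodor's or Okta's code): model of how a user's
# effective Komodor roles are derived from Okta app assignments.
# All catalog, group and user data below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class KomodorRole:
    id: str    # role UUID, as shown under Organization Settings -> Roles
    name: str  # role name, as shown in the Komodor UI


# Constructed role catalog. The first UUID is the article's own example;
# the other two are made-up placeholders.
ROLE_CATALOG = [
    KomodorRole("ecb36aec-23b4-4173-86c7-568a97ae0e68", "admin"),
    KomodorRole("00000000-0000-4000-8000-000000000001", "viewer"),
    KomodorRole("00000000-0000-4000-8000-000000000002", "developer"),
]

# Constructed Okta group -> komodorRoles values, as an admin would type them.
GROUP_ROLES = {
    "platform-team": ["admin"],
    "everyone": ["viewer"],
    "dev-team": ["Developer"],  # wrong case on purpose: not an exact match
}


@dataclass
class OktaUser:
    email: str
    assignment: str                  # "individual" or "group"
    individual_roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)


def okta_komodor_roles(user: OktaUser) -> list:
    """Values Okta places in the komodorRoles attribute for this user.

    Individual assignment: only the values on the user's own app
    assignment; group values are ignored. Group assignment: the values of
    every group the user belongs to, combined and de-duplicated.
    """
    if user.assignment == "individual":
        return list(user.individual_roles)
    if user.assignment == "group":
        combined = []
        for group in user.groups:
            for value in GROUP_ROLES.get(group, []):
                if value not in combined:
                    combined.append(value)
        return combined
    raise ValueError(f"unknown assignment type: {user.assignment!r}")


def resolve_komodor_roles(values: list) -> tuple:
    """Match each value exactly against a role name or a role UUID.

    Returns (matched role names, unrecognised values). A value that differs
    in case or spelling is reported as unrecognised, never guessed at.
    """
    by_name = {role.name: role for role in ROLE_CATALOG}
    by_id = {role.id: role for role in ROLE_CATALOG}
    matched, unknown = [], []
    for value in values:
        role = by_name.get(value) or by_id.get(value)
        if role is None:
            unknown.append(value)
        elif role.name not in matched:
            matched.append(role.name)
    return matched, unknown


def effective_access(user: OktaUser) -> dict:
    """Roles the user ends up with at login, whether only the empty default
    role applies (the Section 6 case), and which values were ignored."""
    matched, unknown = resolve_komodor_roles(okta_komodor_roles(user))
    return {"roles": matched,
            "default_role_only": not matched,
            "ignored_values": unknown}


if __name__ == "__main__":
    for u in (
        OktaUser("a@example.com", "group", groups=["platform-team", "everyone"]),
        OktaUser("b@example.com", "individual",
                 individual_roles=["ecb36aec-23b4-4173-86c7-568a97ae0e68"],
                 groups=["everyone"]),
        OktaUser("c@example.com", "group", groups=["dev-team"]),
    ):
        print(u.email, effective_access(u))
```

The third sample user shows why the empty default role matters: a single typo in a group's role value ("Developer" instead of "developer") leaves that user with no recognised roles, and the `ignored_values` list is the field an admin would check first when someone reports seeing nothing after login.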