This article applies as of PRTG 22.x.76
Important notice: The following article only applies to PRTG Network Monitor. It does not apply to PRTG Hosted Monitor.
How to integrate Okta SSO into PRTG
As of PRTG 22.x.76, you can use Okta as single sign-on (SSO) provider in PRTG. For the integration to work seamlessly, follow the steps in this article.
Requirements
- PRTG as of version 22.x.76
- The optional Okta add-on API Access Management.
Configuration steps to take:
- Step 1: Configure Okta
- Step 2: Configure SSO in PRTG
- Step 3: Add a user group in PRTG
Step 1: Configure Okta
Follow these steps to configure Okta to work as SSO provider in PRTG.
- Optional steps
- Add persons (optional)
- Add groups (optional)
- Step 1.1: Add an authorization server
- Step 1.2: Create an app integration
Optional steps
Add persons (optional)
Follow the steps below to add or import persons that should have access via SSO.
- Log in to the Okta administrator console under https://${yourOktaDomain}/admin/dashboard.
- Go to Directory | People.
- Choose between Add person to add persons manually and Import users from CSV to import persons from a .csv file.
- If you want to manually add users, see Add users manually | Okta.
- If you want to use a .csv file to import users, see Import users from a CSV file | Okta.
- After you have successfully added the user accounts, make sure to activate them. For more information, see Activate user accounts | Okta.
For more information, see Manage users | Okta.
Add a group (optional)
Follow the steps below to add a group.
Notes:
- Add this group to the claim in step 1.1, allow it to access the application that you create in step 1.2, and add its name as SSO Group Claim in step 3 to only allow persons in this group to access your PRTG installation.
- By default, Okta creates the group Everyone that includes every person that is created on Okta. You can use Everyone as SSO Group Claim in step 3 if you want to allow all persons to access your PRTG installation.
- Log in to the Okta administrator console under https://${yourOktaDomain}/admin/dashboard.
- Go to Directory | Groups and click Add Group.
- Enter a name for your group, for example My_Group.
- Click Save.
- Click Assign People.
- Add the members that should be in the newly created group.
- Click Save.
For more information, see Manage groups | Okta.
Step 1.1: Add an authorization server configuration
Note: When you set up the authorization server configuration in step 1.1, the Name that you enter in the Add Claim part must be all lowercase ("groups"). If it is "Groups", as shown in the screenshot, the login fails with errors.
- Log in to the Okta administrator console under https://${yourOktaDomain}/admin/dashboard.
- Go to Security | API and click Add Authorization Server.
- Enter a Name, for example default, and an Audience.
- Click Save.
- Select the authorization server that you have created and navigate to tab Claims.
- Click Add Claim and enter the following values:
- Name: Enter a name, for example groups.
Note: The name must be in lowercase for the login with SSO to work properly.
- Include in token type: ID Tokens – Always
- Value type: Groups
- Filter: Define a filter that defines which groups will be added to the claim of the token for this authorization server.
Note: Select Matches regex and enter .* to add all available groups to the claim.
Note: If you want to limit the groups, define the conditions to only add specific groups to the claim of the token. For example, select Equals and enter My_Group to add the group that you created during the optional step above to the claim of the token.
- Disable claim: Deselected
- Include in: Any scope
- Click Create.
For more information, see Build Custom Authorization Servers for API Access Management | Okta.
Step 1.2: Create an app integration
- Go to Applications | Applications and click Create App Integration.
- Select the following settings in the window that opens:
- Sign-in method: OIDC – OpenID Connect
- Application type: Web Application
- Click Next.
- On the New Web App Integration tab, enter the following:
- Enter an App integration name, for example My Web Application.
- For Grant type, select Authorization Code and Refresh Token.
- For Sign-in redirect URIs, enter the IP addresses and DNS names of the PRTG installation(s) that your users use to connect to PRTG. For example, https://myprtg.domain.com:443/cb.
Note: You can also skip this step for now and add the URLs in step 2 when you configure SSO in PRTG.
- For Controlled access, select Allow everyone in your organization to access.
Note: If you select Limit access to selected groups, enter the name of the group(s) that you want to grant access. For example, add My_Group to allow the persons in the group that you created during the optional step above to access the app integration.
- Click Save.
Step 2: Configure SSO in PRTG
Now that you have configured Okta, configure the SSO settings in PRTG accordingly. To do so, follow these steps.
- Log in to the PRTG web interface.
- Go to Setup | System Administration | Single Sign-On.
- Under SSO Login, select Enable.
- Under Provider, select Okta from the dropdown list.
- Under Configuration Endpoint, enter the configuration endpoint URL as follows: https://${yourOktaDomain}/oauth2/${authorizationServerId}/.well-known/oauth-authorization-server
Note: Make sure to enter the Metadata URI that you can find under Security | API | <Your Authorization Server> in the Okta administrator console.
- Click Load Configuration. This automatically fills in the values in the next four fields.
Note: If this does not work, you must manually enter the values instead as follows. Also, make sure to replace ${yourOktaDomain} with the Okta domain of your application from the Okta administrator console and ${authorizationServerId} with your authorization server ID.
- Authorization Endpoint: https://${yourOktaDomain}/oauth2/${authorizationServerId}/v1/authorize
- Token Endpoint: https://${yourOktaDomain}/oauth2/${authorizationServerId}/v1/token
- JSON Web Key Set (JWKS) URI: https://${yourOktaDomain}/oauth2/${authorizationServerId}/v1/keys
- Issuer: https://${yourOktaDomain}/oauth2/${authorizationServerId}
- Under Scope, enter openid offline_access email profile. The required scopes are added by default after you add your authorization server. You can find the scopes of your authorization server under Security | API | <Your Authorization Server> in the Okta administrator console.
- Under Application (Client) ID, enter the Client ID that you can find under Applications | Applications | <Your Application>.
- Under Client Secret, enter the client secret that you can also find under Applications | Applications | <Your Application>.
- Under Available Callback URLs, select the URLs that your users will use to log in to PRTG.
Here is an example of what the URLs should look like: https://myprtg.domain.com:443/cb. You need to add these to the Sign-in redirect URIs under Applications | Applications | <Your Application> in section Login in the Okta administrator console.
- If the URL that your users use to log in to PRTG is not listed because PRTG is reachable via a different URL (for example, myPRTG.example.com for login, but PRTG lists myPRTG.internal.example.com), you can use the option Manually enter a URL. PRTG still lists all available endpoints if needed for forwarding. You then need to add the URL to the Sign-in redirect URIs under Applications | Applications | <Your Application> in section Login in the Okta administrator console.
Note: Okta and PRTG both check if the callback URLs are allowed. Make sure you configure each required URL on both ends; otherwise, you will not be able to log in.
- Click Test Single Sign-On Authorization Endpoint and wait for the success message.
Note: Make sure that you have opened the PRTG installation for which you want to test the single sign-on authorization endpoint via a URL that you have configured as a valid redirection URI in the Okta administrator console.
- Click Save.
You have now configured SSO in PRTG.
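As an added example (not part of this article, PRTG or Okta), the following Python script shows how the four endpoint fields that Load Configuration fills in are derived from the metadata document at the configuration endpoint, checks them against the URL pattern given above, and compares a callback URL the way both sides do. The Okta domain, authorization server ID and metadata document are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed stand-in for the document served at
# https://${yourOktaDomain}/oauth2/${authorizationServerId}/.well-known/oauth-authorization-server
# "example.okta.com" and "aus_placeholder" are placeholders, not a real tenant.
EXAMPLE_METADATA = json.dumps({
    "issuer": "https://example.okta.com/oauth2/aus_placeholder",
    "authorization_endpoint": "https://example.okta.com/oauth2/aus_placeholder/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/aus_placeholder/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/aus_placeholder/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access", "groups"],
})

# The value the article tells you to enter under Scope in PRTG.
PRTG_SCOPE = "openid offline_access email profile"


def prtg_fields_from_metadata(metadata_json, okta_domain, auth_server_id):
    """Return (fields, problems): the four PRTG fields that Load Configuration
    fills in, plus any mismatch against the URL pattern from the article."""
    meta = json.loads(metadata_json)
    expected_issuer = f"https://{okta_domain}/oauth2/{auth_server_id}"
    fields = {
        "Authorization Endpoint": meta["authorization_endpoint"],
        "Token Endpoint": meta["token_endpoint"],
        "JSON Web Key Set (JWKS) URI": meta["jwks_uri"],
        "Issuer": meta["issuer"],
    }
    problems = []
    if fields["Issuer"] != expected_issuer:
        problems.append(f"issuer {fields['Issuer']} != expected {expected_issuer}")
    for name, url in fields.items():
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.netloc != okta_domain:
            problems.append(f"{name} is not an https URL on {okta_domain}: {url}")
    missing = [s for s in PRTG_SCOPE.split() if s not in meta.get("scopes_supported", [])]
    if missing:
        problems.append(f"authorization server does not advertise scopes {missing}")
    return fields, problems


def callback_url_allowed(prtg_callback, okta_redirect_uris):
    """Okta and PRTG both check the callback URL, and redirect URIs are matched
    as exact strings: scheme, host, port (":443" included) and path must all agree."""
    return prtg_callback in set(okta_redirect_uris)
```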
Step 3: Add a user group in PRTG
Now that you have configured SSO, you need to add a new user group in PRTG.
Note: A local user account for an SSO user is only created if this SSO user has successfully logged in to PRTG.
- Log in to the PRTG web interface.
- Go to Setup | System Administration | User Groups.
- Hover over the blue (+) button and select Add User Group.
- Under User Group Name, enter a name to identify the group, for example Okta SSO User Group.
- Under Active Directory or Single Sign-On Integration, select Use single sign-on integration.
- Under SSO Group Claim, enter the access claim for the SSO group. Enter the name of the group that you want to grant access to your PRTG installation, for example My_Group.
- Click Create.
You have now successfully integrated Okta as SSO provider in PRTG.
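Added example, not from this article or from PRTG: a Python check that mirrors the two conditions from step 1.1 and step 3, namely that the ID token claim is named exactly "groups" in lowercase and that it contains the SSO Group Claim value. The ID token is a constructed, unsigned placeholder; its payload is decoded without signature verification, which is enough for inspecting claim names while troubleshooting but never for trusting a token.

```python
import base64
import json
from typing import Tuple


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed example ID token; header, issuer, client ID and signature are placeholders.
EXAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "placeholder-kid"}),
    _b64url({
        "iss": "https://example.okta.com/oauth2/aus_placeholder",
        "aud": "0oa_placeholder_client_id",
        "sub": "00u_placeholder",
        "email": "alice@example.com",
        "groups": ["Everyone", "My_Group"],
    }),
    "placeholder-signature",
])


def decode_payload_unverified(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT checking the signature.
    Use only to look at claim names during troubleshooting."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_groups_claim(claims: dict, sso_group_claim: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the claim layout PRTG expects from Okta."""
    if "groups" not in claims:
        wrong_case = [k for k in claims if k.lower() == "groups"]
        if wrong_case:
            return False, f"claim {wrong_case[0]!r} found; the Okta claim name must be lowercase 'groups'"
        return False, "no 'groups' claim in the ID token; check the claim filter and token type in Okta"
    groups = claims["groups"]
    if not isinstance(groups, list):
        return False, "'groups' claim is not a list; set Value type to Groups in Okta"
    if sso_group_claim not in groups:
        return False, f"{sso_group_claim!r} not in {groups}; user is not a member or the filter excludes it"
    return True, f"user maps to the PRTG user group with SSO Group Claim {sso_group_claim!r}"
```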