Okta SSO Configuration

Praetorian Guard Platform Single Sign-On (SSO) with Okta

Praetorian Guard Platform (PGP) supports Single Sign-On through Okta integration. This guide will walk you through the setup process, which involves verifying your domain ownership, creating an Okta application, and configuring the integration in PGP. You'll need three key pieces of information to complete the setup:

  • Client ID

  • Client Secret

  • Issuer URL

Domain Verification

The first step is to verify ownership of your domain by adding a DNS TXT record. Access your domain's DNS settings or management interface where you'll need to add a TXT record. The record should follow the format "chariot=<verification-id>", where <verification-id> is the unique verification ID assigned to your account. You can find this value in the SSO setup dialog on the Organization Settings tab on the Settings page, where it is available to copy and paste.

At your DNS management interface, set the text record for your root domain. For example, if your domain is YourDomain.com and your record is set at the root level (@), you would add a TXT record with the value shown in the SSO setup dialog. Within the PGP setup pop-up, you can copy and paste this value.

Once set, your DNS TXT record might look something like this:

Name / Host           Record type   Value
@ (YourDomain.com)    TXT           "chariot=550e8400-e29b-41d4-a716-446655440000"

To verify that your record has been published, run dig +short TXT YourDomain.com (macOS or Linux) or nslookup -type=TXT YourDomain.com (Windows) and look for the chariot= record in the output. DNS changes can take some time to propagate, so if the record is not returned immediately, wait and query again before continuing.
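The following script, added here as an example and not part of the original guide, automates that check: it pulls the verification id out of the TXT records returned by dig (or nslookup, whose "text =" lines it also handles) and compares it with the id shown in the PGP SSO setup dialog. The sample DNS output is constructed; the verification id is the example value used above.

```shell
#!/bin/sh
# Example: confirm that the PGP verification TXT record "chariot=<id>" is
# published for a domain before pressing Integrate in the SSO dialog.

extract_chariot_id() {
    # $1: output of `dig +short TXT <domain>` or `nslookup -type=TXT <domain>`.
    # Prints the id from the first record of the form "chariot=<id>", or
    # nothing if no such record is present.
    printf '%s\n' "$1" | sed -n 's/.*"chariot=\([^"]*\)".*/\1/p' | head -n 1
}

check_verification() {
    # $1: DNS lookup output, $2: verification id copied from the SSO dialog.
    # Succeeds (exit 0) only when a chariot= record exists AND matches $2.
    found=$(extract_chariot_id "$1")
    [ -n "$found" ] && [ "$found" = "$2" ]
}

# Constructed sample: a root domain usually carries other TXT records (SPF,
# other vendors' verification strings) next to the chariot= record.
SAMPLE_DIG_OUTPUT='"v=spf1 include:_spf.example.net -all"
"some-other-vendor-verification=abc123"
"chariot=550e8400-e29b-41d4-a716-446655440000"'

# Constructed sample in the format printed by nslookup on Windows.
SAMPLE_NSLOOKUP_OUTPUT='Non-authoritative answer:
YourDomain.com  text = "v=spf1 include:_spf.example.net -all"
YourDomain.com  text = "chariot=550e8400-e29b-41d4-a716-446655440000"'

# Live use (hypothetical domain and id; uncomment and adjust):
# if check_verification "$(dig +short TXT YourDomain.com)" "<verification-id>"; then
#     echo "verification record published"
# else
#     echo "verification record missing or wrong; wait for DNS propagation"
# fi
```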

Creating and Configuring the Okta Application

Begin by logging into your Okta admin dashboard at login.okta.com. Navigate to the Applications section and create a new app integration. When configuring the application, select "OIDC - OpenID Connect" as your sign-in method and "Web Application" as your application type.

Click Next at the bottom.

Name your application "PGP" and configure the redirect URIs. The sign-in redirect URI should be set to https://praetorian-chariot.auth.us-east-2.amazoncognito.com/oauth2/idpresponse, and the sign-out redirect URI should be https://guard.praetorian.com/login. Remember to configure access for any users who will need to access PGP via SSO - this can be done under Assignments.

Optional Okta Tile Configuration

You may want to configure the PGP Okta tile for easier access. In your application's General Settings, configure the login settings to allow initiation from either Okta or the app, enable the application icon display for users, and set the login flow to redirect to the app. Set the initiate login URI to https://guard.praetorian.com/login.

Here's the step-by-step:

  1. Under General > General Settings click the Edit link.

  2. Under General > Login update the following settings:

     • Login initiated by - Either Okta or App.

     • Application visibility - ensure that “Display application icon to users” is enabled.

     • Login flow - choose “Redirect to app to initiate login (OIDC Compliant)”.

     • Initiate login URI - set to “https://guard.praetorian.com/login”.

  3. Hit “Save” to confirm your configuration changes.

Integrating with PGP

To complete the integration, log in to PGP using your existing credentials at https://guard.praetorian.com/login. Click Settings on the bottom left menu then the Organization Settings tab near the top of the page. From there, you can begin the SSO setup process by pressing +Add Provider.

You'll need to provide several pieces of information: your email domain (such as "praetorian.com"), the Client ID and Client Secret (found in the Client Credentials section of your Okta application's General tab), and your Issuer URL (your Okta login base URL, like "https://companyname.okta.com").

Fill out the +Add Provider pop-up with this information.

Once you have filled in all of the fields, hit Integrate. Your users should now be able to log in to PGP using Okta as their identity provider.

User Provisioning and Role Assignment

Once SSO is configured, all users are managed through your Okta instance. New users do not need to be provisioned in PGP ahead of time — an account is created automatically the first time an Okta user signs in.

During SSO setup, choose how roles are assigned to those users:

  • Default role — Every SSO user is granted the same role on first sign-in. After sign-in, the role for an individual user can be adjusted under Settings > User Management.

  • Role claim — Map an Okta role claim to PGP's three roles: Read Only, Analyst, and Admin. When a user is provisioned in Okta with one of those roles, they inherit the corresponding role in PGP on sign-in.

Post-Setup Information

Once the setup is complete, users can access PGP through the Sign in with SSO portal on the login page.

It's worth noting that you can remove the DNS TXT record after completing the SSO setup. However, if you need to make any changes to the SSO configuration, such as rotating secrets, you'll need to temporarily re-add the TXT record during the configuration process.

If you encounter any difficulties during setup or need assistance with SSO, reach out to support@praetorian.com for help.

By following these steps, you'll establish a secure and convenient SSO connection between your Okta instance and PGP, allowing for streamlined access management and improved user experience.