LightBeam Okta SAML Configuration Guide
Last updated
LightBeam supports SAML protocol for authentication purposes.
This document explains the flow for Okta with SAML configuration.
Configure SMTP relay from LightBeam > Settings > SMTP before configuring Okta as Auth Provider.
Log in to the Okta portal using admin or super admin credentials that have permission to create a new application.
Click on Applications in the left tab. You will see a popup like the one shown in Fig. 1.
Select SAML 2.0 and click on Next.
Provide the App Name and click on Next, as shown in Fig. 2.
In the field "Single sign-on URL", replace LIGHTBEAM_ENDPOINT with the actual endpoint and copy the same URL into Audience URI, as shown in Fig. 3.
The URL will look similar to: http://<LIGHTBEAM_ENDPOINT>/auth/realms/master/broker/Okta/endpoint
Once it has been added in both places, click on Next.
Select the first option, i.e. "I'm an Okta customer adding an internal app" (as shown in Fig. 4), also set the App Type to Internal App as shown in the screenshot below, and then click on Finish.
After completing these steps, you will have created an application and be prepared to assign users to it.
Click on "Sign On".
Scroll down to the SAML signing certificate section.
Click on the active SHA (either SHA-1 or SHA-2, whichever is active) and select "Actions."
Then, click on "View Idp metadata" to open another tab.
To grant access to Okta users, you can assign them to this app individually or create a group with selected users and assign it.
Refer to the screenshots below (Fig. 6 - Fig. 6.4) for instructions on how to assign a group of users to this app.
Once Okta is configured in the LightBeam app, every user assigned to this app will be able to access LightBeam.
To access the Auth provider page in the LightBeam app, log in and click on the top-right gearbox (Fig. 7).
Click on Add Auth Provider.
Select Okta from the drop-down list.
Select SAML protocol (Fig. 10).
Provide the IdP metadata URL copied above.
Enter the Service URL, which looks like https://<DOMAIN>/app/<TOKEN>/sso/saml/metadata, and click on Save.
Log into your organization's Okta dashboard. This will be a URL like https://<your-organization>.okta.com
Within the Okta dashboard, find the Applications section in the left navigation panel. Click on it.
Click on Create App Integration.
Select SAML 2.0 and click Next.
Under General Settings:
Fill in the app name as "Lightbeam-SAML".
Upload an app logo (optional).
Under App Visibility, choose not to display the application icon to users or in the Okta mobile app.
Click on Next.
In Configure SAML:
Click on Next.
In Feedback:
Select 'I am an Okta customer adding an internal app' and 'This is an internal app that we have created'.
Finalize the setup by clicking 'Finish'.
Acquiring Service URL:
Scroll to 'SAML Signing Certificates'.
For 'Certificate Type SHA-2', click 'Actions' > 'View IDP Metadata'.
Copy the URL from the new tab and insert it into the 'Service URL' field during the Configure Auth Provider in LightBeam workflow.
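The two procedures above (the SAML app setup and "Acquiring Service URL") each ask you to paste URLs by hand, and a mismatch between them only surfaces later as a failed login. The following Python script is an added example, not LightBeam's or Okta's own code: it derives the Single sign-on URL and Audience URI from one LIGHTBEAM_ENDPOINT, checks that the Service URL has the https://<DOMAIN>/app/<TOKEN>/sso/saml/metadata shape, and parses an IdP metadata document to pull out the entityID, SSO endpoints and signing certificate that LightBeam will trust. The metadata it parses is a constructed sample with a placeholder host, entityID and certificate bytes; the function names (build_sp_urls, parse_idp_metadata, check_setup) are assumptions made for illustration, and the use of https on the SP side is the script's own recommendation, not something the guide states.

```python
"""Consistency checks for the values pasted during a LightBeam <-> Okta SAML setup.

Added example, not LightBeam's or Okta's code. Standard library only.
"""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Path of the broker endpoint from the guide's Single sign-on URL.
BROKER_PATH = "/auth/realms/master/broker/Okta/endpoint"


def build_sp_urls(lightbeam_endpoint: str, scheme: str = "https") -> dict:
    """Return the Single sign-on URL and Audience URI for one LightBeam endpoint.

    The guide pastes the same URL into both fields; deriving both from one
    input rules out a copy/paste mismatch, which otherwise shows up later as
    an assertion whose audience the service provider rejects.
    """
    url = f"{scheme}://{lightbeam_endpoint}{BROKER_PATH}"
    return {"single_sign_on_url": url, "audience_uri": url}


def is_okta_metadata_url(url: str) -> bool:
    """True if url has the https://<DOMAIN>/app/<TOKEN>/sso/saml/metadata shape."""
    p = urlparse(url)
    return p.scheme == "https" and re.fullmatch(r"/app/[^/]+/sso/saml/metadata", p.path) is not None


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints and signing certificates from IdP metadata.

    Raises ValueError for documents the service provider could not safely consume.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Map the binding's short name (HTTP-POST, HTTP-Redirect) to its Location.
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # an absent 'use' means any purpose
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()), validate=True)
            if not der or der[0] != 0x30:  # a DER certificate starts with an ASN.1 SEQUENCE tag
                raise ValueError("X509Certificate is not DER")
            certs.append(der)
    if not certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_setup(sp_urls: dict, metadata_url: str, idp: dict) -> list:
    """Return findings as strings; an empty list means the pasted values are consistent."""
    findings = []
    if sp_urls["single_sign_on_url"] != sp_urls["audience_uri"]:
        findings.append("Single sign-on URL and Audience URI differ")
    if urlparse(sp_urls["single_sign_on_url"]).scheme != "https":
        findings.append("SP endpoint is not https; SAML responses would travel unencrypted")
    if not is_okta_metadata_url(metadata_url):
        findings.append("Service URL does not have the Okta IdP metadata shape")
    if "HTTP-POST" not in idp["sso"]:
        findings.append("IdP metadata has no HTTP-POST SingleSignOnService")
    for binding, location in idp["sso"].items():
        if urlparse(location).scheme != "https":
            findings.append(f"{binding} SSO location is not https")
    return findings


# Constructed sample in the shape of Okta IdP metadata. Host, entityID and
# certificate bytes are placeholders, not a real tenant or key.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10" + bytes(16)).decode()
SAMPLE_METADATA_URL = "https://example.okta.com/app/exkPLACEHOLDER/sso/saml/metadata"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    urls = build_sp_urls("lightbeam.example.internal")
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print("paste into Okta:", urls)
    print("IdP entityID:", idp["entity_id"], "SSO:", idp["sso"])
    print("findings:", check_setup(urls, SAMPLE_METADATA_URL, idp) or "none")
```

To run it against a real tenant, save the document shown in the 'View IDP Metadata' tab and pass its text to parse_idp_metadata together with the tab's URL; the script deliberately does not fetch anything itself, so it can be run from a workstation with no access to either system.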
Accessing the App Catalog:
Navigate to 'Applications' in Okta and browse the 'App Catalog'.
Search for 'Bookmark App' and select it.
Click on Add the integration.
Under 'General Settings', set Application label as 'Lightbeam-Privacy' and input the LIGHTBEAM_ENDPOINT from the URL, which will look similar to: https://<LIGHTBEAM_ENDPOINT>
Confirm with 'Done'.
Updating App Details:
In the 'Lightbeam Privacy' page, edit the bookmark logo by clicking the pencil icon next to the app name. Upload your preferred logo.
Assign the app to the desired members. Navigate to 'Assign' > 'Assign to People' and select the members.
Confirm with 'Save And Go Back'.
Accessing the App:
In Okta, click on 'My Apps'. You'll find the recently created 'Lightbeam Privacy' app.
Upon selecting the app, it will redirect you to the LightBeam instance.
Troubleshooting Access Issues:
If faced with an error like "Okta 403 - App not assigned", it means the app isn't assigned in Okta.
To resolve, return to Okta and navigate to 'Applications' > 'Lightbeam SAML' > 'General'.
Use the 'Assign' function to grant access to the necessary members.
Once completed, retry accessing the 'Lightbeam SAML' app through 'My Apps'. You should be able to successfully log in using Okta.
Finalizing User Information:
Upon logging in, you can edit user details like username, email, first and last name.
Submit the updated information.
After configuring Okta in the LightBeam app, log out by clicking on the top-right icon. This action will display the login screen as shown below.
On the login screen (Fig. 10), you will now see a "Login with Okta" option.
When you click on Okta, it will redirect you to the Okta login page where users need to provide their credentials.
Once you have successfully logged in, the LightBeam Dashboard will be displayed.
On the user management screen, you will find a list of users along with their respective roles.
As Okta users begin to log in to the LightBeam app, all the successfully logged-in users will be listed on the user management page as depicted in Fig. 12 above.
LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.
Follow the Okta documentation on Single sign-on URL to get the field details, and copy the same value to Audience URI.
For any questions or suggestions, please get in touch with us at: .