How to integrate Okta SSO into PRTG?

I want to use Okta as SSO provider to authenticate users in PRTG. How can I do this? What configuration steps are necessary?

okta prtg single-sign-on sso

Created on Mar 25, 2022 1:03:28 PM by  Florian Weik [Paessler Support]

Last change on Apr 5, 2022 11:13:29 AM by  Florian Weik [Paessler Support]



3 Replies

Accepted Answer

This article applies as of PRTG 22.x.76


Important: The following article only applies to PRTG Network Monitor. It does not apply to PRTG Hosted Monitor.

How to integrate Okta SSO into PRTG

As of PRTG 22.x.76, you can use Okta as single sign-on (SSO) provider in PRTG. For the integration to work seamlessly, follow the steps in this article.


Requirements


Configuration steps to take:

  • Step 1: Configure Okta
  • Step 2: Configure SSO in PRTG
  • Step 3: Add a user group in PRTG

Step 1: Configure Okta

Follow these steps to configure Okta to work as SSO provider in PRTG.

  • Step 1.1: Add an authorization server
  • Step 1.2: Add persons (optional)
  • Step 1.3: Add a group (optional)
  • Step 1.4: Create an app integration

Step 1.1: Add an authorization server configuration

  • Log in to the Okta administrator console under https://${yourOktaDomain}/admin/dashboard.
  • Go to Security | API and click Add Authorization Server.
  • Enter a Name, for example default, and an Audience, for example api:default.
  • Click Save.
  • Select the authorization server that you have created and navigate to tab Claims.
  • Click Add Claim and enter the following values:
    • Name: Enter a name, for example Groups.
    • Include in token type: ID Tokens – Always
    • Value type: Groups
    • Filter: Define a filter to include the groups.
      Note: The filter defines which groups will be added to the claims of the tokens for this authorization server. Enter .* to add all available groups to the claims. Make sure that you enter at least one group, for example the group that you add in step 1.3.
    • Disable claim: Deselected
    • Include in: Any scope
  • Click Create.

For more information, see Build Custom Authorization Servers for API Access Management | Okta.


Step 1.2: Add persons (optional)

Follow the steps below to add or import persons that should have access via SSO.

For more information, see Manage users | Okta.


Step 1.3: Add a group (optional)

Follow the steps below to add a group that the application that you create in step 1.4 uses.

For more information, see Manage groups | Okta.


Step 1.4: Create an app integration

  • Go to Applications | Applications and click Create App Integration.
  • Select the following settings in the window that opens:
    • Sign-in method: OIDC – OpenID Connect
    • Application type: Web Application
  • Click Next.
  • On the New Web App Integration tab, enter the following:
    • Enter an App integration name, for example My Web Application.
    • For Grant type, select Authorization Code and Refresh Token.
    • For Sign-in redirect URIs, enter the IP addresses and DNS names of the PRTG installation(s) that your users use to connect to PRTG. For example, https://myprtg.domain.com:443/cb.
      Note: You can also skip this step for now and add the URLs in step 2 when you configure SSO in PRTG.
    • For Controlled access, select if you want to limit access.
      Note: If you select Limit access to selected groups, enter the name of the group(s) that you want to grant access, for example the group that you have created in step 1.3.
  • Click Save.

Step 2: Configure SSO in PRTG

Now that you have configured Okta, you need to configure the SSO settings in PRTG accordingly. To do so, follow these steps.

  • Log in to the PRTG web interface.
  • Go to Setup | System Administration | Single Sign-On.
  • Under SSO Login, select Enable.
  • Under Provider, select Okta from the dropdown list.
  • Under Configuration Endpoint, enter the configuration endpoint URL as follows: https://${yourOktaDomain}/oauth2/${authorizationServerId}/.well-known/oauth-authorization-server
    Note: Make sure to enter the Metadata URI that you can find under Security | API | <Your Authorization Server> in the Okta administrator console.
  • Click Load Configuration. This automatically fills in the values in the next four fields.

    Note: If this does not work, you must manually enter the values instead as follows. Also, make sure to replace ${yourOktaDomain} with the Okta domain of your application from the Okta administrator console and ${authorizationServerId} with your authorization server ID.
  • Under Scope, enter openid offline_access email profile. The required scopes are added by default after you add your authorization server. You can find the scopes of your authorization server under Security | API | <Your Authorization Server> in the Okta administrator console.
  • Under Application (Client) ID, enter the Client ID that you can find under Applications | Applications | <Your Application>.
  • Under Client Secret, enter the client secret that you can also find under Applications | Applications | <Your Application>.
  • Under Available Callback URLs, select the URLs that your users will use to log in to PRTG.

    Here is an example of what the URLs should look like: https://myprtg.domain.com:443/cb. You will need to add these to the Sign-in redirect URIs under Applications | Applications | <Your Application> in section Login in the Okta administrator console.
  • If the URL your users use to log in to PRTG is not listed because PRTG is reachable via a different URL (for example, myPRTG.example.com for login but PRTG lists myPRTG.internal.example.com), you can use the option Manually enter a URL. PRTG still lists all available endpoints if needed for forwarding. You then need to add the URL to the Sign-in redirect URIs under Applications | Applications | <Your Application> in section Login in the Okta administrator console.

    Note: Okta and PRTG both check if the callback URLs are allowed. Make sure you configure each required URL on both ends; otherwise, you will not be able to log in.
  • Click Test Single Sign-On Authorization Endpoint and wait for the success message.

    Note: Make sure that you have opened the PRTG installation for which you want to test the single sign-on authorization endpoint via a URL that you have configured as a valid redirection URI in the Okta administrator console.
  • Click Save.

You have now configured SSO in PRTG.


Step 3: Add a user group in PRTG

Now that you have configured SSO, you need to add a new user group in PRTG.

  • Log in to the PRTG web interface.
  • Go to Setup | System Administration | User Groups.
  • Hover over the blue (+) button and select Add User Group.
  • Under User Group Name, enter a meaningful name for the group, for example Okta SSO.
  • Under Active Directory or Single Sign-On Integration, select Use single sign-on integration.
  • Under SSO Group Claim, enter the access claim for the SSO group. Enter the name of the group(s) that you want to grant access to your PRTG installation.
  • Click Create.

You have now successfully integrated Okta as SSO provider in PRTG.

Created on Apr 5, 2022 9:44:19 AM by  Florian Weik [Paessler Support]

Last change on Apr 13, 2022 7:56:35 AM by  Florian Weik [Paessler Support]
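
A troubleshooting aid for the Groups claim from step 1.1 and the SSO Group Claim from step 3, added here as an example; it is not part of the original answer and not Paessler or Okta code. It decodes an ID token payload without verifying the signature (inspection only) and reports which group names map to PRTG, which are released in the token but unused (a sign the filter, for example .*, is broader than needed), and which PRTG claims never arrive. Assumptions: the claim is named Groups, PRTG compares group names exactly, and the token, issuer and group names are constructed sample values.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))


def audit_groups_claim(id_token: str, claim_name: str, prtg_claims: set) -> dict:
    """Compare the token's groups claim with the PRTG 'SSO Group Claim' values."""
    payload = decode_payload(id_token)
    if claim_name not in payload:
        # E.g. the claim is not included in ID tokens, the name differs in case,
        # or the filter matched none of the user's groups.
        return {"claim_present": False, "mapped": [], "unmapped_in_token": [],
                "never_in_token": sorted(prtg_claims)}
    value = payload[claim_name]
    groups = set([value] if isinstance(value, str) else value)
    return {
        "claim_present": True,
        "mapped": sorted(groups & prtg_claims),             # match a PRTG user group
        "unmapped_in_token": sorted(groups - prtg_claims),  # released but unused by PRTG
        "never_in_token": sorted(prtg_claims - groups),     # PRTG claim absent for this user
    }


# Constructed sample: unsigned token for a user in three groups, all released by a '.*' filter.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://example.okta.com/oauth2/aus-placeholder",
             "sub": "00u-placeholder",
             "Groups": ["Everyone", "Finance", "PRTG-Admins"]}),
    "constructed-signature-placeholder",
])

if __name__ == "__main__":
    print(audit_groups_claim(SAMPLE_TOKEN, "Groups", {"PRTG-Admins", "PRTG-ReadOnly"}))
```
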



Disappointing that the API Access management is required from the Okta side. Why is a custom authorization server needed? Why not use the default?

Created on May 8, 2022 7:58:38 PM by  dchristman (0)



Hello,

the custom server is more secure, this is why we use it here.

Created on May 10, 2022 11:21:55 AM by  Arne Seifert [Paessler Support]



Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.