Skip to content

Identity Providers

Satori integrates with identity providers to enrich its identity context and deliver better analytics and more accurate access control policies. Satori interacts with identity providers either via API or by using the SAML protocol.

API-Based Integrations

In API-based integrations, customers provision an API token for Satori to access the identity provider and fetch additional information about the user, like groups. API-based integrations are supported in both single sign-on and non-single sign-on flows, and are less dependent on the type of data store. The only requirement is that the credentials used to authenticate to the data store can be used to lookup information about the user. For example, if John Smith's user ID in the identity provider is john.smith@example.com and John is using the same ID to connect to the data store, Satori will be able to lookup John in the identity provider.

Okta API Integration

The Okta API token needs either a Group Admin or Read-Only Admin permissions. To create an API token for Satori to access Okta follow these steps:

  • Go to your Okta console and access the admin view. Your Okta console should be available in https://<your_okta_hostname>.okta.com
  • Select API and then Tokens
  • Select Create Token
  • Provide a name for the token and select Create Token
  • Copy the token value

Follow these steps to set the API token in Satori and enable Okta for your data store:

  • Go to the Satori management console
  • Select Identity Providers under Account Setting, Add and then Okta
  • Enter your:
    • Okta hostname, for example: https://acme.okta.com
    • API token, for example: 12H-VciTZ_1ZBD8TpMWfXBh00WcaXeuqookQRafock.
  • Select Test to check if the configuration is correct. If not, a detailed error message would appear
  • Select the data stores you want Satori to use Okta on.

AzureAD API Integration

The Azure API integration requires:

  • Tenant ID
  • Enterprise application and its Application ID (as a client ID)
    • Enterprise application can be created at Azure Active Directory service -> Enterprise applications.
    • Assign following permissions to this application at Azure Active Directory service -> API permissions
    • https://graph.microsoft.com/User.Read.All
    • https://graph.microsoft.com/GroupMember.Read.All
    • Make sure you "Grant admin consent for Tenant Name" and status is Granted.
  • Client secret for above application
    • Client secret can be created at Azure Active Directory service -> App registrations -> Certificates & secrets

Follow these steps to set the API token in Satori and enable Azure for your data store:

  • Go to the Satori management console
  • Select Identity Providers under Account Setting, Add and then Azure Active Directory API

  • Enter your:

    • Tenant ID, for example: ee718de2-b2b3-43da-9331-b40504c57f49
    • Application (client) ID, for example 293691c5-0b43-4f07-8e5c-771c75ec6c4b
    • Client secret, for example: 12H-VciTZ_1ZBD8TpMWfXBh00WcaXeuqookQRafock

  • Select Test to check if the configuration is correct. If not, a detailed error message would appear

  • Select the data stores you want Satori to use Azure Active Directory API on.

OneLogin API Integration

OneLogin's integration binds the detected user email to the group that the user is assigned to.

The OneLogin API integration requires:

  • Client ID
  • Client Secret

The Client ID and Secret can be created at the following location Developers -> API Access. The new API credentials should receive at least a Read users access.

Perform the following steps to set the API credentials in Satori and enable the OneLogin for your data store:

  • Go to the Satori management console
  • Select the Identity Providers under the Account Setting, Add and then choose the OneLogin API.
  • Enter your API Credentials
    • Client ID, for example: 410d1909535ef70149ac34f706277082951215b30bdd114608a7499fd4875772
    • Client Secret, for example: ba92c053174590ebeb0332b5c83aa6a4367bca4be816e2ba9c538e4d640b2b8d
  • Select Test to check if the configuration is correct. If not, a detailed error message will appear.
  • Select the data stores that you want Satori to use on the OneLogin API.

SAML-Based Integration

In SAML-based integrations, customers configure their identity provider to send additional information about the user as part of the SAML assertions sent when a user logs in. The advantage of this integration is that there's no need to provision an API token for Satori to the identity provider, however it requires that the data store supports SAML-based authentication.

To define policies that use an identity provider group, use the Identity Provider Group tag.

Okta SAML-Based Integration

To send additional information about the user from Okta, follow these steps:

  • Go to your Okta console and access the admin view. Your Okta console should be available in https://<your_okta_hostname>.okta.com
  • Select the application you use to enable access to a Satori-protected data store
  • Edit the application and go to the Configure SAML step
  • In the GROUP ATTRIBUTE STATEMENTS (OPTIONAL) section, add an attribute named groups and Unspecified for the Name format field. In the Filter field, select the desired option to provide filter which group names will be sent. To send all groups, select Matches regex with value .*.

Screenshot

Okta groups are shown in Satori by their unique name, for example: Security Team.

AzureAD SAML-Based Integration

To send additional information about the user from AzureAD, follow these steps:

  • Go to your AzureAD console and access the Enterprise Application view.
  • Select the application you use to enable access to a Satori-protected data store.
  • Select the Single sign-on view and press Edit in the User Attributes & Claims section.
  • Select Add a group claim, and in the Group Claims panel select which groups associated with the user to send in the claim.
  • In the Advanced options section, check the Customize the name of the group claim checkbox and in the Name field enter groups.

Screenshot

AzureAD groups are shown in Satori by their unique ID, for example: 1053707e-fdac-4af7-8d98-2347dfd79052.

OneLogin SAML-Based Integration

To send additional information about the user from OneLogin, follow these steps:

  • Go to your OneLogin console and access the SAML application.
  • In the Parameters tab, add a new parameter.
  • Set the name of the parameter to groups and check the Include in SAML assertion flag.
  • Select the value of the parameter, for example, Member Of and select Save.

Screenshot