Register Elastic Cloud SAML in Okta

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

To configure Elastic Cloud SAML SSO with Okta as the identity provider (IdP):

Create a new SAML 2.0 application in Okta.
1. Provide a name for the application and initially use placeholder SAML settings such as http://example.com/sso and http://example.com/sp for the SSO URL and audience URI.
2. Add attribute statements for your organization members' email addresses. These addresses should match the domains that you claimed per Claim a domain. Optionally add first and last names, which will be used to set the respective fields of the user’s Elastic Cloud account.
Save the application.
Collect information about the application from the Okta Sign on tab.
1. Get the SAML issuer and the SSO URL, which is the URL of the IdP where users will be redirected at login.
2. Download the signing certificate of the SAML 2 application.

For example:

curl -XPUT \
-H 'Content-Type: application/json' \
-H "Authorization: ApiKey $EC_API_KEY" \
"https://api.elastic-cloud.com/api/v1/organizations/$ORGANIZATION_ID/idp" \
-d '
{
  "enabled": true,
  "login_identifier_prefix": "<businessname>", 
  "name": "SSO with <businessname>",
  "saml_idp": {
    "public_certificate": [ 
      "<publiccert>"
    ],
    "issuer": "<issuer>", 
    "sso_url": "<ssourl>", 
    "subject": {
      "format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
    }
  }
}
'

	`login_identifier_prefix` is a customizable piece of the Elastic Cloud SSO url that your organization members can use to authenticate. This could be the name of your business. You can use alphanumeric characters and hyphens in this value and you can change it later.
	`public_certificate` is the Base64-encoded DER-encoded certificate that you downloaded. You must remove newlines and any PEM markers (such as `-----BEGIN CERTIFICATE-----` or `-----END CERTIFICATE-----`) so that the certificate is a single-line Base64-encoded string.
	`issuer` is the "Issuer" obtained from the Okta Sign on tab.
	`sso_url` is the "Sign on URL" obtained from the Okta Sign on tab.
	`format` is the SAML name-id format to use.

If successful, the API will return the details that will need to be provided to the IdP. For example:

{
	"login_identifier": "<loginidentifier>",
	"sso_login_url": "https://cloud.elastic.co/login/sso/<loginidentifier>", 
	"metadata_url": "https://cloud.elastic.co/api/v1/organizations/<orgid>/idp/metadata.xml",
	"acs": "<acs>", 
	"sp_entity_id": "https://cloud.elastic.co/organizations/<orgid>", 
	"signing_certificate": [ 
		"<cert>"
	]
}

	`sso_login_url` is the URL you can provide to organization members to initiate SSO with your Elastic Cloud organization.
	`acs` is the SAML assertion consumer service that your SAML IdP should send SAML assertions.
	`sp_entity_id` is the SAML entity ID of the service provider that your SAML IdP should send in the SAML audience.
	`signing_certificate` is the Base64-encoded DER-encoded certificate that SAML requests to your IdP will be signed with.

Update your SAML 2 application in Okta to use the values returned by the registration API.
1. Set the single sign-on URL to the ssl_login_url.
2. Set the audience URI (SP entity ID) to the sp_entity_id.
3. Upload the signing_certificate as the signature certificate.

When these steps are complete, you should be able to test SSO as described in Configure Elastic Cloud SAML SSO.

« Configure Elastic Cloud SAML single sign-on Register Elastic Cloud SAML in Microsoft Entra ID »