How to configure Okta SSO

Who can use this feature?
- Requires an Enterprise or Data Direct plan.
- Requires an admin role to configure.

Supported Features

The Okta Fullstory SAML integration currently supports the following features:

SP-initiated SSO
IdP-initiated SSO
Just-in-Time provisioning

Just-in-Time (JIT) Provisioning

Spend less time provisioning accounts and ensure only the right employees have access with Just-in-Time (JIT) provisioning for SAML. New users can be automatically provisioned when they first log in from your enterprise SAML SSO sign-in page.

Which SSO flows are supported?

We support both Service Provider-initiated SSO (in which users log in via a Fullstory login page) and Identity Provider-initiated SSO (in which users log in from your IdP dashboard).

Mapping users to Fullstory roles

You can also automatically assign users to Fullstory roles based on information contained within your Identity Provider (IdP) system. We provide implementation details on this optional configuration in the customizing SSO section of this article.

How do I configure SSO?

Note: If you're setting up SSO for the first time in an Umbrella account, repeat these steps for each account in your Umbrella. If you enabled SSO in an Umbrella account prior to May 2020, please contact support for help managing your configuration.

1. Admin users can configure SSO in Fullstory under Settings > Account Management > SSO. Click 'Configure SSO' to get started.


2. Enter your Connection Name. The Connection Name may be shown to unauthenticated users during the log-in process, so choose something intuitive like “Your Company Name SSO.”


3. Next, copy and paste the information provided (the SSO URL, Audience URL/Entity ID, and Request Signing Certificate) into the Okta Fullstory app so that Okta can generate a metadata.xml file.

Okta Configuration Steps

Our official Okta SAML app can be found here.

1. Copy your unique connection ID from your Fullstory SSO settings:

2. Paste it into the 'Unique connection ID' section in Okta.

3. Click 'Next' and move on to the last section, the Sign-On Options settings.

4. Leave the default 'Relay State' empty. Copy the 'Metadata URL' to access its contents.

5. Copy and paste the contents of your IdP-generated metadata.xml file into Fullstory to complete the configuration.


* The following SAML attributes are configured:

   | Name      | Value          |
   | --------- | -------------- |
   | email     | user.email     |

SP-initiated flow

The sign-in process is initiated from Fullstory.

1. From your browser, navigate to the sign-in page: https://app.fullstory.com/sso/{unique-connection-id}

2. Enter your Okta credentials and click 'Sign in with Okta.'

If your credentials are valid, you will be redirected to the Fullstory dashboard.

How do I customize my SSO settings?

After you configure SSO, customize your settings under Settings > Account Management > SSO.

In the 'Domains and Certificate' section, a Fullstory Admin can list their email domain.

If additional email domains need to be added, a teammate with the additional domain must be invited and granted admin access to add the additional domain.

After adding email domains, if any user enters a known domain that requires SSO, the Fullstory standard login page will recognize this and redirect that user to your SSO login page.

Requiring SSO for all teammates

When SSO is initially configured, it defaults to optional mode. In optional mode, users can log in with their Fullstory credentials or with SSO. At any time, your Fullstory Admin can toggle on “Require SSO for all teammates.” Once enabled, all users with a Standard, Admin, Architect or Umbrella Manager seat type will be required to log in with SSO.

Enabling just-in-time seat provisioning

Toggle on “Automatically create new user accounts" (just-in-time seat provisioning) to enable JIT. When enabled, new users can be automatically provisioned when they first log in from your enterprise SAML SSO sign-in page.

Please note: If role mapping is not configured, new users added via just-in-time provisioning will be assigned a Standard seat type.

Mapping users to roles via SAML attribute

You can also automatically assign users to Fullstory roles (Admin, Architect, Standard, Guest) based on information contained within your Identity Provider (IdP) system. This is an optional configuration that allows you to remove the extra step of updating the user’s permissions via the Settings UI. Learn about Fullstory roles

When using role mapping for a given org, we suggest enabling Require SSO for all teammates. If users log in using a different authentication method, their roles will not be updated.

Follow these steps to set up the mapping:

  1. Navigate to Settings > Account Management > SSO. From the SSO configuration panel, toggle on the option to Map users to roles via SAML attribute.

  Next, configure your identity provider to send a new attribute in the SAML response:

  2. Enter fullstoryRole as the name of your SAML attribute in Okta.
  3. Navigate to Directory > Profile Editor.
  4. Search for the Fullstory app, then click it.
  5. Click 'Add Attribute,' then enter the following:
    a. Display Name: fullstoryRole
    b. Variable Name: fullstoryRole
    c. Attribute required: Yes
    d. Click 'Save'

    Note on attribute type: if you check Personal, the attribute will be available once you assign the user to the application, and will not be available once you assign the group to the app.

  6. Now, when you assign a user to the app (Assignments tab of the application), provide the required value of the role.
  7. The following values are supported:
    • guest
    • standard
    • explorer
    • admin
    • architect
  8. The Umbrella Manager role is not supported. If your company uses the Umbrella Management (“Multi-org management”) capability, assign Umbrella Manager roles to users from the Umbrella Users UI in Settings, as described here.

Here is an example of the expected SAML attribute once role mapping is configured:

<saml2:Attribute Name="fullstoryRole"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:type="xs:string">
    admin
  </saml2:AttributeValue>
</saml2:Attribute>
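As an added illustration (this is not Fullstory's or Okta's code), the following Python reads the email and fullstoryRole attributes from an assertion's AttributeStatement the way a service provider would, falls back to the Standard seat type when role mapping is off or the attribute is absent (as the JIT note above describes), and rejects values outside the supported list. The sample assertion fragment and the jane.doe@example.com address are constructed for the example.

```python
# Added example (not Fullstory's or Okta's code): read the AttributeStatement of a
# SAML 2.0 assertion the way a service provider would, and resolve the seat type
# from the fullstoryRole attribute this article configures.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Role values the article lists as supported for fullstoryRole.
SUPPORTED_ROLES = {"guest", "standard", "explorer", "admin", "architect"}
# Seat type the article says JIT assigns when no role mapping applies.
DEFAULT_ROLE = "standard"


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_role(attrs: dict, role_mapping_enabled: bool = True) -> str:
    """Map fullstoryRole to a seat type; missing or unknown values never escalate."""
    if not role_mapping_enabled:
        return DEFAULT_ROLE
    values = attrs.get("fullstoryRole", [])
    if len(values) != 1:
        # Attribute absent or multi-valued: fall back to the default seat type.
        return DEFAULT_ROLE
    role = values[0].lower()
    if role not in SUPPORTED_ROLES:
        # e.g. an "umbrella manager" value, which the article says SAML cannot assign
        raise ValueError(f"unsupported fullstoryRole value: {role!r}")
    return role


# Constructed sample fragment carrying the two attributes this article configures.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="fullstoryRole"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>admin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
```

Running `resolve_role(extract_attributes(SAMPLE_ASSERTION))` returns "admin"; the same call with role mapping disabled, or on an assertion that omits fullstoryRole, returns "standard".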

Anything else I should know?

First, be sure to note your certificate expiration date. You’ll need to update your certificate manually before it expires under Settings > Account Management > SSO.

Second, deleting a user from your Identity Provider does not automatically delete them from your Fullstory team. You’ll also need to manually delete them from Fullstory.
