Configure SAML 2.0 for FleetDM

This guide provides instructions on configuring SAML Single Sign-On (SSO) for FleetDM in the Okta Org.

Contents

• Prerequisites
• Supported features
• Configuration steps
• Verify SP-initiated SSO
• Supported SAML attributes
• Notes

---

Prerequisites

• An Okta admin role that has permission to manage apps.
• An admin access to your FleetDM app.
• A FleetDM premium access to enable JIT and RBAC.

Supported features

FleetDM supports the following features when integrated with Okta:

• SP-initiated SSO
• IdP-initiated SSO
• Just-In-Time (JIT) provisioning

Configuration steps

Follow these steps to configure SAML 2.0 for FleetDM.

Integrate FleetDM with Okta

1. Sign in to Okta.
2. In the Admin Console, go to Applications > Applications.
3. Click Browse App Catalog.
4. Search for and select FleetDM and then click Add Integration.
5. Enter a label for the app, and then click Done.
6. Under the General Settings, configure the following:
   • Fleet instance base URL: Enter your base URL without the “https://” prefix or trailing slash. For example, if the URL is https://example.fleetdm.com/, then enter the base URL as example.fleetdm.com.
   • Entity ID: Enter a unique URI that identifies your FleetDM instance as the issuer. For example, fleet.
7. Under Retrieve Metadata, go to the Sign On (or Authentication) tab and scroll to SAML 2.0 configuration.
8. Copy the Metadata URL and store them securely for the next step.

Configure SSO in FleetDM

1. Sign in to FleetDM.
2. Go to Settings > Integrations > Single sign-on (SSO) > Fleet users.
3. Enter the following information:
   • Identity Provider Name: Enter a human-readable name. For example, Okta. This appears on the login button.
   • Entity ID: Enter the exact URI used in the Entity ID field in Okta. These values must match perfectly.
   • Metadata URL: Paste the metadata URL retrieved from your Okta app settings.

Verify SP-initiated SSO

SP-initiated SSO allows users to sign in to Okta directly from FleetDM.

1. Sign in to FleetDM (for example, https://<your-fleet-url>/login).
2. Click Sign in with Okta.
3. You're redirected to the sign-in page for your org.

Note: The IdP name dynamically reflects the value entered in the Identity provider name field when configuring Single Sign-On (SSO) within FleetDM.

Supported SAML attributes

FleetDM supports the following SAML attributes:

Name	Value
userName	user.userName
firstName	user.firstName
lastName	user.lastName

Notes

• Just-in-Time (JIT) Provisioning: For detailed instructions on enabling JIT user provisioning, refer to the Fleet JIT Documentation.

• Custom User Roles: To implement and customize specific user roles within FleetDM, refer to the Fleet Customization Guide.

• Optional Attributes: To send additional or optional attributes through SAML assertion for the FleetDM OIN app, refer to the following Okta support resources:

  • Define Attribute Statements (Okta Documentation)
  • Passing Extra Attributes in SAML OIN Apps (Okta Support)