How to connect Puppet Enterprise to Okta using SAML

source link: https://puppet.com/blog/how-to-connect-puppet-enterprise-to-okta-using-saml/

by Chris Lawrence | 18 November 2021

Staff in organizations are now required to access multiple applications in their infrastructure, which can leave each user managing multiple login credentials and passwords. Many solutions provide a single sign-on (SSO) capability, such as Okta, LDAP, and Active Directory, and using one is becoming common practice across businesses.

In this post, I will give a step-by-step guide on how to connect Puppet Enterprise to Okta using SAML. This will allow you to use the same credentials to log in to the application as you use for other applications integrated with Okta. The "User ID" and password are stored centrally, meaning that you don't have to manage separate credentials to access the Puppet Enterprise Console.

Why connect Puppet Enterprise to Okta?

You may be wondering why you’d want to connect Puppet Enterprise to Okta. Okta enables you to log in to a single application without being required to enter your credentials for any other application that has been integrated.

If you have multiple applications running on premises, in the cloud, or on a secure network, managing access with SSO provides a single entry point for those applications on your infrastructure. This simplifies securing access to Puppet Enterprise and, with the correct RBAC permissions configured in the Console, will allow users the right level of access for managing the platform.

What’s SAML?

First things first: What’s SAML? Security Assertion Markup Language (SAML) is the authentication protocol used for the integration: it enables communication between the identity provider (IdP), in this case Okta, and the service provider. The Puppet Enterprise console is then accessed with trusted information, meaning that the user only has to authenticate once; the IdP service is used to store and maintain user information for each single login.

Connecting Puppet Enterprise to Okta

Connecting Puppet Enterprise to a SAML IdP is possible as of version 2021.2.0. In this blog I will demonstrate how to integrate Okta with Puppet Enterprise. I will be using a development Okta instance. You can also request an instance from the vendor’s website.

Once you have an instance and can connect to it from Puppet Enterprise, you are ready to proceed.

The very first step is to log in to Puppet Enterprise with an administrator account, then from the left menu under "Admin" click "Access control" and select the "SSO" tab.

