Require SAML for audience-specific pages

Single sign-on for audience-specific pages needs to be enabled by support. Contact support to get this feature turned on for your page. SSO for audience-specific pages does not allow the use of custom domains.

SSO for audience-specific pages allows you to completely lock down your status page to employees only and have them authenticate with existing SSO credentials to both view the page and subscribe to notifications. Statuspage officially supports several identity providers and can integrate with any IdP that speaks SAML 2.0.

Note: SSO for audience-specific pages comes with all private status pages. The number of SSO Employees is dependent upon your private page plan.

Set up SAML for page viewers

The following tutorial will take you through creating a custom SAML application to integrate with Statuspage SSO for Employee Viewers. We'll be creating a custom application within Okta for demonstration purposes. Keep in mind that these steps may differ slightly depending on your IdP setup.

  1. Click Your page in the left sidebar.

  2. Click Authentication from the second menu that opens in the left sidebar.

    • If you don't see the Authentication tab, this means SSO hasn't been enabled for your account. Contact us for help.

  3. Click Configure next to SAML.

  4. On top of this form, you'll see two values; ACS URL / Consumer URL and EntityID/Audience URL, These values will be needed within your IdP.

    • Alternately, you can click on service provider metadata XML file for this Organization to see the raw SAML metadata.

screenshot of SAML metadata

Audience-specific setup in Okta

You’ll need to configure your SAML assertion to map to an Audience-specific group. This requires configuration both in Statuspage, as well as in Okta.

When configuring SAML for an audience-specific page, you’ll notice that the Statuspage metadata requires two additional Attributes, one of which is called ‘groups’. When your Statuspage parses an incoming SAML Assertion, it parses out this value to determine what audience-specific group to match against for the incoming user. Configure your SAML assertion to send an Attribute called ‘groups’, which will either contain a group name or other unique identifier.

  1. Navigate to your Okta admin portal and open the Statuspage.io application.

  2. Select the Sign on tab.

  3. Click Edit.

  4. Select Regex in the groups dropdown and add ".*" to the text field next to it. The Regex setting allows filtering and will allow your Okta application to pass the user's group attribute.

  5. Click Save.

  6. Click on the Directory link.

  7. Select Profile Editor.

  8. Select or search for your Statuspage application and click the Edit Profile button.

  9. Click the +Add Attribute button.

  10. In the Display Name and Variable Name fields, enter the word "Groups".

  11. Check the Attribute Required checkbox.

  12. Click Save.

The Okta screen where you enter Regex information

Audience-specific setup in Statuspage

  1. Log in to your Statuspage management portal and select the Audience section. Make sure you are on the Groups tab and click the +Add Group button.

  2. Add a Group Name and the External Identifier from Okta. The External Identifier used here is the Group Name from Okta.

    • The Group Name within Statuspage can be anything, but the External Identifier needs to be the same as the corresponding Group Name within Okta.

  3. Open an Incognito/private browser window (this will ensure cached settings are not used) and navigate to your Statuspage. This will bring up the Okta login window.

  4. Login with the credentials of a user that belongs to the Group that was just created in Statuspage. If the setup and configuration is correct, the user will be logged in.

You've enabled single sign-on for your audience-specific Statuspage account.

Troubleshooting

The most common issue encountered when setting up SSO for audience-specific pages displays the following error message: Hmmm, Looks like you’re sending a valid assertion, but we couldn’t match your group identifier with a Page Access Group! Are you sending the right value?

This message means means that the user is not associated with an audience-specific group that is authorized to view your Statuspage. The main step to resolve this would be to ensure that the user is part of a Group in Okta that has been set up in Statuspage as well.

If you experience issues with the setup of Okta SSO for your audience-specific environment, please contact us.

Additional Help