SSO
Foxglove organizations on the Team plan can require Google or Microsoft SSO for sign-in; Enterprise organizations can also use Okta SSO as their authorization provider.
Require using SSO
On the SSO settings page, admins can select Google, Microsoft or Okta SSO as the organization's required authentication method. This disables signing in with all other providers, including email.
Okta signin
Available on the Enterprise plan. To start using Okta for SSO, an admin needs to configure the Foxglove organization on the SSO settings page.
Create Okta application
Create a new app integration on your Okta dashboard:
- Sign-in method – OIDC - OpenID Connect
- Application type – Single-Page Application
- Grant type – Authorization code
- Sign-in redirect URI – In https://app.foxglove.dev/{YOUR-FOXGLOVE-SLUG}/signin format (find YOUR-FOXGLOVE-SLUG on the Settings page)
- Sign-out redirect URI – https://app.foxglove.dev/signin
- Trusted Origins – Add https://app.foxglove.dev
- Access – Note that "Federation Broker Mode" is incompatible with Okta tiles
Enable Okta application tile
Optionally, you can enable Okta application tile sign in using these settings:
- Login initiated by – Either Okta or App
- Login flow – Redirect to app to initiate login (OIDC Compliant)
- Login URI – Same as the sign-in redirect URL in the previous step (https://app.foxglove.dev/{YOUR-FOXGLOVE-SLUG}/signin)
- Application visibility – Display application icon to users
This Foxglove logo works well as a custom tile icon.
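To check that the Okta app integration still matches the settings above, the following added example (not Foxglove's or Okta's own code) audits an exported app object and lists every deviation. It assumes the export uses the field names of Okta's Apps API for an OIDC app; the slug `example-org` and the sample object are constructed placeholders.

```python
# Added example: audits an exported Okta app object against the settings on this page.
# Field names follow Okta's Apps API representation of an OIDC app (assumed export format).
FOXGLOVE_ORIGIN = "https://app.foxglove.dev"

def audit_okta_app(app: dict, slug: str) -> list:
    """Return deviations from the app integration settings listed above."""
    signin = f"{FOXGLOVE_ORIGIN}/{slug}/signin"
    signout = f"{FOXGLOVE_ORIGIN}/signin"
    oauth = app.get("settings", {}).get("oauthClient", {})
    findings = []
    if app.get("signOnMode") != "OPENID_CONNECT":
        findings.append("sign-in method is not OIDC")
    if oauth.get("application_type") != "browser":  # Okta's value for a SPA
        findings.append("application type is not Single-Page Application")
    grants = set(oauth.get("grant_types", []))
    if "authorization_code" not in grants:
        findings.append("authorization_code grant is not enabled")
    extra = sorted(grants - {"authorization_code"})
    if extra:
        findings.append("unexpected grant types: " + ", ".join(extra))
    # Redirect URIs must match exactly; anything else is drift worth reviewing.
    for field, expected in (("redirect_uris", signin),
                            ("post_logout_redirect_uris", signout)):
        uris = oauth.get(field, [])
        if expected not in uris:
            findings.append(f"{field} is missing {expected}")
        findings += [f"{field} has unexpected entry {u}" for u in uris if u != expected]
    # The tile's Login URI is optional, but when set it must equal the sign-in URI.
    login_uri = oauth.get("initiate_login_uri")
    if login_uri is not None and login_uri != signin:
        findings.append(f"initiate_login_uri {login_uri} differs from {signin}")
    return findings

# Constructed sample: "example-org" is a placeholder slug, not a real organization.
DRIFTED_APP = {
    "signOnMode": "OPENID_CONNECT",
    "settings": {"oauthClient": {
        "application_type": "browser",
        "grant_types": ["authorization_code", "implicit"],
        "redirect_uris": ["https://app.foxglove.dev/example-org/signin",
                          "http://localhost:8080/signin"],
        "post_logout_redirect_uris": ["https://app.foxglove.dev/signin"],
        "initiate_login_uri": "https://app.foxglove.dev/signin",
    }},
}

if __name__ == "__main__":
    for finding in audit_okta_app(DRIFTED_APP, "example-org"):
        print("DEVIATION:", finding)
```

An empty result means the exported app matches the listed sign-in method, application type, grant type and redirect URIs; Trusted Origins are managed separately in Okta and are not covered by this check.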
Foxglove OIDC configuration
Configure application settings on the SSO settings page:
- Okta domain – Find in the Okta dashboard's profile dropdown (xxxxx.okta.com)
- Client ID – Find in the Applications list, below the app name
Manage members
- Provision members – Any Okta user with access to the Foxglove Okta application can sign in. A new Foxglove account is automatically created on first sign in.
- Remove users – Revoke the user's access in Okta, then remove the associated user on Foxglove's Team settings page to sign them out of Foxglove immediately. If non-Okta sign in methods are enabled for your account, emails matching your approved domains can always sign up.