
Attribute mapping for Okta

Mapping users at Okta to permissions at Rackspace is necessary to ensure your users have access to the applications and permissions that they need.

Mapping Okta groups to Rackspace

Assigning permissions based on groups is an efficient way to ensure you assign permissions properly to multiple users. You can use existing Okta groups or create Rackspace-specific groups at Okta.

To send Okta group information to Rackspace, you can configure the Group Attribute Statements in your SAML application by completing the following steps:

  1. Log in to your organization's Okta account by using your organization's sign-in page.
  2. Click Applications located on the top ribbon.
  3. Click your Rackspace Federation application. If you have not yet set this up, see the instructions in the Configure Rackspace Federation at Okta section.
  4. Click the General tab for the application.
  5. Scroll down to the SAML settings section and click the Edit button. Skip the first page of the SAML wizard by clicking Next.
  6. In the section Group Attribute Statements (Optional), enter a name for the group attribute statement in the Name field.
  7. Leave Name format set to Unspecified.
  8. Choose a Filter option and enter the necessary details. For example, if you want to include all the user's groups that have the word rackspace in your SAML assertions, add a field with an appropriate name like groups, and select a regex filter with the value .*rackspace.*.
  9. Click Next, then click Finish.

Mapping Rackspace permissions to Okta groups

This section details how to map Okta groups to specific Rackspace attribute mapping policies. Attribute mapping policies determine the Rackspace roles and permissions assigned to Okta groups.

Update your Rackspace YAML (.yml) attribute mapping policy by using the following steps:

  1. Log in to the Rackspace Customer Portal.
  2. In the upper right area of the navigation bar, select Account > User Management from the drop-down menu. Alternatively, browse directly to the User Management page in the Rackspace Account Management Control Panel.
  3. In the sub-navigation bar, select Identity Federation.
  4. Edit your Identity provider by clicking the name of the provider.
  5. Scroll down to the Attribute Policy Mapping section.
  6. Download the .yml file and make any applicable edits. See the next section for an attribute policy mapping example .yml configuration.
  7. Click the Update button and upload the updated .yml file.

Attribute policy mapping example

The following example shows a Rackspace YAML (.yml) attribute mapping policy that you can use when you configure your identity provider with Rackspace. This example assumes that you have a group named rackspace-billing with users that you want to access Rackspace billing services by using the billing:admin Rackspace role. See Rackspace Cloud roles for a full list of all Rackspace roles.

Notes:

  • Change the groups specified in the example to match your configured Okta groups.
  • Any YAML group name must match your Okta group name exactly.
  • At a minimum, remember to update the example's domain value to the Identity domain shown on the Identity Provider details page.
  • Validate that any values mapped to email and expire are properly specified for your specific SAML attributes or assertions. For example, in the following example policy, email is set by using the path ("{Pt}") syntax in the Attribute Mapping Policy language to point to the NameID attribute in the SAML assertion.

mapping:
  version: RAX-1
  rules:
    - local:
        faws:
          groups:
            multiValue: true
            value:
              - "{Ats(groups)}"
        user:
          domain: "your_domain_id_goes_here"
          # Update to your Identity Domain from the Identity Provider details page
          email: "{Pt(/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID)}"
          expire: PT4H
          # This would configure a maximum session duration of four hours,
          # you may wish to set this to a SAML provided value
          name: "{D}"
          # This value matches to the SAML attribute "name" by default.
          roles:
            - "{0}"
      remote:
        - multiValue: true
          path: |
              (
                if (mapping:get-attributes('groups')='rackspace-billing')
                then    'billing:admin' else ()
              )
          # Substitute these example groups with your own groups.

See Required SAML attributes for a detailed breakdown of each section of the YAML configuration.

Be sure to validate and modify the following items in your Attribute Mapping Policy:

  • The Okta groups that users belong to and to which you want to map specific Rackspace permissions
  • The expire value/path
  • The email value/path

For more examples and a complete guide to the Attribute Mapping Policy language, see the Appendix: Attribute Mapping Policy Reference.
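
A pre-upload check for the group names and domain value discussed above, as an added example that is not part of the Rackspace guide or of any Rackspace or Okta tool. The function names and the sample group list are hypothetical, and the check assumes the Okta regex filter must match the whole group name, as the .*rackspace.* pattern above suggests.

```python
import re

PLACEHOLDER_DOMAIN = "your_domain_id_goes_here"  # placeholder from the page's example policy
# Finds tests of the form mapping:get-attributes('<attribute>')='<group>' in a policy.
GROUP_TEST = re.compile(r"mapping:get-attributes\('([^']+)'\)\s*=\s*'([^']+)'")

def sent_groups(okta_groups, group_filter):
    """Groups the Group Attribute Statement would send (assumes whole-name regex match)."""
    return [g for g in okta_groups if re.fullmatch(group_filter, g)]

def lint_policy(policy_text, okta_groups, group_filter, attr_name="groups"):
    """Return a list of findings for one policy; an empty list means no issue was found."""
    findings = []
    sent = set(sent_groups(okta_groups, group_filter))
    for attr, group in GROUP_TEST.findall(policy_text):
        if attr != attr_name:
            findings.append(f"policy reads attribute '{attr}' but Okta sends '{attr_name}'")
        elif group in sent:
            continue  # exact, case-sensitive match with a group that is actually sent
        elif group in okta_groups:
            findings.append(f"group '{group}' exists at Okta but the filter never sends it")
        elif group.lower() in (g.lower() for g in okta_groups):
            findings.append(f"group '{group}' differs only by case from an Okta group")
        else:
            findings.append(f"group '{group}' does not exist at Okta")
    if PLACEHOLDER_DOMAIN in policy_text:
        findings.append("domain is still the example placeholder")
    return findings

# Constructed sample data: the remote rule from the example policy and a made-up group list.
SAMPLE_POLICY = """\
      remote:
        - multiValue: true
          path: |
              (
                if (mapping:get-attributes('groups')='rackspace-billing')
                then    'billing:admin' else ()
              )
"""
SAMPLE_GROUPS = ["Rackspace-Billing", "rackspace-support", "engineering"]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY, SAMPLE_GROUPS, r".*rackspace.*"):
        print("FINDING:", finding)
```

Any finding means the role in the then branch would not be assigned at login, or the policy would be uploaded with the wrong domain, so resolve findings before clicking Update.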

©2020 Rackspace US, Inc.