This section describes how to integrate the OKTA IdP with Carbon Black EDR.

To integrate the OKTA IdP:

  1. Acquire metadata XML from the OKTA IdP and place it in the /etc/cb/sso directory on the Carbon Black EDR server host. (You are not required to use this directory, but it is a good default location.)

  2. On the Carbon Black EDR server, navigate to /etc/cb/sso and:

    1. Copy /etc/cb/sso/sso.conf.example.okta to /etc/cb/sso/sso.conf.

    2. Copy to

    3. Make appropriate changes to the file based on the attributes returned from Okta. Each configurable property is accompanied with additional inline documentation in the file to assist with this process.

  3. Review and edit the /etc/cb/sso/sso.conf file as described here.


    The syntax of the sso.conf configuration file must fully conform to the JSON data-interchange format. Failure to do so can create an invalid configuration file, which prevents the services from launching properly. When changes are made to this file and cb-enterprise is restarted, check /var/log/cb/coreservices/debug.log to make sure there are no errors.

    If an administrator configures the Single Logout (SLO) service in both the IdP Service and Endpoint sections and a user logs out of the Carbon Black EDR server, the user is also logged out of the Okta application. This effectively logs the user out of all Okta applications.

    1. Specify the file path to the location of the metadata XML from the OKTA IdP. For example:

      "metadata": {
            "local": [
              "<file path to location of IdP XML>"
    2. Make sure the attribute_mapper field has the path to the Python Mapper file:

      "attribute_mapper": "/etc/cb/sso/",

    3. Change the accepted_time_diff field if needed:

      "accepted_time_diff": 600,

    4. Update the service / sp / idp section with the appropriate appid from the OKTA IdP. For example:

      "service": {
       "sp": {
           "nameid_format": "urn:oid:",
           "idp": {
               "<appid>": {
    5. Update the single_sign_on_service and single_logout_service sections with the appropriate name and appid from the OKTA IdP For example:

      # URLs in this section MUST be updated to match the URLs defined by the
      # IdP you are integrating with
      "single_sign_on_service": {
       "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "<name>/<appid>/sso/saml"
      "single_logout_service": {
       "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "<name>/<appid>"
    6. In the endpoints section, update the assertion_consumer_service and single_logout_service fields with the appropriate IP address of FQDN of Carbon Black EDR. For example:

      "endpoints": {
         "assertion_consumer_service": {
            "https://<IP Address or FQDN of the CB Server>/api/saml/
         "single_logout_service": {
            "https://<IP Address or FQDN of the EDR Server>/api/saml/
      logout": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    7. Update the entityid field with the appropriate IP address or FQDN of the Carbon Black EDR server. For example:

      "entityid": "https://<IP Address or FQDN of the EDR Server>/",
    8. Search the sso.conf file for “TODO” and ensure that all “TODO” tasks are completed.

  4. Open the /etc/cb/cb.conf file and edit the SSOConfig property so that it contains the full path to the SSO configuration file that was previously created. This single property defines whether Carbon Black EDR server will be started in standalone vs. federated authentication mode.


    To deactivate SSO integration, comment out the SSOConfig property.

  5. Generate Carbon Black EDR’s SSO service provider metadata XML file by issuing this command:

    /usr/share/cb/cbssl sso --make-metadata > /<your file path>

  6. Give the XML file to the IdP to complete the trust.

  7. Restart the Carbon Black EDR server by issuing this command:

    sudo service cb-enterprise restart