How to authorize OKTA groups in Nodegrid

Okta Side:
1. Log in to the Okta admin panel.
2. Navigate to Directory and select People.
    Click Add person, enter the user's name and fill in the details.
3. Navigate to Directory and select Group.
    Click Add group and enter the group name (in my case sso_okta) and a description if required.
4. Select the group from the list of groups and click Manage People.
    All users are listed on the left side and the users in that group on the right side.
    Use the '+' sign next to a user to add that user to the group.
5. Navigate to Application and click the OKTA application. Select General, go to SAML settings and click Edit.
6. In Group Attribute Statements, enter these details:
    Name - memberOf
    Filter - Starts with: sso_
    You can use your own filter as required.
    For example, two groups are configured in OKTA named sso_ngadmin and sso_app. One group has users who will have admin-level access and the other group will have user-level access.
7. In Application-->OKTA application, go to Assignments, click Assign and select Assign to Groups.
8. Add the groups to the application and click Done.

Nodegrid Side:
1. Log in as admin in Nodegrid (coordinator).
2. Go to Security::Authorization and add a new group.
    The group name must be the same as the Okta group created in the Okta configuration (sso_ngadmin in this case).
3. Give that group the permissions it requires for accessing the device.
    Go to Security::Authorization, select the group, navigate to Profile and give the required permissions.
4. Add devices and set the device permissions for that group (r/w/rw).
    Go to Security::Authorization, select the group and navigate to Devices. Add the devices that need access.
5. Save the changes.
6. Repeat steps 2-5 for the second group.
7. Navigate to Security::Services::General Services and enable the option Device access enforced via user group authorization.
8. Click Save.

Now log in with a user from each of the two sso groups and test the devices and access assigned.

The user from sso_ngadmin will have all access.

The user from sso_app will have user-level access: no access except to the device it has been assigned to.

Note: The permissions an Okta user sees depend on the settings in Security::Authorization::<Group_Name>::Profile.
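A way to check the group mapping before testing logins, as an added example that is not part of the original article or of Nodegrid or Okta tooling: this Python script reads the memberOf values from a SAML assertion and compares them with the group names created under Security::Authorization. The sample assertion, the function names and the exact-match comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attribute portion of an assertion as produced by the
# "memberOf / Starts with: sso_" group attribute statement. Not real data.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>sso_ngadmin</saml:AttributeValue>
      <saml:AttributeValue>sso_App</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def asserted_groups(assertion_xml, attribute="memberOf"):
    """Return the values of the group attribute carried in the assertion.

    Inspection only: no signature validation is done, so feed it assertions
    captured from your own test login, never untrusted XML.
    """
    root = ET.fromstring(assertion_xml)
    path = f".//saml:Attribute[@Name='{attribute}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(path, NS)]

def check_mapping(assertion_xml, nodegrid_groups):
    """Compare asserted groups with Nodegrid authorization group names.

    Assumption: names are compared as exact strings; a name differing only
    in case is reported as a near miss so it can be corrected on one side.
    """
    local = set(nodegrid_groups)
    by_fold = {g.casefold(): g for g in local}
    report = {"matched": [], "unmatched": [], "near_miss": {}}
    for group in asserted_groups(assertion_xml):
        if group in local:
            report["matched"].append(group)
        else:
            report["unmatched"].append(group)
            if group.casefold() in by_fold:
                report["near_miss"][group] = by_fold[group.casefold()]
    return report

if __name__ == "__main__":
    print(check_mapping(SAMPLE_ASSERTION, ["sso_ngadmin", "sso_app"]))
```

An entry under "unmatched" is a group Okta sends for which no authorization group of the same name was found in the list supplied for Nodegrid.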
