Okta Side:
1. Log in to the Okta admin panel.
2. Navigate to Directory and select People.
Click Add person, enter the user's name and fill in the remaining details.
3. Navigate to Directory and select Group.
Click Add group, enter the group name (in my case sso_okta) and a description if required.
4. Select the group from the list of groups and click Manage People.
All users are listed on the left and the members of that group on the right.
Select a user with the '+' sign to add that user to the group.
5. Navigate to Application and click the OKTA application. Select General, go to SAML Settings and click Edit.
6. In Group Attribute Statements, enter these details:
Name - memberOf
Filter - Starts with: sso_
You can use your own filter if required.
For example, two groups are configured in Okta named sso_ngadmin and sso_app. One group holds the users who will have admin-level access and the other group holds the users who will have user-level access.
7. In Application-->OKTA application, go to Assignments, click Assign and select Assign to Groups.
8. Add the groups to the application and click Done.
Nodegrid Side:
1. Log in as admin to Nodegrid (coordinator).
2. Go to Security::Authorization and add a new group.
The Group Name must be the same as the Okta group created in the Okta configuration (sso_ngadmin in this case).
3. Give that group the permissions it needs to access the device.
Go to Security::Authorization, select the group, navigate to Profile and grant the required permissions.
4. Add devices and set the device permissions for that group (r/w/rw).
Go to Security::Authorization, select the group, navigate to Devices and add the devices that need access.
5. Save the changes.
6. Follow steps 2-5 for the second group.
7. Navigate to Security::Services::General Services and enable the option Device access enforced via user group authorization.
8. Click Save
Now log in with a user from each of the two SSO groups and test the devices and access assigned.
The user from sso_ngadmin will have all access.
The user from sso_app will have user-level access only: it will have access to no device other than the ones it has been assigned to.
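The following is an added example, not code from Okta or Nodegrid, that models the flow configured above: the memberOf group attribute statement with the "Starts with: sso_" filter, the SAML AttributeStatement it produces, and the name-based match against the Nodegrid authorization groups. The users, device names and the NODEGRID_GROUPS structure are constructed for illustration; the example also shows why a group whose Nodegrid name does not match its Okta name grants nothing.

```python
"""Model of the Okta -> Nodegrid group authorization flow (added example)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample data: each Okta user's full group list. "Everyone" is
# Okta's built-in group and must not reach Nodegrid; the sso_ filter drops it.
OKTA_USERS = {
    "alice": ["Everyone", "sso_ngadmin", "engineering"],
    "bob":   ["Everyone", "sso_app"],
    "carol": ["Everyone", "contractors"],
}

# Constructed stand-in for Security::Authorization: group name -> profile
# flag and per-device permissions. Names must equal the Okta group names.
NODEGRID_GROUPS = {
    "sso_ngadmin": {"admin": True, "devices": {}},
    "sso_app": {"admin": False, "devices": {"serial-01": "rw"}},
}


def okta_group_statement(groups, prefix="sso_"):
    """Apply the group attribute statement filter 'Starts with: sso_'."""
    return [g for g in groups if g.startswith(prefix)]


def build_assertion(user, groups):
    """Emit the AttributeStatement Okta would place in the SAML assertion."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name="memberOf")
    for g in okta_group_statement(groups):
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = g
    return ET.tostring(stmt, encoding="unicode")


def nodegrid_access(assertion_xml, config=NODEGRID_GROUPS):
    """Resolve memberOf values against the configured authorization groups."""
    root = ET.fromstring(assertion_xml)
    path = f"{{{SAML_NS}}}Attribute[@Name='memberOf']/{{{SAML_NS}}}AttributeValue"
    matched = [v.text for v in root.findall(path) if v.text in config]
    if not matched:  # no group name matched: the user gets no access at all
        return {"admin": False, "devices": {}}
    return {
        "admin": any(config[g]["admin"] for g in matched),
        "devices": {d: p for g in matched for d, p in config[g]["devices"].items()},
    }


def evaluate(user):
    return nodegrid_access(build_assertion(user, OKTA_USERS[user]))
```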