How to Configure Okta in Nodegrid

How to configure Single Sign-On authentication in Nodegrid using Okta


This document describes the configuration required in Nodegrid and in Okta.

Nodegrid currently supports SP-Initiated SSO and IdP-Initiated SSO.

Create the Nodegrid Application in Okta

  1. Log on to the Okta Admin Panel and navigate to Applications.
  2. Click Add Application, then click on Create New App. See SAML Application Setup (https://developer.okta.com/docs/guides/saml-application-setup/overview/) for help.
  3. Select Web as the Platform and SAML 2.0 as the Sign on method. Click Create.
  4. Enter an App name, then click Next.
  5. Fill out the following fields:
     1. Single sign on URL: https://<IP>/saml/2-0/<IdP Name>
        1. IP: Insert Nodegrid’s IP
        2. IdP Name: Has to be the same as the Name field in Nodegrid
     2. Audience URI (SP Entity ID): Must be the same as the Entity ID field in the Nodegrid configuration
     3. Default RelayState: Leave it blank
     4. Name ID format: Select Unspecified
     5. Application username: Select Okta username prefix
     6. Update application username on: Select Create and Update
  6. To enable Group Mapping, under GROUP ATTRIBUTE STATEMENTS:
     1. Name: memberOf. Name format: Unspecified.
     2. Filter: Starts with sso_. (This returns only groups whose names start with the prefix sso_.)
  7. Click Next.
  8. Select I’m an Okta customer adding an internal app. Check the This is an internal app that we have created box. Click Finish.
  9. Under Assignments, click on Assign, and choose which users or groups will have access to this App.
  10. Under Sign On, click on View Setup Instructions.
  11. Scroll down and copy the XML data into an XML file, or download the certificate and copy the fields into Nodegrid.
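
A pre-import check for the metadata saved in the last step, added here as an example and not part of Nodegrid's or Okta's own tooling: it parses the Okta IdP metadata XML, extracts the values for the Nodegrid SSO URL, Issuer and x.509 Certificate fields, and rebuilds the Single sign on URL from the Nodegrid IP and IdP name. The sample metadata is constructed (placeholder bytes instead of a real certificate), the function name nodegrid_fields is hypothetical, and the URL-safe name check is this example's own conservative assumption.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder bytes stand in for the DER certificate,
# and the entity ID and URLs are made up.
FAKE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="http://www.okta.com/EXAMPLE_ENTITY_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def nodegrid_fields(metadata_xml, nodegrid_ip, idp_name):
    """Map Okta IdP metadata to the SSO fields listed in the Nodegrid setup."""
    # The IdP name is a path segment of the Single sign on URL, so this example
    # refuses names that would need URL-encoding (assumption, not a Nodegrid rule).
    if not idp_name or quote(idp_name, safe="") != idp_name:
        raise ValueError("IdP name must be URL-safe and identical in Okta and Nodegrid")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = sso.get(POST) or sso.get(REDIRECT)  # prefer POST, fall back to Redirect
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError("SSO URL missing or not HTTPS")
    certs = idp.findall(".//ds:X509Certificate", NS)
    if len(certs) != 1:  # one certificate field in Nodegrid, so refuse ambiguity
        raise ValueError(f"expected one signing certificate, found {len(certs)}")
    der = base64.b64decode("".join(certs[0].text.split()), validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return {
        "SSO URL": sso_url,
        "Issuer": root.get("entityID"),
        "okta.crt": f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n",
        "SHA-256 of certificate": hashlib.sha256(der).hexdigest(),
        "Single sign on URL": f"https://{nodegrid_ip}/saml/2-0/{idp_name}",
    }
```

Call nodegrid_fields with the XML saved from Okta, the Nodegrid IP and the IdP name, then write the okta.crt value to a file with the .crt extension for upload. The SHA-256 value can be compared against the certificate downloaded separately from the Okta Admin dashboard to confirm both sources agree.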


Nodegrid Setup: Web Interface

  1. Log in as admin in the Nodegrid Web Interface
  2. Click on the 'Security' icon, then 'Authentication' tab
  3. Click on 'SSO' tab
  4. If you copied Okta’s XML metadata and pasted it to an XML file, click on the 'Import Metadata' button. If you only downloaded the certificate, click on 'Add'.
  5. Fill out all fields:
     1. Name: Name of Identity Provider
     2. Status: Status of Identity Provider
        1. Only one Identity Provider can be enabled at a time
     3. SSO URL: Copy the SSO URL from the Okta Admin dashboard
     4. Entity ID: Unique ID of Service Provider
     5. Issuer: Copy the Entity ID from the Okta Admin dashboard
     6. x.509 Certificate: Upload okta.crt (Nodegrid does not accept .cert files) that was downloaded from Okta Admin dashboard.
     7. Icon: Choose an icon that will show on login page
  6. After entering all the required information, click Save.
  7. This is an example of a valid configuration:




Nodegrid Group Setup: Web Interface

If group mapping is enabled in Okta, then the groups must also exist in Nodegrid. Here are the steps to create a group in Nodegrid:

  1. Log in as admin in the Nodegrid Web Interface
  2. Click on the 'Security' icon, then 'Authorization' tab
  3. Add group (Name must match group name in Okta)
  4. Click on the newly added group, go to Profile tab
  5. Under System Permissions, add permissions for the group. 


Verify SSO

  1. Go to your Nodegrid
  2. On the login page, there should be a 'Login with' button with the Identity Provider's chosen icon
  3. Click on the button
  4. This redirects you to Okta’s login page
  5. Enter your primary directory logon information
  6. Pass Okta’s two-factor authentication
  7. Get redirected back to Nodegrid after authenticating




