This document walks through the configuration required in Nodegrid and in Okta.
Nodegrid currently supports both SP-initiated SSO and IdP-initiated SSO.
Create the Nodegrid Application in Okta
- Log on to the Okta Admin Panel and navigate to Applications.
- Click Add Application, then click on Create New App. See SAML Application Setup (https://developer.okta.com/docs/guides/saml-application-setup/overview/) for help.
- Select Web as the Platform and SAML 2.0 as the Sign on method. Click Create.
- Enter an App name, then click Next.
- Fill out the following fields:
  - Single sign on URL: https://<IP>/saml/2-0/<IdP Name>
    - IP: Nodegrid's IP address
    - IdP Name: must be identical to the Name field of the Identity Provider entry in Nodegrid
  - Audience URI (SP Entity ID): must be identical to the Entity ID field in Nodegrid's configuration
  - Default RelayState: leave blank
  - Name ID format: select Unspecified
  - Application username: select Okta username prefix
  - Update application username on: select Create and Update
  - To enable group mapping, under GROUP ATTRIBUTE STATEMENTS add:
    - Name: memberOf. Name format: Unspecified.
    - Filter: Starts with sso_ (only groups whose names start with the prefix sso_ will be sent to Nodegrid).
- Click Next.
- Select 'I'm an Okta customer adding an internal app', check the 'This is an internal app that we have created' box, then click Finish.
- Under Assignments, click on Assign, and choose what users or groups are going to have access to this App.
- Under Sign On, click on View Setup Instructions.
- Scroll down and either copy the XML metadata into an XML file, or download the certificate and copy the individual fields into Nodegrid.
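As an added example (not part of this guide, and not Nodegrid's or Okta's own tooling), the Python script below pulls the three values the Nodegrid SSO form needs (Issuer, SSO URL and the signing certificate) out of the Okta metadata XML copied in the last step, writes the certificate as okta.crt, and builds the Single sign on URL to enter in Okta. The embedded metadata is a constructed sample: the tenant, app id and certificate bytes are placeholders, not a real Okta tenant or a real certificate.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Okta's IdP metadata: tenant, app id and
# certificate bytes are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEIDP">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADAQ</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.okta.com/app/exkEXAMPLEIDP/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_okta_metadata(xml_text):
    # Issuer = Okta's entityID, SSO URL = HTTP-POST endpoint, cert = signing key
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{POST}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                    "ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing cert")
    return {"issuer": root.get("entityID"), "sso_url": sso.get("Location"),
            "cert_b64": "".join(cert.text.split())}  # drop wrapping whitespace

def to_pem(cert_b64):
    """Wrap the bare base64 from the metadata as PEM, the content of okta.crt."""
    base64.b64decode(cert_b64, validate=True)  # reject malformed data before writing
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def nodegrid_sso_url(nodegrid_ip, idp_name):
    """Single sign on URL for Okta; idp_name must equal the Nodegrid Name field."""
    return f"https://{nodegrid_ip}/saml/2-0/{idp_name}"

if __name__ == "__main__":
    fields = parse_okta_metadata(SAMPLE_METADATA)
    with open("okta.crt", "w") as fh:  # upload this in the x.509 Certificate field
        fh.write(to_pem(fields["cert_b64"]))
```

Run it against the metadata saved from Okta instead of the sample, then compare the printed Issuer and SSO URL with the values in the Okta Admin dashboard before entering them in Nodegrid.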
Nodegrid Setup: Web Interface
- Login as admin in the Nodegrid Web Interface
- Click on the 'Security' icon, then 'Authentication' tab
- Click on 'SSO' tab
- If you saved Okta's XML metadata to an XML file, click the 'Import Metadata' button. If you only downloaded the certificate, click 'Add' and enter the fields manually.
- Fill out all fields:
  - Name: name of the Identity Provider (must match the <IdP Name> used in the Okta Single sign on URL)
  - Status: status of the Identity Provider
    - Only one Identity Provider can be enabled at a time
  - SSO URL: copy the SSO URL from the Okta Admin dashboard
  - Entity ID: unique ID of the Service Provider (must match the Audience URI configured in Okta)
  - Issuer: copy the Entity ID from the Okta Admin dashboard
  - x.509 Certificate: upload the okta.crt file downloaded from the Okta Admin dashboard (Nodegrid accepts .crt files, not .cert files)
  - Icon: choose the icon that will be shown on the login page
- After entering all the required information, click Save.
- This is an example of a valid configuration:
Nodegrid Group Setup: Web Interface
If group mapping is enabled in Okta, then the groups must also exist in Nodegrid. Here are the steps to create a group in Nodegrid:
- Login as admin in the Nodegrid Web Interface
- Click on the 'Security' icon, then 'Authorization' tab
- Add a group (its name must match the group name sent by Okta exactly)
- Click on the newly added group, go to Profile tab
- Under System Permissions, add permissions for the group.
Verify SSO
- Open your Nodegrid in a browser
- On the login page there should be a 'Login with' button showing the Identity Provider's chosen icon
- Click on the button
- You are redirected to Okta's login page
- Enter your primary directory logon credentials
- Complete Okta's two-factor authentication
- After authenticating, you are redirected back to Nodegrid and logged in