okta (SAML2.0) - Web Console
This guide details SAML authentication between Genian NAC (Service Provider) and okta (Identity Provider).
SSO is achieved by invoking okta authentication over the SAML 2.0 protocol from the Genian NAC web console sign-in page, so that the administrator's credentials are verified by okta rather than by NAC.
Recommended Version
| Product | Version |
|---|---|
| Genian NAC PolicyServer | V5.0 |
| okta APP | SAML2.0 |
Prerequisites
Supported features
The okta SAML integration currently supports the following features:
- SP-initiated SSO
- IdP-initiated SSO
- JIT (Just-In-Time) provisioning
- Single Logout (SLO)
- Signed Requests
For more information on the listed features, see the okta glossary: https://help.okta.com/okta_help.htm?type=oie&id=ext_glossary
Configuration steps
The following steps cover only a basic integration; the settings take effect automatically once the initial setup is complete.
Step 1: Register an okta account (If needed)
Go to https://www.okta.com/free-trial/ and apply for a trial account.
- Enter your details and select the country you want to use for authentication.
Check the activation mail sent to the email address you provided.
- An account confirmation mail will be sent to the requested email address with the title 'Activate your okta account'.
Click the Activate okta Account button to activate your account.
- When you log in, you will see a screen that asks you to set an initial password, a security image, and security questions.
- Signing in to the okta console requires OTP two-factor authentication: install an OTP app on an iPhone or Android device and register it.
- Once you have completed OTP registration and logged in, you can begin setting up the SAML app for the integration.
Step 2: Add and set up SAML APP for authentication integration
In the menu, navigate to Applications > Applications.
From the Browse App Catalog menu, search for the Genians NAC application and select it.
Click Add Integration.
Enter an application label.
Select the Sign On tab.
In the Base URL field, enter the URL of the NAC policy server, as shown in the example below.
- e.g. https://test.genians.net/mc2
Click the Settings > Sign on methods > SAML 2.0 > More details button to view IdP information.
Copy and paste the following details into the Genian NAC Web Console > Preferences > General > Console > SAML2 Authentication > Identity Provider (IdP).
- IdP SSO URL - the Identity Provider Sign on URL from okta.
- IdP Entity ID - the Identity Provider Issuer from okta.
- x509 Certificate - download the Signing Certificate from okta and copy and paste the contents of the file.
To enable JIT provisioning, set JIT Provisioning to On in NAC.
In the NAC UI, under JIT Provisioning > Additional Columns, click the Add button to set the Username and Email for the user account. The Username attribute will be used to populate the first and last name of the Genian NAC account that is provisioned. The Email attribute will be used to populate both the username and email for the account.
For User Name, enter: {firstName} {lastName}.
- Braces are required when combining multiple attributes.
For Email, enter: email.
- The above attributes are already defined on okta and will be used during account provisioning.
- Attributes other than the predefined ones can be added using the Attributes (Optional) menu.
In the NAC UI, under JIT Provisioning > Administrator Roles, click the Add button to add an administrative role.
Enter the name _ADMINROLE_superAdmin, which is set in the Configured SAML Attributes section of okta.
To add other administrative roles, you need to set up additional role groups through Group Attribute Statements by clicking Attributes (Optional) in okta.
To enable JIT provisioning, you also need to set up Group Attributes in okta.
You must specify each group attribute by prefixing its name with _ADMINROLE_, as shown in the example below.
The name after _ADMINROLE_ must match (case sensitive) the Administrator Role ID created in NAC (e.g. superAdmin, auditor).
The Configured SAML Attributes entry already has _ADMINROLE_superAdmin set. You enable it by creating an okta group named superAdmin, which the attribute's filter matches:

| Name | Filter |
|---|---|
| _ADMINROLE_superAdmin | Equals superAdmin |

Refer to the Step 3 Add Group description below for the group name.
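As an added example (not Genian NAC or okta code), the following Python reads the attribute statement of a constructed SAML assertion and applies the JIT mapping rules described above: the {firstName} {lastName} template, the email attribute, and the case-sensitive _ADMINROLE_ prefix checked against the NAC administrator role IDs. The sample assertion, the role-ID set and the function names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_PREFIX = "_ADMINROLE_"

# Constructed sample (not captured from okta): the attributes this guide maps, plus one
# group attribute whose suffix differs only in case from the NAC role ID "superAdmin".
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="_ADMINROLE_superAdmin"><saml2:AttributeValue>superAdmin</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="_ADMINROLE_superadmin"><saml2:AttributeValue>superadmin</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return attrs

def render_template(template, attrs):
    """Expand a NAC JIT field: "email" names one attribute, "{firstName} {lastName}" combines several."""
    def first_value(name):
        if not attrs.get(name):
            raise ValueError(f"assertion lacks attribute {name!r}; JIT provisioning cannot proceed")
        return attrs[name][0]
    if "{" not in template:
        return first_value(template)
    return re.sub(r"\{([^{}]+)\}", lambda m: first_value(m.group(1)), template)

def jit_profile(attrs, nac_role_ids, username_tpl="{firstName} {lastName}", email_tpl="email"):
    """Build the provisioned account: name, email and the NAC admin roles granted by _ADMINROLE_ attributes."""
    roles = []
    for name in attrs:
        if name.startswith(ROLE_PREFIX):
            role_id = name[len(ROLE_PREFIX):]
            if role_id in nac_role_ids:  # exact, case-sensitive match against NAC role IDs
                roles.append(role_id)
    return {"username": render_template(username_tpl, attrs),
            "email": render_template(email_tpl, attrs),
            "roles": roles}

if __name__ == "__main__":
    print(jit_profile(parse_attributes(SAMPLE_ASSERTION), {"superAdmin", "auditor"}))
```

The lowercase _ADMINROLE_superadmin attribute in the sample grants nothing, which is the case-sensitivity rule stated above in action.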
To enable Single Logout (SLO), set Single Logout (SLO) to On in NAC.
In okta, go to Sign On > Settings and check Enable Single Logout.
Download the SP X.509 certificate and upload it to Signature Certificate in okta. The SP's certificate is required for the SLO feature.
- IdP SLO URL - the Identity Provider Single Logout URL from okta.
- If the Single Logout URL is not visible on the okta screen, make sure the Enable Single Logout setting is checked and then click the Save button.
- Return to the Sign On tab and verify the Single Logout URL.
To enable Signed Requests, set Signed Requests to On in NAC.
- For Signed Requests, you need to set up the SAML app through okta's Applications > Create App Integration to enable the feature.
- Download the SP X.509 certificate and upload it to Signature Certificate in okta. The SP's certificate is required for the Signed Requests feature.
- Set up the Signed Requests entry in okta's SAML Settings.
In Sign in button text, enter the text that will appear on the SAML authentication button in the NAC Web Console Authentication page.
Click the Update button at the bottom of the Genian NAC Web Console Settings screen.
Note
Make sure that you entered the correct value in the Base URL field under the Sign On tab. Using the wrong value will prevent you from authenticating via SAML to NAC. e.g. https://test.genians.net/mc2
Step 3: Adding and assigning accounts for okta Authentication Integration
If the group and user are already registered, go to step 5.
1. Go to the okta Console screen menu Directory > Groups.
2. Click the Add Group button in the middle of the screen to create a group.
   - For JIT provisioning, you need to create an Administrator Role Group (e.g. superAdmin).

   | ID | Description |
   |---|---|
   | superAdmin | Super administrator |
   | auditor | Audit administrator |

   You can see all the administrative roles offered by NAC in Preferences > User Authentication > Administrator Role.
3. Go to the okta Console screen menu Directory > People.
4. Click the Add Person button in the middle of the screen to add users.
   - For users who require JIT provisioning, select the Group created in step 2.
   Note
   The Password entry selects whether the administrator sets the password when creating the account or the user sets it at their initial login.
5. Go to the okta Console screen menu Applications > Applications.
6. Click the triangle icon on the right side of the APP that you registered above and click Assign to Users.
7. On the pop-up screen, click the Assign button next to the account to be used for authentication integration through the APP to assign it to the APP.
Authentication Integration Test
How to test on okta My Apps (IdP-initiated SSO)
- Go to okta My Apps and click the NAC SAML App.
How to use the App Embed Link (IdP-initiated SSO)
- At the bottom of the app's General tab in okta there is an App Embed Link.
- You can sign in to NAC through that link.
How to test on the Genian NAC Admin Web Console page (SP-initiated SSO)
- Go to the Genian NAC Admin Web Console sign-in page.
- Click the SAML Login button on the sign-in page.
- A new pop-up window displays the okta authentication page; enter your okta username and password to authenticate.
How to test Single Logout (SLO)
- Enable the SLO feature.
- Authenticate using the SSO functionality.
- Log out using the logout button at the top of the web console.
- If you're prompted to enter your okta account information when you try SAML authentication again, the SLO worked correctly.
Note
After setting up the authentication integration, you must add the okta IdP domain to the enforcement policy permissions so that the authentication window can be displayed even while the device is in the blocked state.
1. To add permissions:
2. Go to Policy > Object > Network.
3. Click Task > Create.
4. Enter the general information.
5. Under Condition > FQDN, enter the IdP domain (e.g. genians.okta.com).
6. Click Create.
7. Go to Permission.
8. Create a permission using the network object you created.
9. Assign the permission you created in an enforcement policy.