Okta (SAML2.0) - Web Console

This guide describes SAML 2.0 authentication between Genian NAC (Service Provider, SP) and Okta (Identity Provider, IdP).

SSO works by sending the Genian NAC web console sign-in to Okta over the SAML 2.0 protocol. Okta authenticates the administrator and returns a signed SAML assertion, which NAC accepts in place of a local password.

Prerequisites

The current version does not support JIT (just-in-time) provisioning, so Okta cannot create NAC administrator accounts on first login. An administrator account matching the Okta user must already exist in Genian NAC (the SP); create it in NAC first.

Supported features

The Okta SAML integration currently supports the following features:

  • SP-initiated SSO
  • IdP-initiated SSO

For more information on the listed features, see the Okta glossary at https://help.okta.com/okta_help.htm?type=oie&id=ext_glossary

Configuration steps

The following steps cover a basic integration only. Once configured, it is applied automatically to every subsequent login.

Step 1: Register an Okta account (If needed)

  1. Go to https://www.Okta.com/free-trial/ and apply for a trial account.

    Enter your details and select the country in which you want to use authentication.

  2. Check the activation mail sent to the email address you registered.

    Okta sends an account confirmation mail titled 'Activate your Okta account' to that address.

  3. Click the Activate Okta Account button to activate your account.

    On first login you are asked to change the initial password and to set a security image and security questions.

    Signing in to the Okta console requires OTP two-factor authentication: install an OTP app on an iPhone or Android device and register it with Okta.

    Once OTP registration and login are complete, set up the SAML app for the integration.

Step 2: Add and set up SAML APP for authentication integration

General tab (enter Genian NAC's SP information in the Okta app)

  1. In the menu, navigate to Applications > Applications.
  2. Click the blue Create App Integration button.
  3. In the pop-up, select SAML 2.0 and click Next.
  4. Enter the name and logo of the app to be used for the NAC integration and click Next.
  5. In Single sign-on URL, enter the value shown at Genian NAC Web Console > Preferences > General > Console > SAML2 Authentication > Identity Provider (IdP) > SP ACS URL.
  6. In Audience URI (SP Entity ID), enter the value shown at Genian NAC Web Console > Preferences > General > Console > SAML2 Authentication > Identity Provider (IdP) > SP Entity ID, then click Next. Both values must match what NAC displays exactly (scheme, host, port and path); they are checked against the SAML response, and a mismatch makes the login fail.
  7. In the Feedback tab, under Are you a customer or partner?, select I'm an Okta customer adding an internal app.
  8. Click Finish.

Sign On tab (enter IdP information in Genian NAC)

  1. Click Sign on methods > SAML 2.0 > More details in the middle of the screen to view the IdP information.
  2. Copy the following details into Genian NAC Web Console > Preferences > General > Console > SAML2 Authentication > Identity Provider (IdP).
    • IdP SSO URL - the Identity Provider Sign on URL from Okta.
    • IdP Entity ID - the Identity Provider Issuer from Okta.
    • x509 Certificate - download the Signing Certificate from Okta and paste the contents of the downloaded file.
  3. In Sign in button text, enter the text to show on the SAML authentication button on the NAC Web Console sign-in page.
  4. Click the Update button at the bottom of the Genian NAC Web Console settings screen.

    Note

    NAC uses the pasted certificate to verify Okta's signature on the SAML response. If the signing certificate is rotated in Okta, SAML logins fail until the new certificate is pasted here, so keep a local administrator password available as a fallback.

Step 3: Adding and assigning accounts for Okta authentication integration

If the user already exists in Okta, skip to step 5.

  1. In the Okta console menu, go to Directory > Groups.

  2. Click the Add Group button in the middle of the screen to create a group.

  3. In the Okta console menu, go to Directory > People.

  4. Click the Add Person button in the middle of the screen to add a user.

    Note

    The Password field selects whether the administrator sets the password now or the user sets it at first login.

  5. In the Okta console menu, go to Applications > Applications.

  6. Click the triangle icon on the right side of the app registered above and click Assign to Users.

  7. In the pop-up, click the Assign button next to each account that will sign in to NAC through the app.

    Because there is no JIT provisioning, each assigned Okta user must correspond to an administrator account that already exists in Genian NAC (see Prerequisites).

Authentication Integration Test

How to test from Okta My Apps (IdP-initiated SSO)

  1. Sign in to Okta My Apps and click the NAC SAML app.

How to test from the Genian NAC Admin Web Console sign-in page (SP-initiated SSO)

  1. Open the Genian NAC Admin Web Console sign-in page.
  2. Click the SAML login button on the sign-in page.
  3. A new pop-up window shows the Okta sign-in page; enter your Okta username and password to authenticate.
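When the Okta sign-in succeeds but NAC then rejects the login, the usual cause is a mismatch between the values entered in Step 2 and what Okta put in the SAML response. The script below is an added example, not Genian NAC's or Okta's code: it checks a decoded SAMLResponse (the base64 form field the browser posts to the ACS URL, captured from the browser's developer tools) against the configured values, that is the Issuer against the IdP Entity ID, Destination and Recipient against the SP ACS URL, Audience against the SP Entity ID, the validity window, and InResponseTo for the SP-initiated case. The sample response and the SP/IdP values are constructed placeholders. It deliberately does not verify the XML signature; that is the SP's job, and a forged response would pass this check, so use it only to diagnose configuration mismatches.

```python
"""Added example: find SP/IdP configuration mismatches in a captured Okta
SAML response. Not Genian NAC or Okta code; does no signature verification."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder values standing in for what was entered in Step 2 (constructed).
SP_ENTITY_ID = "https://nac.example.com/saml/metadata"
ACS_URL = "https://nac.example.com/saml/acs"
IDP_ENTITY_ID = "http://www.okta.com/exk00000000000000000"
# Clock values for the sample: one inside the assertion's window, one after it.
SAMPLE_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
SAMPLE_LATE = datetime(2024, 1, 1, 1, 0, tzinfo=timezone.utc)

# Constructed, unsigned response in the shape Okta posts to the ACS URL.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-resp" Version="2.0"
    IssueInstant="2024-01-01T00:00:00.000Z" InResponseTo="_req123"
    Destination="https://nac.example.com/saml/acs">
  <saml2:Issuer>http://www.okta.com/exk00000000000000000</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="id-assn" Version="2.0" IssueInstant="2024-01-01T00:00:00.000Z">
    <saml2:Issuer>http://www.okta.com/exk00000000000000000</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_req123" NotOnOrAfter="2024-01-01T00:05:00.000Z"
            Recipient="https://nac.example.com/saml/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2023-12-31T23:55:00Z" NotOnOrAfter="2024-01-01T00:05:00.000Z">
      <saml2:AudienceRestriction><saml2:Audience>https://nac.example.com/saml/metadata</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>
"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAML timestamp %r" % value)


def check_saml_response(xml_text, sp_entity_id, acs_url, idp_entity_id, now,
                        expected_request_id=None):
    """Return a list of mismatches between the response and the SP/IdP values;
    an empty list means they line up. expected_request_id is the AuthnRequest
    ID for SP-initiated SSO; leave it None for an IdP-initiated (My Apps)
    login, which has no request to match."""
    findings = []
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("Status is not Success: %r" % (None if code is None else code.get("Value")))
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        findings.append("Response Issuer != IdP Entity ID %r" % idp_entity_id)
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        findings.append("Destination %r != SP ACS URL %r" % (dest, acs_url))
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        findings.append("Response InResponseTo does not match the AuthnRequest ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (encrypted assertion or failed login)")
        return findings
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        findings.append("Assertion Issuer != IdP Entity ID %r" % idp_entity_id)
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        findings.append("Audience %r does not include SP Entity ID %r" % (audiences, sp_entity_id))
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("Conditions NotBefore is in the future (clock skew?)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("Conditions NotOnOrAfter has passed: assertion expired")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("no SubjectConfirmationData (bearer confirmation missing)")
    else:
        if scd.get("Recipient") != acs_url:
            findings.append("Recipient %r != SP ACS URL %r" % (scd.get("Recipient"), acs_url))
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData NotOnOrAfter has passed: assertion expired")
        if expected_request_id and scd.get("InResponseTo") != expected_request_id:
            findings.append("SubjectConfirmationData InResponseTo does not match the AuthnRequest ID")
    return findings
```

To use it on a real capture, base64-decode the SAMLResponse form field to XML (the HTTP-POST binding does not deflate it), pass the XML with the values shown on the NAC SAML2 Authentication page and the current UTC time, and supply the AuthnRequest ID only for the SP-initiated test. An empty result with a still-failing login points away from Step 2 and towards the certificate or the missing NAC administrator account.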

Note

After setting up the authentication integration, add the Okta IdP domain to the enforcement policy permissions so that the Okta authentication window can still be displayed to a node that is in the blocked state. If the Okta sign-in page renders incompletely on a blocked node, also allow any additional Okta-owned hostnames the page loads resources from.

To add the permission:

1. Go to Policy > Object > Network
2. Click Task > Create
3. Enter the general information
4. Under Condition > FQDN, enter the IdP domain (e.g. genians.okta.com)
5. Click Create
6. Go to Permission
7. Create a permission using the network object you created
8. Assign the permission you created in an enforcement policy