okta (SAML2.0) - CWP

This guide describes how to configure authentication integration between okta and Genian NAC, a network access control system.

Through APP integration of Genian NAC and okta solution, you can perform user authentication via okta without needing to manage Genian NAC's own user DB.

For user authentication, okta authentication is called from the Genian NAC CWP page using the SAML2.0 protocol, and okta verifies the user authentication status to achieve successful SSO.

Purpose of Integration

The integration of Genian NAC and okta provides the following effects:

  • No need to manage a separate user DB for NAC; okta handles user authentication.
  • NAC authentication is possible with an okta account.

Supported Features

okta SAML App integration supports the following features:

  • SP-initiated SSO
  • IdP-initiated SSO
  • JIT (Just-In-Time) Provisioning
  • Single Logout (SLO)
  • Signed Requests

For more details on these features, please check at https://help.okta.com/okta_help.htm?type=oie&id=ext_glossary.

Integration Configuration Method

This guide covers only the items essential for Genian NAC and okta integration. After the initial one-time setup, the integration is applied automatically.

Step 1: Account Registration for okta Integration

  1. Access https://www.okta.com/free-trial/ and apply for a trial account.

    • Select user information and country.
  2. Check the authentication confirmation email received at the applied email address.

    • An account information confirmation email with the subject 'Activate your okta account' will be sent to the applied email address.
  3. Click the 'Activate okta Account' button in the email to activate the account.

    • Set the initial password and configure 2-factor authentication.
    • Access to the okta console requires OTP 2-factor authentication; install an OTP app on an iPhone/Android device and register the OTP.
    • Once OTP registration and login are complete, proceed to the SAML App setup for the integration.

Step 2: Add and Configure SAML App for Authentication Integration

General tab (Enter SP information of Genian NAC in okta APP)

  1. In the menu, go to Applications > Applications.

  2. Search for Genians NAC application in the Browse App Catalog menu.

  3. Select the NAC app from the search results and click the Add Integration button.

  4. Enter the Application label.

  5. Select the Sign On tab.

  6. In the Base URL input field, enter the NAC Policy Server's URL as in the example below:

    • ex) https://test.genians.net/cwp2
  7. Click Settings > Sign on methods > SAML 2.0 > More details button to confirm IdP information.

  8. In Genian NAC Web Console > Settings > User Authentication > Authentication Integration > SAML2 Authentication Integration, copy and enter the values for each item from okta:

    • IdP SSO URL - okta's Sign on URL.
    • IdP Entity ID - okta's Issuer.
    • x509 Certificate - Download or copy okta's Signing Certificate and enter.
  9. To use JIT provisioning feature, change JIT provisioning to 'On' in NAC.

    • In NAC UI's JIT provisioning > Additional Information, click Add button to set user account name and email.

      • Enter {lastName}{firstName} for name.

      • Enter email for email.

        • SAML Attributes (firstName, lastName, email) items are already predefined in okta.
        • Attributes other than predefined ones can also be added using the Attributes (Optional) menu.
  10. To use Single Logout (SLO), set Single Logout (SLO) to 'On' in NAC.

    • In okta's Sign on > Settings, check Enable Single Logout item.

    • Download SP X.509 certificate and upload it to okta's Signature Certificate. SP's certificate is required to use SLO function.

    • In NAC's IdP SLO URL, copy and enter okta's Single Logout URL.

      • If Single Logout URL is not visible on okta screen, please save by clicking Save button with Enable Single Logout setting checked.
      • Return to Sign On tab and confirm Single Logout URL.
  11. To use Signed Requests, set Signed Requests to 'On'.

    • To use Signed Requests, the SAML settings must be configured through okta's Applications > Create App Integration.
    • Download SP X.509 certificate and upload it to okta's Signature Certificate. SP's certificate is required to use Signed Requests function.
    • In okta's SAML Settings, check Signed Requests.
  12. In Genian NAC CWP authentication screen, enter the text to display on okta authentication button in Login Button Text.

  13. Click Modify button at the bottom of Genian NAC Web Console settings screen.

Note

Ensure you enter the correct value in Base URL field of Sign On tab. Using an incorrect value will prevent authentication to NAC via SAML. ex) https://test.genians.net/cwp2
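As an added example (not Genian NAC's or okta's code), this Python sketch shows the checks a SAML SP applies to an okta assertion before trusting it: the assertion issuer must equal the IdP Entity ID entered in item 8, the audience and validity window must match, and only then are the predefined firstName/lastName/email attributes rendered through the {lastName}{firstName} JIT mapping from item 9. The IdP Entity ID, the audience value and the sample response are constructed placeholders, and signature verification against the x509 Certificate is omitted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values that Step 2, item 8 copies from okta into NAC (constructed placeholders).
IDP_ENTITY_ID = "http://www.okta.com/EXAMPLE_ISSUER"
SP_AUDIENCE = "https://test.genians.net/cwp2"  # assumed: the Base URL from okta's Sign On tab
JIT_NAME_TEMPLATE = "{lastName}{firstName}"     # JIT mapping from Step 2, item 9

# Constructed sample response. It is unsigned for brevity; a real SP must first
# verify the XML signature against the okta x509 Certificate configured in NAC.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER</saml:Issuer>
    <saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2999-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://test.genians.net/cwp2</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Gildong</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Hong</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>hong@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing 'Z'; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, now=None):
    # Check issuer, validity window and audience, then return the SAML attributes.
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issuer does not match the configured IdP Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_AUDIENCE:
        raise ValueError("assertion audience is not this SP")
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

def jit_account(attrs):
    # Refuse to provision when a mapped attribute is absent from the assertion.
    if not all(attrs.get(k) for k in ("firstName", "lastName", "email")):
        raise ValueError("assertion lacks a required SAML attribute")
    return {"name": JIT_NAME_TEMPLATE.format(**attrs), "email": attrs["email"]}
```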

Step 3: Add and Assign Accounts for okta Authentication Integration

If users are already registered, skip to step 5.

  1. Go to okta console menu Directory > Groups.
  2. Click Add Group button in the middle of the screen to create a group.
  3. Go to okta console menu Directory > People.
  4. Click Add Person button in the middle of the screen to add a user.

Note

For Password item, select whether the administrator specifies the password or the user changes it upon first login.

  5. Go to okta console menu Applications > Applications.
  6. Click the triangle icon to the right of the APP registered above and click Assign to Users.
  7. In the pop-up window, click the Assign button to the right of the account to be used for authentication integration via the APP to assign it to the APP.

Authentication Integration Test Method

How to Test from okta My Apps Page (IdP-initiated SSO)

  1. Access okta My Apps page and click the created NAC SAML App.

How to Use App Embed Link (IdP-initiated SSO)

  1. Go to the bottom of okta's General tab screen, where App Embed Link is provided.
  2. You can log in to NAC through this link.

How to Test from Genian NAC Web Console (SP-initiated SSO)

  1. Access Web Console and click Settings > User Authentication > Authentication Integration > Authentication Test menu, then click Test button.
  2. In the pop-up window, select SAML2 for Authentication Information Storage.
  3. okta authentication page will be displayed in a new pop-up window, authenticate by entering username and password.
  4. If 'Authentication successful.' message is displayed, authentication integration is successful.

How to Test from Genian NAC CWP Page (SP-initiated SSO)

  1. Prepare an endpoint (node) that is assigned a Genian NAC node policy with a password policy.
  2. Access Genian NAC CWP page.
  3. Click Authenticate button on CWP page.
  4. On the authentication screen, click the authentication button configured in Step 2, item 5 above.
  5. okta authentication page will be displayed in a new pop-up window, authenticate by entering username and password.
  6. If 'Authentication successful.' message is displayed, authentication integration is successful.

How to Test Single Logout (SLO)

  1. Enable SLO function.
  2. Authenticate using SSO function.
  3. Log out using the logout button at the top of the CWP page.
  4. If okta account information is prompted when attempting SAML authentication again, SLO is working correctly.

Note

After configuring authentication integration, when applying the policy you must add the okta IdP domain to the enforcement policy permissions so that the authentication integration window is displayed even while the endpoint is in a blocked state.

How to add permission

  1. Go to Policy > Object > Network.
  2. Select Action > Create.
  3. Enter the basic information.
  4. Under Network address, select FQDN and enter the IdP domain (e.g. genians.okta.com).
  5. Click Create.
  6. Go to the Permission menu.
  7. Create a permission using the network object created above.
  8. Assign the created permission to the enforcement policy that controls the endpoint's network.