Okta (SAML2.0)

This guide details authentication between Genian NAC (Service Provider), and Okta (Identity Provider).

This enables user authentication through Okta without having to manage users in Genian NAC.

SSO is achieved by invoking Okta authentication from the Genian NAC CWP page using the SAML 2.0 protocol and having Okta verify the user's credentials.

Integration Settings

The following steps describe only a basic integration; once set up, it is applied automatically.

Step 1: Register an Okta account (If needed)

  1. Go to https://www.Okta.com/free-trial/ and apply for a trial account.

    Enter your details and country, then enter the domain you want to use for authentication.

  2. Check the authentication mail received at the email address you requested.

    An account information confirmation mail will be sent to the requested email address under the title 'Your New Okta account'.

  3. Connect to the 'Sign-in-here' URL in your mail and log in.

    When you log in, you will be asked to change the initial password and to set a security image and security questions.

  4. Add OTP for Okta Admin console connections.

    Connecting to the Okta Admin console requires OTP two-factor authentication, so you must install an OTP app on an iPhone or Android device and register it.

    Once you have completed OTP registration and logged in, SAML app setup for the integration can begin.

Step 2: Add and set up SAML APP for authentication integration

General section (enter SP information for Genian NAC in Okta APP)

  1. In the menu, navigate to Applications > Applications.
  2. Click the blue Add Application button.
  3. Click the blue Create New App button.
  4. In the pop-up screen, select Platform = Web, Sign on method = SAML 2.0 and click the Create button.
  5. Type the name and logo of the APP to be used for integration with NAC and click the Next button.
  6. In the Single sign on URL entry, enter a value for the Genian NAC Web Console > Preferences > User Authentication > Authentication Integration > SAML2 > SP ACS URL.
  7. In the Audience URI (SP Entity ID) entry, enter a value for the Genian NAC Web Console > Preferences > User Authentication > Authentication Integration > SAML2 > SP Entity ID and click the Next button.
  8. In the Feedback section, for Are you a customer or partner?, check I'm an Okta customer adding an internal app.
  9. Check the This is an internal app that we have created box below and click the Finish button.

Sign On section (enter IdP information in Genian NAC)

  1. Click the View Setup Instructions button in the middle of the screen to view IdP information.
  2. No.1) Enter the Identity Provider Single Sign-On URL value in Genian NAC Web Console > Preferences > User Authentication > Authentication Integration > SAML2 > IdP SSO URL.
  3. No.2) Enter the Identity Provider Issuer value in Genian NAC Web Console > Preferences > User Authentication > Authentication Integration > SAML2 > IdP Entity ID.
  4. No.3) Select the entire X.509 Certificate value and enter it in Genian NAC Web Console > Preferences > User Authentication > Authentication Integration > SAML2 > x509 Certificate.
  5. In Web Console > Preferences > User Authentication > Authentication Integration > SAML2 > Sign in Button text, enter the text to display on the Okta authentication button on the Genian NAC CWP authentication screen.
  6. Click the Update button at the bottom of the Genian NAC Web Console Settings screen.
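The values exchanged in the two sections above (SP ACS URL, SP Entity ID, IdP Entity ID) are exactly the fields that the service provider must check in every SAML Response Okta returns: the Issuer must equal the IdP Entity ID, the Audience must equal the SP Entity ID, the Destination and bearer Recipient must equal the SP ACS URL, and the assertion must be inside its validity window. The following Python script is an added example, not part of this guide or of Genian NAC, that performs those checks against a constructed sample Response; every URL and identifier in it is a placeholder. It deliberately leaves out XML signature verification, which the SP must perform with the x509 Certificate entered above (using an XML-DSig library) before trusting any of these fields.

```python
"""Check a SAML 2.0 Response against the SP/IdP settings configured in the guide.

Added example with constructed placeholder values. Signature verification
against the IdP X.509 certificate is NOT done here and must precede these checks.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical settings standing in for the values entered on both sides (placeholders).
SETTINGS = {
    "sp_entity_id": "https://nac.example.com/saml2/metadata",  # SP Entity ID / Okta Audience URI
    "sp_acs_url": "https://nac.example.com/saml2/acs",         # SP ACS URL / Okta Single sign on URL
    "idp_entity_id": "http://www.okta.com/EXAMPLE-ISSUER",     # IdP Entity ID / Okta Identity Provider Issuer
}

# Constructed sample Response, as Okta would POST it to the ACS URL (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{SETTINGS['sp_acs_url']}">
  <saml:Issuer>{SETTINGS['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{SETTINGS['idp_entity_id']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
            Recipient="{SETTINGS['sp_acs_url']}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SETTINGS['sp_entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)     # inside the assertion's validity window
LATER = datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc)  # after NotOnOrAfter


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, settings, now):
    """Return (name_id, problems); name_id is None unless every check passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return None, ["root element is not samlp:Response"]

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != settings["sp_acs_url"]:
        problems.append("Destination does not match SP ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != settings["idp_entity_id"]:
        problems.append("Response Issuer does not match IdP Entity ID")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # reject both missing and multiple assertions
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return None, problems
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != settings["idp_entity_id"]:
        problems.append("Assertion Issuer does not match IdP Entity ID")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        if "NotBefore" in cond.attrib and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if settings["sp_entity_id"] not in audiences:
            problems.append("Audience does not include SP Entity ID")

    confirmed = False  # at least one bearer confirmation addressed to our ACS URL and still valid
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        if data.get("Recipient") != settings["sp_acs_url"]:
            problems.append("bearer Recipient does not match SP ACS URL")
            continue
        if "NotOnOrAfter" in data.attrib and now >= _ts(data.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
            continue
        confirmed = True
    if not confirmed:
        problems.append("no valid bearer SubjectConfirmation")

    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("missing NameID")
    return (name_id if not problems else None), problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SETTINGS, NOW))    # ('alice@example.com', [])
    print(check_response(SAMPLE_RESPONSE, SETTINGS, LATER))  # (None, [... 'assertion expired' ...])
```

A Response whose Audience was issued for another SP, or whose Destination is not this NAC's ACS URL, is rejected even though Okta signed it, which is why the SP Entity ID and SP ACS URL entered in Okta must match the NAC settings character for character.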

Step 3: Adding and assigning accounts for Okta Authentication Integration

If the users are already registered, go to step 5.

  1. Go to the Okta Console screen menu Directory > Groups.

  2. Click the Add Group button in the middle of the screen to create a group.

  3. Go to the Okta Console screen menu Directory > People.

  4. Click the Add Person button in the middle of the screen to add users.

    Note

    The Password setting determines whether the administrator specifies a password when creating the user or whether the user sets it at first login.

  5. Go to the Okta Console screen menu Applications > Applications.

  6. Click the triangle icon on the right side of the APP that you registered above and click Assign to User.

  7. On the pop-up screen, click the Assign button on the right side of the account to be used for authentication integration through the APP to assign it to the APP.

Authentication Integration Test

How to test on Genian NAC Web Console

  1. Connect to the Web Console and click the Test button under Preferences > User Authentication > Authentication Integration > Authentication Test.
  2. In the pop-up window, select SAML2 for the repository.
  3. A new pop-up window displays the Okta authentication page; enter your username and password to authenticate.
  4. On the authentication screen, click the login button.

How to test on the Genian NAC CWP page

  1. Prepare a device (node) to which a Genian NAC Node Policy with the password Authentication Method is assigned.
  2. Access the Genian NAC CWP page.
  3. Click the Login button on the CWP page.
  4. On the authentication screen, click the login button.
  5. A new pop-up window displays the Okta authentication page; enter your username and password to authenticate.
  6. If the message 'Authentication succeeded' is displayed, the authentication integration is working.

Note

After setting up the authentication integration, you must add the Okta IdP domain to the enforcement policy permissions so that the Okta authentication window can be displayed even while the node is in the blocked state.

To add the permission:

  1. Go to Policy > Object > Network.
  2. Click Task > Create.
  3. Enter the general information.
  4. Condition > FQDN > Enter the IdP domain (e.g. genians.okta.com).
  5. Click Create.
  6. Go to Permission.
  7. Create a permission using the network object you created.
  8. Assign the permission you created in an enforcement policy.