Introduced in version 12.0
Description
SAML stands for "Security Assertion Markup Language." It is a standard that lets separate computer systems securely exchange information about a user's identity, such as the fact that the user has authenticated and attributes like their name and email address. With SAML, a user can log in once at the identity provider and then be signed in automatically to the other systems they have permission to access.
This guide primarily focuses on configuring SAML on the NetBeez dashboard using Okta. However, it is important to understand that other providers can also be used to set up SAML as long as they are compatible with it.
Procedure
Below is the procedure for setting up SAML SSO with Okta on the NetBeez dashboard:
Okta Configuration
1. Log in to Okta.
2. Expand the Applications section in the left-hand navigation. Select Applications.
3. Click Create App Integration button.
4. Click SAML 2.0 radio button. Click Next.
5. Name your application. Click Next.
6. Enter your server's FQDN callback URL in the Single Sign On URL field (for example: https://dev.netbeezcloud.net/users/auth/saml/callback). Enter the Audience URI (SP Entity ID). Set the Name ID Format to Unspecified, and set Application Username to Email.
7. For the next section, Attribute Statements, fill in the first name, last name, and email address attributes, entering the name and selecting the value from the dropdown. You will also need to add a unique id attribute whose value is user.getInternalProperty("id").
Name | Name format | Value
firstName | Unspecified | user.firstName
lastName | Unspecified | user.lastName
 | Unspecified | user.email
uniqueid | Unspecified | user.getInternalProperty("id")
8. For the next section, Group Attribute Statements, if you wish to support role mapping, you will need to create three groups within Okta (for the Admin, Read-Only, and Read-Write roles) and ensure those groups are assigned to the SSO application. Then add a “groups” attribute statement with a filter that selects only those groups: enter groups as the Name, select Matches regex as the filter method, and use a regex pattern that lists your created groups. For example, with the three groups NetBeez Admin, NetBeez Read-Only, and NetBeez Read-Write, the pattern is:
(NetBeez Admin|NetBeez Read-Only|NetBeez Read-Write)
Name | Name format | Filter | Value
groups | Unspecified | Matches regex | (NetBeez Admin|NetBeez Read-Only|NetBeez Read-Write)
Click Next.
9. Fill out the feedback step and click Finish.
10. Navigate to the Sign On tab of the application. Click More Details for the information to enter into the NetBeez dashboard.
NetBeez Configuration
1. Log in as an administrator.
2. Click on the cog in the upper right corner to navigate to the settings page.
3. Click on Enterprise Authentication on the left sidebar.
4. Click on the SAML down caret.
5. Toggle the on/off switch On.
Configuration
6. For the configuration:
- Copy the Sign on URL shown in Okta into the SSO Login URL field in NetBeez.
- Entity ID is the Audience URI (SP Entity ID) value you entered in Okta Configuration step 6.
- Click the Download button next to Signing Certificate, copy the contents of that file, and paste it into the certificate field on the NetBeez dashboard.
- The SHA1 value shown in Okta must match the value entered in the Certificate Fingerprint field on the NetBeez dashboard.
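As an added example (not NetBeez's or Okta's own code), the following Python computes the SHA1 fingerprint of a PEM certificate in the same colon-separated form that Okta displays, so you can confirm that the certificate you pasted is the one whose fingerprint you entered. SAMPLE_PEM is a constructed stand-in whose body decodes to the bytes "abc", chosen only so that the expected digest is a published SHA1 test vector; the function names are this example's own.

```python
import base64
import hashlib
import re

# Constructed sample: a PEM wrapper whose body base64-decodes to b"abc", so the
# expected SHA1 is the published test vector a9993e364706816aba3e25717850c26c9cd0d89d.
# A real Okta signing certificate downloaded in step 6 has the same shape, just longer.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to the DER certificate bytes."""
    body = []
    inside = False
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
            continue
        if line.startswith("-----END CERTIFICATE-----"):
            break
        if inside and line:
            body.append(line)
    if not inside or not body:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(body), validate=True)


def sha1_fingerprint(pem: str) -> str:
    """SHA1 over the DER encoding, formatted as Okta shows it: upper-case hex pairs joined by ':'."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fingerprint: str) -> str:
    """Accept 'A9:99:...', 'a999...' or 'A9 99 ...' and reduce it to 40 bare upper-case hex digits."""
    hex_only = re.sub(r"[\s:]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hex_only):
        raise ValueError("a SHA1 fingerprint must be 40 hex digits, optionally colon separated")
    return hex_only


def fingerprint_matches(pem: str, displayed: str) -> bool:
    """True when the fingerprint Okta displays equals the one computed from the pasted certificate."""
    return normalise(sha1_fingerprint(pem)) == normalise(displayed)


if __name__ == "__main__":
    # Usage: replace SAMPLE_PEM with the downloaded certificate text and the
    # second argument with the SHA1 value shown on Okta's Sign On tab.
    print(sha1_fingerprint(SAMPLE_PEM))
    print(fingerprint_matches(SAMPLE_PEM, "a9993e364706816aba3e25717850c26c9cd0d89d"))
```

The same value can be obtained from the downloaded file with openssl x509 -in okta.cert -noout -fingerprint -sha1; a mismatch means either the wrong certificate was pasted or the fingerprint was mistyped, and NetBeez would reject assertions signed with Okta's key.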
Attributes
7. On the NetBeez dashboard, under the Attributes section, set the Unique Identity Attribute Map value to 'uniqueId'. This value must match the name of the unique id attribute statement created in Okta Configuration step 7.
Role Mapping
8. Role mapping allows administrators to assign specific groups to users on their provider's side, granting the users corresponding permissions upon login.
Role Mapping On
If role mapping is turned on, the following fields are required:
- Group Name Attribute Map - the attribute name specified in Okta Configuration step 8, 'groups'.
- Admin Group ID - the name of the corresponding group in Okta.
- Read-Only Group ID - the name of the corresponding group in Okta.
- Read-Write Group ID - the name of the corresponding group in Okta.
To change a user's permissions with role mapping on, change the group the user belongs to on your provider's side.
Role Mapping Off
If role mapping is off, no fields are required in this section. Click the Default Role dropdown and select which permission all new users should receive. After a new user logs in and receives their default role, an administrator can change their permissions under the Settings > Users tab.
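To make the relationship between the Okta group filter (Okta Configuration step 8) and the NetBeez role-mapping fields concrete, here is an added Python example that is not part of NetBeez's or Okta's code. It models the two stages: Okta emitting only the groups that pass the regex filter, and the dashboard matching those group names against the three Group ID fields (or falling back to the Default Role when role mapping is off). The group names, the precedence order when a user is in more than one mapped group, and the full-string treatment of the regex filter are this example's assumptions, not documented behaviour.

```python
import re

# Constructed sample data (not from the page). GROUP_FILTER is the regex from
# Okta Configuration step 8; GROUP_IDS holds the values that would be typed into
# the Admin / Read-Write / Read-Only Group ID fields on the NetBeez dashboard.
GROUP_FILTER = re.compile(r"(NetBeez Admin|NetBeez Read-Only|NetBeez Read-Write)")
GROUP_IDS = {
    "admin": "NetBeez Admin",
    "read_write": "NetBeez Read-Write",
    "read_only": "NetBeez Read-Only",
}
# Assumed for this example: when a user is in more than one mapped group, the
# most privileged role wins. The page does not document NetBeez's tie-break,
# so verify it with a test user that belongs to two groups.
ROLE_PRECEDENCE = ["admin", "read_write", "read_only"]


def okta_filtered_groups(memberships):
    """Group names Okta would place in the 'groups' attribute statement.

    The example treats "Matches regex" as a full-string match (an assumption);
    a group such as "NetBeez Admin Contractors" is therefore not emitted.
    """
    return [g for g in memberships if GROUP_FILTER.fullmatch(g)]


def resolve_role(attributes, role_mapping_on, default_role="read_only", group_attr="groups"):
    """Decide the dashboard role for a login from the SAML attribute statements.

    attributes: mapping of attribute name -> list of values, as received in the assertion.
    Returns a role name, or None when role mapping is on and no mapped group is present
    (the page does not say what the dashboard does in that case; treat it as "no access").
    """
    if not role_mapping_on:
        return default_role
    groups = set(attributes.get(group_attr, []))
    for role in ROLE_PRECEDENCE:
        # Exact, case-sensitive comparison with the Group ID field, so the
        # Okta group name and the dashboard field must agree character for character.
        if GROUP_IDS[role] in groups:
            return role
    return None


if __name__ == "__main__":
    memberships = ["Everyone", "NetBeez Read-Only", "NetBeez Admin Contractors"]
    assertion = {"groups": okta_filtered_groups(memberships), "email": ["alice@example.com"]}
    print(assertion["groups"])                                           # ['NetBeez Read-Only']
    print(resolve_role(assertion, role_mapping_on=True))                 # read_only
    print(resolve_role(assertion, role_mapping_on=False, default_role="read_write"))  # read_write
```

The two failure cases worth checking after setup are a group name that differs from the Group ID field only in case or spacing (the user gets no mapped role) and a user in several mapped groups (confirm which role the dashboard actually assigns).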