Search…
⌃K
Links

OIDC SSO with Okta

Set up SSO for your Ninox server (Private Cloud or On-Premises) using OIDC and a third-party app like Okta
SSO is an Enterprise feature available on request that requires a valid license purchased from Ninox or a certified partner.
However, we chose Okta to demonstrate a potential OIDC setup with Ninox. Your setup may vary based on which third-party app you use.

Create a new OIDC integration

Step 1: Log in and create app integration

  1. 1.
    Log in to Okta.
  2. 2.
    Click Applications in the left sidebar and select Applications (1) from the dropdown menu.
  3. 3.
    Click the Create App Integration (2) button.

Step 2: Set up sign-up method

  1. 1.
    In the Create a new app integration pop-up window, select OIDC - OpenID Connect (1) as Sign-in method and Web Application (2) as Application type.
  2. 2.
    Click the Next (3) button to proceed.

Step 3: Configure OIDC integration

  1. 1.
    On the New Web App Integration page, in the General Settings section, fill in the fields listed below. (1) App integration name: enter a name. In this example it's anastasiya oidc test. (2) Sign-in redirect URIs: The URI is a combination of the protocol https://, your Ninox server domain name (in this example it's anastasiya.ninoxdb.de), and the path /ums/oidc/callback, resulting in something like https://anastasiya.ninoxdb.de/ums/oidc/callback. The domain name needs to be replaced with the domain name of your Ninox server. (3) Sign-out redirect URIs: The URI is the domain name of your Ninox server. In this example it's https://anastasiya.ninoxdb.de.
  2. 2.
    Select the Skip group assignment for now (4) radio button for Controlled access in the Assignments section.
  3. 3.
    Click the Save (5) button to confirm. A new page opens and a success message appears at the top of the page.

Assign users to OIDC integration

Make sure people have access to Ninox, either as members (paid by the owner) or as contributors (paid by themselves). If users cannot log in to Ninox, they won't be able to log in to your Ninox server using SSO.
Follow the steps below to either assign individual users or whole groups to your OIDC integration.
  1. 1.
    On the new application page, click the Assignments (1) tab.
  2. 2.
    Click the Assign (2) dropdown button and choose between Assign to People (3) and Assign to Groups.

Assign to people

  1. 1.
    In the pop-up window, select a user from the list to individually assign the user to your app and click Assign.
  2. 2.
    Enter the desired information in the pop-up window.
  3. 3.
    Click the Save and Go Back button to confirm.
  4. 4.
    Click the Done button to close the pop-up window.

Assign to groups

  1. 1.
    In the pop-up window, select Everyone and click Assign.
  2. 2.
    Click the Done button to close the pop-up window.

Retrieve OIDC credentials from Okta

Step 1: Copy from the General tab

  1. 1.
    On the new application page, click the General (1) tab.
  2. 2.
    Under Client Credentials, copy the Client ID (2) and Client secret (3).

Step 2: Copy from the Sign On tab

  1. 1.
    Click the Sign On (1) tab.
  2. 2.
    Under OpenID Connect ID Token, copy the Issuer (2) and Audience (3).

Finish OIDC setup in your Ninox server setup (Private Cloud or On-Premises)

  1. 1.
    Log in to your Ninox Private Cloud or Ninox On-Premises.
  2. 2.
    Click the gear icon in the top-right corner.
  3. 3.
    Select Server Administration from the dropdown menu. A new page opens.
  4. 4.
    Click the Configuration tab.
  5. 5.
    On the Server Configuration page, under Authentication Strategy, click the Open Id tab. Fill in the fields listed below, then click the Save and Restart (8) button. (1) Discovery Url: The URI is a combination of the protocol https://, your Ninox server domain name (in this example it's anastasiya.ninoxdb.de), and the path /.well-known/openid-configuration, resulting in something like https://anastasiya.ninoxdb.de/.well-known/openid-configuration. (2) Client Id: paste from Okta, refer to Retrieving OIDC credentials from Okta (3) Client Secret: paste from Okta, refer to Retrieving OIDC credentials from Okta (4) Redirect Uris (Comma separated): The URI is your Ninox server domain. In this example it's https://anastasiya.ninoxdb.de. (5) Scopes: email, openid (6) Session Duration (in days): 2 (7) AutoProvision Users: enable
  6. 6.
    Click the Save and Restart (8) button to confirm.