SAML SSO with Okta
Set up SSO for your Ninox server (Private Cloud or On-Premises) using SAML and a third-party app like Okta
We chose Okta to demonstrate a potential SAML setup with Ninox. Your setup may vary based on which third-party app you use.
As of Ninox 3.6.9, you can assign roles to people or groups in your SAML integration and then merge existing roles in your Ninox server with the ones set up in a third-party app, like Okta.
In the Create a new app integration pop-up window, select SAML 2.0 (1) as Sign-in method. Click the Next (2) button to proceed.
1. On the Create SAML Integration page, in the General Settings tab, enter a name in the App name field. In this example it's
2. Click the Next (2) button to proceed.
In the Configure SAML tab, fill in the fields listed below.
1. Single sign on URL: The URL is a combination of the protocol https://, your Ninox server domain name (in this example, it's anastasiya.ninoxdb.de), and the path /ums/saml/consume, resulting in something like https://anastasiya.ninoxdb.de/ums/saml/consume (1). The domain name needs to be replaced with the domain name of your Ninox server.
2. Audience URI (SP Entity ID):
3. Default RelayState:
4. Name ID format:
5. Application username:
6. Update application username on: Create and update (6) (default setting)
7. Group Attribute Statements (optional): Enter a name, e.g., roles and set the Name format to Basic (7). Set the filter to Matches regex and enter
2. For a preview of the SAML configuration, click the Preview the SAML assertion (1) button.
3. A new browser tab opens and shows a preview similar to the one below.
Remember the audience ninox-saml (1) and the attribute name roles (2). We'll need these again in your Ninox server setup.
4. Click the Next (1) button to proceed.
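One way to check a saved copy of the assertion preview against the values you will enter in your Ninox server, as an added example that is not part of the original Ninox or Okta documentation. The sample XML and the group value `editor` are constructed for illustration, and `check_preview` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample shaped like a SAML 2.0 assertion preview (not real Okta output).
# The group value "editor" is made up for illustration.
SAMPLE_PREVIEW = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData
          Recipient="https://anastasiya.ninoxdb.de/ums/saml/consume"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>ninox-saml</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="roles">
      <saml2:AttributeValue>editor</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def check_preview(xml_text, server_domain, audience, roles_attr):
    """Return a list of mismatches; an empty list means the preview is consistent."""
    # ElementTree is fine for a preview you saved yourself; it is not a
    # hardened parser for untrusted XML and this does not verify signatures.
    root = ET.fromstring(xml_text)
    problems = []

    expected_acs = f"https://{server_domain}/ums/saml/consume"
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//saml2:SubjectConfirmationData", NS)]
    if recipients != [expected_acs]:
        problems.append(f"Recipient is {recipients}, expected {expected_acs}")

    audiences = [(e.text or "").strip() for e in root.iterfind(".//saml2:Audience", NS)]
    if audiences != [audience]:
        problems.append(f"Audience is {audiences}, expected {audience!r}")

    attrs = {a.get("Name", ""): a.findall("saml2:AttributeValue", NS)
             for a in root.iterfind(".//saml2:Attribute", NS)}
    if not attrs.get(roles_attr):  # exact, case-sensitive name comparison
        problems.append(f"no values under attribute {roles_attr!r}; found {sorted(attrs)}")
    return problems
```

An empty result means the single sign on URL, the audience and the group attribute name in the preview agree with what you plan to enter on the Ninox side; any entry in the list names the field to correct in Okta before you continue.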
1. In the Feedback tab, respond to Are you a customer or partner? by selecting I’m an Okta customer adding an internal app (1).
2. Tick the box This is an internal app that we have created (2).
3. Click the Finish (3) button to confirm.
Make sure people have access to Ninox, either as members (paid by the owner) or as contributors (paid by themselves). If users cannot log in to Ninox, they won't be able to log in to your Ninox server using SSO.
Follow the steps below to either assign individual users or whole groups to your SAML integration.
1. On the new application page, click the Assignments (1) tab.
2. Click the Assign dropdown button, then select Assign to People (2).
3. A pop-up window opens. Select a user from the list to individually assign them to your app, then click Assign (1).
4. In a new pop-up window, click the Save and Go Back (1) button to return to the previous view.
5. In the previous pop-up window, the label Assigned (1) appears next to the selected user. Click the Done (2) button to close the pop-up.
1. Back on the application page, click the Assign dropdown button, then select Assign to Groups (1).
2. A pop-up window opens. Select a group from the list to individually assign it to your app, then click Assign (1).
3. The label Assigned (1) appears next to the selected group. Click the Done (2) button to return to the previous view.
1. On the new application page, in the Sign On tab, click the View SAML setup instructions (1) button.
2. A new browser tab opens to show SAML setup instructions.
1. Copy the Identity Provider Single Sign-On URL (1). This value corresponds to the following field in your Ninox server setup: Single Sign on URL (SSO URL). Refer to https://docs.ninox.com/en/private-cloud-on-premises/single-sign-on-sso/saml-single-sign-on-with-okta#step-2-transfer-saml-credentials
2. Copy the Identity Provider Issuer (2). This value corresponds to the following field in your Ninox server setup: Issuer. Refer to https://docs.ninox.com/en/private-cloud-on-premises/single-sign-on-sso/saml-single-sign-on-with-okta#step-2-transfer-saml-credentials
3. Click the Download certificate (1) button. A file named okta.cert is saved to your computer. This file corresponds to the following button in your Ninox server setup: IDP Certificate.
1. Log in to your Ninox Private Cloud or Ninox On-Premises as root user. In the example below we use a Private Cloud (1).
2. Click the gear icon (2) in the top-right corner to access the global settings.
3. From the dropdown menu, select Server Administration (3).
4. A new page opens. Click the Configuration (1) tab.
To automatically add users to a specific workspace (team), copy its team ID (1). In this example we use the same Private Cloud as mentioned in the steps above.
1. On the Server Configuration page, scroll down to Authentication Strategy, then select the SAML V2 (1) tab. Fill in the fields listed below and upload the certificate file from Okta.
1. Single Sign on URL (SSO URL): copy-paste the Identity Provider Single Sign-on URL, in this example
2. Issuer: copy-paste the Identity Provider Issuer, in this example
3. IDP Certificate: upload the
4. Audience (5):
5. Session Duration (in days):
6. Auto Assign To Team: copy-paste the team ID, in this example
7. Property name of group attributes in SAML assertion: copy-paste the attribute name, in this example
8. Roles To Be Excluded For Mapping: optional, in this example
9. Role mapping strategy: select Merge SAML and Ninox roles (10)
10. Click the Setup SAML and Restart button (11) to confirm.
If the configuration was successful, the login with SSO will look similar to the one shown in the GIF below. In this example we use the same Private Cloud as above.