SAML SSO with Okta
Set up SSO for your Ninox server (Private Cloud or On-Premises) using SAML and a third-party app like Okta
Last updated
SSO is an Enterprise feature available on request that requires a valid license purchased from Ninox or a certified partner.
You do not need to use Okta to set up single sign-on with SAML.
However, we chose Okta to demonstrate a possible SAML setup with Ninox. Your setup may vary depending on which third-party identity provider you use.
As of Ninox 3.6.9, you can assign roles to people or groups in your SAML integration and then merge existing roles in your Ninox server with the ones set up in a third-party app, like Okta.
1. Log in to Okta.
2. Click Applications in the left sidebar and select Applications (1) from the dropdown menu.
3. Click the Create App Integration (2) button.
4. In the Create a new app integration pop-up window, select SAML 2.0 (1) as the Sign-in method. Click the Next (2) button to proceed.
5. On the Create SAML Integration page, in the General Settings tab, enter a name in the App name field. In this example it's Ninox SAML (1). Click the Next (2) button to proceed.
1. In the Configure SAML tab, fill in the fields listed below.
   - Single sign on URL: the URL is a combination of the protocol https://, your Ninox server domain name (in this example, anastasiya.ninoxdb.de), and the path /ums/saml/consume, resulting in something like https://anastasiya.ninoxdb.de/ums/saml/consume (1). Replace the domain name with the domain name of your own Ninox server.
   - Audience URI (SP Entity ID): ninox-saml (2)
   - Default RelayState: WEB (3)
   - Name ID format: EmailAddress (4)
   - Application username: Email (5)
   - Update application username on: Create and update (6) (default setting)
   - Group Attribute Statements (optional): enter a name, e.g., roles, and set the Name format to Basic (7). Set the filter to Matches regex and enter .* (8). With this filter, every Okta group the user belongs to (including Okta's built-in Everyone group) is sent as a value of the roles attribute; the Ninox server configuration later lets you exclude such groups from role mapping.
2. For a preview of the SAML configuration, click the Preview the SAML assertion (1) button.
3. A new browser tab opens and shows a preview similar to the one below. Remember the audience ninox-saml (1) and the attribute name roles (2); you will need both again in your Ninox server setup.
4. Click the Next (1) button to proceed.
1. In the Feedback tab, respond to Are you a customer or partner? by selecting I'm an Okta customer adding an internal app (1).
2. Tick the box This is an internal app that we have created (2).
3. Click the Finish (3) button to confirm.
Make sure people have access to Ninox, either as members (paid by the owner) or as contributors (paid by themselves). If users cannot log in to Ninox, they won't be able to log in to your Ninox server using SSO.
Follow the steps below to either assign individual users or whole groups to your SAML integration.
1. On the new application page, click the Assignments (1) tab.
2. Click the Assign dropdown button, then select Assign to People (2).
3. A pop-up window opens. Select a user from the list to individually assign them to your app, then click Assign (1).
4. In a new pop-up window, click the Save and Go Back (1) button to return to the previous view.
5. In the previous pop-up window, the label Assigned (1) appears next to the selected user. Click the Done (2) button to close the pop-up.
1. Back on the application page, click the Assign dropdown button, then select Assign to Groups (1).
2. A pop-up window opens. Select a group from the list to individually assign it to your app, then click Assign (1).
3. The label Assigned (1) appears next to the selected group. Click the Done (2) button to return to the previous view.
1. On the new application page, in the Sign On tab, click the View SAML setup instructions (1) button. A new browser tab opens to show the SAML setup instructions.
2. Copy the Identity Provider Single Sign-On URL (1). This value corresponds to the following field in your Ninox server setup: Single Sign on URL (SSO URL). Refer to https://docs.ninox.com/en/private-cloud-on-premises/single-sign-on-sso/saml-single-sign-on-with-okta#step-2-transfer-saml-credentials
   Copy the Identity Provider Issuer (2). This value corresponds to the following field in your Ninox server setup: Issuer. Refer to https://docs.ninox.com/en/private-cloud-on-premises/single-sign-on-sso/saml-single-sign-on-with-okta#step-2-transfer-saml-credentials
3. Click the Download certificate (1) button. A file named okta.cert is saved to your computer. This file corresponds to the following button in your Ninox server setup: IDP Certificate.
1. Log in to your Ninox Private Cloud or Ninox On-Premises as the root user. In the example below we use a Private Cloud (1).
2. Click the gear icon (2) in the top-right corner to access the global settings.
3. From the dropdown menu, select Server Administration (3).
4. A new page opens. Click the Configuration (1) tab.
1. To automatically add users to a specific workspace (team), copy its team ID (1). In this example we use the same Private Cloud as mentioned in the steps above.
2. On the Server Configuration page, scroll down to Authentication Strategy, then select the SAML V2 (1) tab. Fill in the fields listed below and upload the certificate file from Okta.
   - Single Sign on URL (SSO URL): copy-paste the Identity Provider Single Sign-on URL, in this example https://dev-78357175.okta.com/app/dev-78357175_ninoxsaml_1/exk5s7f2zbbh9HGTh5d7/sso/saml (2)
   - Issuer: copy-paste the Identity Provider Issuer, in this example http://www.okta.com/exk5s7f2zbbh9HGTh5d7 (3)
   - IDP Certificate: upload the .cert file (4)
   - Audience: ninox-saml (5)
   - Session Duration (in days): 2 (6)
   - Auto Assign To Team: copy-paste the team ID, in this example p75h1me5ngr0grptq (7)
   - Property name of group attributes in SAML assertion: copy-paste the attribute name, in this example roles (8)
   - Roles To Be Excluded For Mapping: optional, in this example Everyone (9)
   - Role mapping strategy: select Merge SAML and Ninox roles (10)
   Click the Setup SAML and Restart button (11) to confirm.
If the configuration was successful, the login with SSO will look similar to the one shown in the GIF below. In this example we use the same Private Cloud as above.
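The Okta-side settings (Audience URI, Name ID format, Group Attribute Statement) and the Ninox-side fields (Issuer, Audience, property name of group attributes, Roles To Be Excluded For Mapping, Merge SAML and Ninox roles) are two views of the same assertion. The Python example below is added here to make that correspondence concrete; it is not Ninox's or Okta's code. It parses a constructed assertion modelled on the Okta preview, checks the issuer, the ninox-saml audience and the EmailAddress NameID format, reads the roles attribute, and merges the result with existing Ninox roles after dropping the Everyone group. The issuer value, the user, and the group names are placeholders. Signature verification against the uploaded IdP certificate and the NotBefore/NotOnOrAfter time window are deliberately left out of the snippet; a real service provider must check both before trusting any of these values.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Settings mirroring the Ninox server configuration on this page.
# The issuer is a placeholder; the real value is the Identity Provider Issuer copied from Okta.
CONFIG = {
    "issuer": "http://www.okta.com/EXAMPLE-ISSUER-ID",  # placeholder, not a real Okta issuer
    "audience": "ninox-saml",
    "group_attribute": "roles",
    "excluded_roles": {"Everyone"},
}

# Constructed sample assertion modelled on the Okta "Preview the SAML assertion" output.
# Not a real capture: user, groups, IDs and timestamps are made up.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml2:Issuer>http://www.okta.com/EXAMPLE-ISSUER-ID</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>ninox-saml</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
      <saml2:AttributeValue>Editors</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def validate_assertion(xml_text, config):
    """Return {"email", "roles", "problems"}; trust email/roles only when problems is empty."""
    root = ET.fromstring(xml_text)
    problems = []

    # Issuer must be the Identity Provider Issuer entered in the Ninox server settings.
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    if issuer != config["issuer"]:
        problems.append(f"issuer mismatch: {issuer!r}")

    # Audience must contain the SP Entity ID configured on both sides (ninox-saml).
    # This is what stops an assertion minted for another app from being accepted here.
    audiences = [a.text for a in root.findall(".//saml2:AudienceRestriction/saml2:Audience", NS)]
    if config["audience"] not in audiences:
        problems.append(f"audience mismatch: {audiences!r}")

    # Okta was configured with Name ID format EmailAddress, so the NameID is the login e-mail.
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID missing or not in EmailAddress format")
    email = name_id.text if name_id is not None else None

    # The Group Attribute Statement named "roles" carries every matching Okta group.
    path = f".//saml2:Attribute[@Name='{config['group_attribute']}']/saml2:AttributeValue"
    roles = [v.text for v in root.findall(path, NS)]

    return {"email": email, "roles": roles, "problems": problems}


def merge_roles(saml_roles, ninox_roles, excluded):
    """'Merge SAML and Ninox roles': union of both sets, minus excluded groups such as Everyone."""
    kept = {r for r in saml_roles if r not in excluded}
    return sorted(kept | set(ninox_roles))


if __name__ == "__main__":
    result = validate_assertion(SAMPLE_ASSERTION, CONFIG)
    print(result)
    if not result["problems"]:
        print(merge_roles(result["roles"], ["Viewers"], CONFIG["excluded_roles"]))
```

Running the block prints the extracted e-mail and roles with an empty problem list, then the merged role list without Everyone. Swapping the audience in the sample for another value makes the check report an audience mismatch, which is the behaviour you want from the ninox-saml setting on both sides.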