Integrate with Okta

Overview

Integrating Okta Single Sign-On (SSO) is a quick and easy process. There are only two pieces of information we are going to copy and paste from one system to the other.

  • The Frame SAML2 Integration Name. This is a name you pick when you create the SAML authentication integration. The name should be something no one else has used across the platform. It should contain only letters, numbers, and the dash symbol; no spaces or other punctuation are allowed. It is also case-sensitive: you must use this name exactly as it appears in later steps of this guide, upper and lower case included.

Note

The SAML2 integration name you choose will be displayed on the SSO login button used by anyone attempting to log in to the platform.

  • The Okta Federation Metadata Document URL. This is a URL where Okta keeps the SAML2 Metadata for your account.

Following the steps below, you can find these values and copy them from Okta to Frame and from Frame to Okta. This process should take less than fifteen minutes.

Configure Okta

  1. First, log into your Okta account as an Admin and open the Dashboard. Select “Add Applications”.
  2. Select “Create New App”.
  3. Choose “SAML 2.0”.
  4. Provide a name and icon. You can use the Frame logo icon below or one of your own. Click “Next.”
[Frame logo icon: frame_logo.png]
  5. You will be taken to the “SAML2 Settings” page.
  6. Fill in the Single Sign-on URL, which will be in the following format:
https://img.frame.nutanix.com/saml2/done/[SAML2_INTEGRATION_NAME]/

Warning

The forward slash at the end of the URL is required for the integration to work correctly.

We’ll enter a DNS-compliant string into the “Audience URI” field. For this example, we will use frame-docs. This string will be entered on the Frame side as our “Application ID.”

  7. Select “Show Advanced Settings” in the bottom right corner.
  8. Change “Response” to “Unsigned”. Leave the default values for the rest. Scroll down.
  9. Add three “Attribute Statements.” They must be exactly as shown in the Okta settings screenshot, including capitalization. Click “Next”.

10. Hover over the Identity Provider Metadata link. You should see something similar (but not identical) to the example. Copy that link and save it for the next portion of the setup.


11. Authorize any groups or users you want to allow to use the Frame App in whichever way you normally manage app permissions in Okta. You can reference the Okta documentation if needed.

The Okta side of the setup is now complete.

Create the SAML2 Authentication Integration Provider in Frame

  1. A SAML2 authentication integration can be configured at any level (depending on administrative access) by navigating to the Admin page and clicking on the ellipsis listed next to the desired entity name. Select “Edit” from the menu that appears.
  2. Navigate to the “Security” tab and enable the “SAML2” toggle under “Authentication.”
  3. Once the setting is saved, the “SAML2 Providers” tab will appear. Navigate to this tab and then click “Add Provider.”
  4. A new window will appear prompting you to enter some of the information you obtained earlier.
  • Application ID: The Application ID identifies a partner across federation interactions and can be set to any DNS-compliant string. It must match the “Audience URI” entered in Okta; in this example that is frame-docs.
  • Auth provider metadata: Check the “URL” option for this field and paste the Identity Provider Metadata URL (reference step 10 above) into the “Auth provider metadata URL” field.
  • Name: Enter your unique SAML2 Integration name here. The name should have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. It is also case-sensitive. We’ll use the SAML2 integration name docs-auth-okta for this example. Please do not use this name for your own integration.
  • Authentication token expiration: Set the desired expiration time for the authentication token. This can range from 5 minutes to 7 days.
  • Signed response: Leave this toggle disabled. If you wish to use Signed SAML2 Responses, please contact Frame Support or your Account Manager for further instructions.
  • Signed assertion: Enable this toggle.
  5. Click “Add.”

Configure SAML2 Permissions

Once the IdP is successfully configured on Frame, administrators will need to configure the authorization rules for the account from the “SAML2 Permissions” tab listed to the right of the current tab. Read more about user roles and permissions in our “User Permissions” section.


Using Okta as a SAML2 Authentication Integration

Your new SAML2 auth integration will appear as a button on your Xi Frame login page. The URL of your Xi Frame login page depends on the level at which the SAML2 integration was configured.

Customer level:

https://frame.nutanix.com/[customer_URL]/

Organizational level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/

Account level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/[account_URL]/
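Most failed Okta-to-Frame integrations come down to a mismatch between the two forms: a missing trailing slash or a case difference in the Single Sign-on URL, an Audience URI that differs from the Application ID, or the Response/assertion signing toggles set the opposite way on each side. The following pre-flight checker is an added example (not Frame's or Okta's code) that encodes the rules from the “Configure Okta” and “Create the SAML2 Authentication Integration Provider” sections above; the dictionary keys and the metadata URL are assumed placeholders standing in for the values you would read off the two admin screens.

```python
import re
from datetime import timedelta

# Added example, not Frame's or Okta's code. Dict keys are assumed names for the settings
# the guide describes; the rules themselves come from the guide's text.
NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")
ACS_BASE = "https://img.frame.nutanix.com/saml2/done/"
MIN_EXPIRY, MAX_EXPIRY = timedelta(minutes=5), timedelta(days=7)


def expected_acs_url(integration_name: str) -> str:
    """Single Sign-on URL Okta must post to; Frame requires the trailing slash."""
    if not NAME_RE.fullmatch(integration_name):
        raise ValueError(f"bad integration name {integration_name!r}: letters, digits, '-' only")
    return f"{ACS_BASE}{integration_name}/"


def preflight(okta: dict, frame: dict) -> list[str]:
    """Compare the Okta SAML app settings with the Frame provider settings; return findings."""
    try:
        acs = expected_acs_url(frame["name"])
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if okta["sso_url"] != acs:  # exact, case-sensitive, slash included
        findings.append(f"Okta Single Sign-on URL {okta['sso_url']!r} should be {acs!r}")
    if okta["audience_uri"] != frame["application_id"]:
        findings.append("Okta Audience URI does not match the Frame Application ID")
    if okta["response_signed"]:
        findings.append("Okta Response must be Unsigned while Frame's Signed response is off")
    if not okta["assertion_signed"]:
        findings.append("Okta must sign the assertion because Frame's Signed assertion is on")
    if not MIN_EXPIRY <= frame["token_expiry"] <= MAX_EXPIRY:
        findings.append("Frame token expiration is outside the 5 minute to 7 day range")
    return findings


# Constructed sample settings mirroring the guide's example values.
OKTA_APP = {
    "sso_url": "https://img.frame.nutanix.com/saml2/done/docs-auth-okta",  # slash missing
    "audience_uri": "frame-docs",
    "response_signed": False,
    "assertion_signed": True,
}
FRAME_PROVIDER = {
    "name": "docs-auth-okta",
    "application_id": "frame-docs",
    "token_expiry": timedelta(hours=8),
}
```

Running `preflight(OKTA_APP, FRAME_PROVIDER)` on the sample reports the missing trailing slash and nothing else; once the slash is added the list is empty.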