Integrate with Okta

Overview

Okta provides a flexible yet simple Identity Provider solution that integrates easily with the Xi Frame platform. Following the steps below, you simply need to locate, copy, and paste certain values between platforms. This process should take less than fifteen minutes.

Attention

Please be aware that while Okta does have a pre-built Nutanix Frame app, this app does not yet support group attributes. In order to use group attributes, you must configure the application manually as described below.

Xi Frame Preparation

  1. From the Admin view, navigate to the desired entity where you wish to set up your Okta integration.
  2. Click on the ellipsis listed next to the entity name and select “Users.”
../../_images/oktar_1a.png
  3. Navigate to the “Authentication” tab. Enable the “SAML2” toggle and click “Save” in the upper right corner.
../../_images/oktar_1b.png
  4. More options will appear next to the “Authentication” tab; click on the “SAML2 Providers” tab.
  5. Click “Add SAML2 Provider.” Leave this browser tab open.
../../_images/oktar_1c.png

Configure Okta

  6. In a separate tab, log in to your Okta account as an Admin and open the Dashboard. Select “Add Applications.”
../../_images/oktam_1.png
  7. Click “Create New App” in the upper right corner.
../../_images/oktam_2.png
  8. Choose “SAML 2.0” under the “Web” platform option.
../../_images/oktam_3.png
  9. Provide an app name and app icon. You can use the icon below or one of your own. Click “Next.”
../../_images/oktam_4.png
../../_images/frame_logo.png
  10. You will be taken to the “SAML Settings” page.
../../_images/oktam_5.png
  11. Decide on a SAML2 integration name. The SAML2 integration name you choose will be displayed on the SSO login button used by anyone attempting to log in to the Frame platform. Once you have decided on a name, fill in the Single Sign-on URL, which will be in the following format:
https://img.frame.nutanix.com/saml2/done/[SAML2_INTEGRATION_NAME]/

Warning

The forward slash at the end of the URL is required for the integration to work correctly.

  12. Next, we’ll enter a DNS-compliant string into the “Audience URI” field. For this example, we will use okta-frame-test. This customer-defined string will be entered on the Frame side as our “Application ID” later on. You must use your own unique Audience URI for your own integration. Enter the following URL into the “Default RelayState” field as well: https://frame.nutanix.com
../../_images/oktam_6.png
  13. Use the drop-down menus to match the settings displayed below. Select “Show Advanced Settings” in the bottom right corner.
../../_images/oktam_7.png
  14. Change “Response” to “Unsigned”. Leave the default values for the rest. Scroll down.
../../_images/oktam_8.png
  15. Add three “Attribute Statements.” They must be exactly as shown here, including capitalization. Optionally, you can add “Group Attribute Statements” if you wish. We will discuss how you can use group attributes with Frame in later steps.
../../_images/oktam_9.png
  16. Click “Next” and fill out the feedback page as desired.
../../_images/okta_feedback.png
  17. Click “Finish.”
  18. You will automatically be taken to the “Sign On” page, where we’ll obtain the final piece of information. Scroll down to the bottom box under “Sign On Methods” and right-click on the blue “Identity Provider metadata” link. Copy the link URL and save it somewhere to reference in later steps.
../../_images/oktam_9b.png

The Okta side of the setup is now complete. Next, we’ll configure the Frame side of the integration.

Frame Setup

  19. Navigate back to your Xi Frame tab and enter the following data:

../../_images/okta_10.png
  • Application ID: The Application ID identifies a partner across federation interactions and can be set to any DNS-compliant string. In this example, we used okta-frame-test. You must use your own unique Application ID for your own integration.
  • Auth provider metadata: Check the “URL” option and paste the Identity Provider metadata URL (reference step 18 above) into the “Auth provider metadata” field as shown above.
  • Name: Enter your unique SAML2 Integration name here. The name should have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. It is also case-sensitive. We’ll use the SAML2 integration name your-unique-name for this example. Please do not use this name for your own integration.
  • Authentication token expiration: Set the desired expiration time for the authentication token. This can range from 5 minutes to 7 days.
  • Signed response: Leave this toggle disabled. If you wish to use Signed SAML2 Responses, please contact Frame Support or your Account Manager for further instructions.
  • Signed assertion: Enable this toggle.
  20. Click “Add.”
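Because the Okta and Frame sides are configured in separate browser tabs, the values most often get out of step: a Single Sign-on URL without the trailing slash, an Audience URI that differs (even only in case) from the Frame Application ID, or a signing toggle left at the wrong setting. The following Python script is an added example, not part of this guide and not Okta or Nutanix code. It encodes the requirements stated in the steps above as a pre-flight check and reports every mismatch between the two sides. The dictionary field names, the timedelta representation of the token expiration, and the sample values are constructed for illustration; the three attribute statement names appear only in the guide's screenshot, so the sample uses placeholders for them and the script checks only their count.

```python
"""Pre-flight check for an Okta <-> Xi Frame SAML2 configuration.

Added example; field names and sample values are constructed for illustration
and are not part of the Frame guide or of any Okta/Nutanix code.
"""
import re
from datetime import timedelta

FRAME_ACS_PREFIX = "https://img.frame.nutanix.com/saml2/done/"
FRAME_RELAY_STATE = "https://frame.nutanix.com"
# Integration name: letters, digits and dashes only (case-sensitive, no spaces).
NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")
# One DNS label: alphanumerics and dashes, no leading/trailing dash, max 63 chars.
DNS_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MIN_EXPIRY = timedelta(minutes=5)
MAX_EXPIRY = timedelta(days=7)


def is_dns_compliant(value: str) -> bool:
    """True when every dot-separated label of `value` is a valid DNS label."""
    return bool(value) and all(DNS_LABEL_RE.match(label) for label in value.split("."))


def check_saml_config(okta_app: dict, frame_provider: dict) -> list[str]:
    """Compare the Okta app settings with the Frame SAML2 provider settings.

    Returns one message per mismatch; an empty list means the two sides agree.
    """
    problems = []
    name = frame_provider["name"]
    if not NAME_RE.match(name):
        problems.append(f"integration name {name!r}: only letters, digits and dashes are allowed")

    # The ACS URL Okta posts to must carry the integration name and end with "/".
    expected_acs = f"{FRAME_ACS_PREFIX}{name}/"
    acs = okta_app["single_sign_on_url"]
    if acs != expected_acs:
        hint = " (trailing slash missing)" if acs + "/" == expected_acs else ""
        problems.append(f"Single Sign-on URL {acs!r} should be {expected_acs!r}{hint}")

    # Audience URI (Okta) and Application ID (Frame) must be the same string.
    audience, app_id = okta_app["audience_uri"], frame_provider["application_id"]
    if audience != app_id:
        problems.append(f"Audience URI {audience!r} does not match Frame Application ID {app_id!r}")
    if not is_dns_compliant(audience):
        problems.append(f"Audience URI {audience!r} is not DNS-compliant")

    if okta_app["default_relay_state"] != FRAME_RELAY_STATE:
        problems.append(f"Default RelayState should be {FRAME_RELAY_STATE!r}")

    # Signing: response unsigned on both sides, assertion signed on both sides.
    if okta_app["response_signed"]:
        problems.append("Okta 'Response' must be set to Unsigned")
    if not okta_app["assertion_signed"]:
        problems.append("Okta 'Assertion Signature' must remain Signed")
    if frame_provider["signed_response"]:
        problems.append("Frame 'Signed response' toggle must stay disabled")
    if not frame_provider["signed_assertion"]:
        problems.append("Frame 'Signed assertion' toggle must be enabled")

    expiry = frame_provider["token_expiration"]
    if not MIN_EXPIRY <= expiry <= MAX_EXPIRY:
        problems.append(f"token expiration {expiry} must be between 5 minutes and 7 days")

    # The guide requires exactly three attribute statements, named exactly as in
    # its screenshot (case included); only the count can be checked here.
    if len(okta_app["attribute_statements"]) != 3:
        problems.append("exactly three Attribute Statements are required")
    return problems


def good_config() -> tuple[dict, dict]:
    """Constructed sample that follows the guide; it reuses the guide's own example IDs."""
    okta_app = {
        "single_sign_on_url": f"{FRAME_ACS_PREFIX}your-unique-name/",
        "audience_uri": "okta-frame-test",
        "default_relay_state": FRAME_RELAY_STATE,
        "response_signed": False,
        "assertion_signed": True,
        # Placeholder names: use the exact names shown in the guide's screenshot.
        "attribute_statements": ["ATTR_1_PLACEHOLDER", "ATTR_2_PLACEHOLDER", "ATTR_3_PLACEHOLDER"],
    }
    frame_provider = {
        "name": "your-unique-name",
        "application_id": "okta-frame-test",
        "token_expiration": timedelta(hours=8),
        "signed_response": False,
        "signed_assertion": True,
    }
    return okta_app, frame_provider


def broken_config() -> tuple[dict, dict]:
    """Same sample with five common mistakes introduced."""
    okta_app, frame_provider = good_config()
    okta_app["single_sign_on_url"] = okta_app["single_sign_on_url"].rstrip("/")  # no trailing slash
    okta_app["audience_uri"] = "Okta-Frame-Test"        # case differs from the Application ID
    okta_app["response_signed"] = True                  # response left at Okta's default "Signed"
    frame_provider["signed_response"] = True            # toggle enabled without Frame Support
    frame_provider["token_expiration"] = timedelta(days=30)
    return okta_app, frame_provider


if __name__ == "__main__":
    for label, cfg in (("good", good_config()), ("broken", broken_config())):
        issues = check_saml_config(*cfg)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it as-is to see the good sample pass and the broken sample report five findings; to use it on a real setup, fill the two dictionaries with the values you typed into each tab (keeping the screenshot's attribute names) and fix every line it prints before clicking “Add.”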

You have successfully created your Okta integration with the Xi Frame platform! Move on to the next section for configuration information.

Configure SAML2 Permissions

Once you have connected the IdP to Xi Frame, administrators will need to configure the authorization rules for the account from the “SAML2 Permissions” tab listed under the “Security” tab of the Settings page. Use the link to read more about User Permissions.

../../_images/saml2permissions.png

You can also authorize any groups or users you want to allow to use the Xi Frame platform in whichever way you normally manage assignments in Okta. We recommend following the guidance of Okta’s support team provided in this link regarding group attribute statements with custom SAML applications. Reference Okta documentation for additional information.

Using Okta as a SAML2 Authentication Integration

Your new SAML2 auth integration will appear as a button on your Xi Frame login page. The URL for navigating to your Xi Frame login page will vary depending on the level at which the SAML2 integration was configured.

Customer level:

https://frame.nutanix.com/[customer_URL]/

Organizational level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/

Account level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/[account_URL]/
../../_images/finalokta.png