Okta

Okta provides a flexible yet simple Identity Provider solution that integrates easily with the Frame platform. Following the steps below, you simply need to locate, copy, and paste certain values between platforms. This process should take less than fifteen minutes. Refer to Okta documentation for additional information on how to configure Okta.

Attention

Please be aware that while Okta does have a pre-built Nutanix Frame app, this app does not yet support group attributes. In order to use group attributes, you must configure the application manually as described below.

Getting Started

To begin, let's create a URL-friendly SAML2 Integration Name that we'll use in a few places throughout our setup. Continue below for help and examples that you can use in your SAML integration.

Integration Name examples for Okta

Your SAML2 Integration Name is a case-sensitive, URL-friendly, unique, and descriptive value that represents the integration between your Okta and Frame. This value can have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed.

We recommend using something that includes descriptive information, such as your company and identity provider's names. This integration name is tied to your SAML2 endpoints on Frame and using descriptive names can be useful for debugging.

Optionally, fill out the information below to get a recommendation of what you could use.

1. Enter your company name:

2. Customize your IdP Name:

3. Pick a style:
Bobs-Burgers-Frame-Oktagreat
bobs-burgers-frame-okta
Bobs-Burgers-Oktagood
bobs-burgers-okta
BobsBurgersOkta
Bobs-Burgersnot very descriptive

4. Copy values

Integration Name:

Bobs-Burgers-Frame-Okta

Copy your Single sign on URL:

https://img.console.nutanix.com/saml2/done/Bobs-Burgers-Frame-Okta/

Using the values copied from above and following the steps below, we'll create and gather these details to configure proper communication between Okta and Frame.

1. From the Nutanix Console, navigate to your desired entity where you wish to set up your Okta integration (Customer/Organization/Account).

2. Click on the ellipsis listed next to the entity name and select Users.

   

3. Navigate to the Authentication. Enable the SAML2 toggle and click Save in the upper right corner.

   

4. More options will appear next to the “Authentication” tab, click on the “SAML2 Providers” tab.

5. Click Add SAML2 Provider.

   

6. Let's keep this browser tab open. We'll return back to it after a few steps in Okta's Dashboard.

Add an Application to Otka

7. In a separate/new tab, log in to your Okta account as an Admin and open the Dashboard. Select Add Applications.

   

8. Click Create New App in the top-right corner of the page.

   

9. Set the following two fields:

   

   • Platform: Choose Web.
   • Sign on method: Choose SAML 2.

   Click Create.

10. Provide an app name and icon. We've provided a Frame icon below for convenience:

    

    

11. You will be taken to the SAML Settings page.

    

    Next, it's time to paste our Single sign on URL from the Getting Started section of this page.

    Caution

    The forward slash at the end of the URL is required for the integration to work correctly.

12. Next, we'll enter a DNS-compliant string into the “Audience URI” field. For this example, we will use okta-frame-test. This customer-defined string will be entered on the Frame side as our Application ID later on. You must use our own unique Audience URI for your own integration. Enter the following URL into the Default RelayState field as well: https://frame.nutanix.com

    

13. Use the drop-down menus to match the settings displayed below. Select Show Advanced Settings in the bottom right corner.

    

14. Change Response to Unsigned. Leave default values for the rest. Scroll down.

    

15. Add three Attribute Statements. They must be exactly as shown here, including capitalization. Additionally, you can add “Group Attribute Statements” if you wish. We go into detail for passing group attributes/claims in later steps.

    

16. Click Next and fill out the feedback page as desired.

    

    Click Finish.

17. You will automatically be taken to the Sign On page/tab where we'll obtain the final piece of information. Scroll down to the bottom box under the Sign On Methods section and right-click on the blue Identity Provider metadata link. Copy the link URL and save it somewhere to reference in later steps.

    

    The Okta side of the setup is now complete. Next, we'll configure the Frame side of the integration using the the values we've copied from these steps in the Okta Dashboard.

Tying it all together

18. Navigate back to your Frame tab and enter the following data into our Add a SAML2 Identity Provider form:

    

    • Application ID: The Application ID identifies a partner across federation interactions and can be set to any DNS-compliant string. In this example, we used okta-frame-test. You must use your own unique Application ID for your own integration.
    • Auth provider metadata: Check the “URL” option and paste the Identity Provider metadata URL (reference step 18 above) into the “Auth provider metadata” field as shown above.
    • Integration Name: Enter your unique SAML2 integration name here from the Getting Started section at the top of the page.
    • Custom Label: When specified, this value will be used in the login page as Sign in with <Custom Label>.
    • Authentication token expiration: Set the desired expiration time for the authentication token. This can range from 5 minutes to 7 days.
    • Signed response: Leave this toggle disabled. If you wish to use Signed SAML2 Responses, please contact Frame Support or your Account Manager for further instructions.
    • Signed assertion: Enable this toggle.

    Click Add.

You have successfully created your Okta integration with the Frame platform! Move on to the next section for configuring roles and permissions for your users, as well as information for passing Group attributes to Frame.

Configuring Permissions

Once the IdP is successfully configured on Frame, administrators will need to configure the authorization rules for the account from the “SAML2 Permissions” tab listed to the right of the SAML2 Provider tab. To learn more about Frame user roles and how to configure SAML2 permissions, go to “Roles” and “Specifying Permissions for SAML2 Users” sections, respectively, under “Manage User Permissions.”

Passing Group Attributes

You can authorize any groups of users you want to allow to use the Frame platform based on the user-group assignments you have configured in Okta. We recommend following the guidance of Okta's support team provided in this link regarding group attribute statements with custom SAML applications.

Groups attribute and the associated set of Okta groups to insert in the SAML2 Response can be defined in Okta. In this example, enter groups for the group name attribute and define the group name inclusion filter.

Here's an example of a list of groups in Okta:

Assuming that one of the Okta groups that is passed to Frame is Okta-Contractors, the Frame administrator would specify a SAML2 permission where any user's SAML2 response contains a value of Okta-contractors in the groups SAML2 attribute will be granted Account Administrator role on Frame account Contractor Account.

Signing into Frame with Okta

Your new SAML2 auth integration will appear as button on your Frame login page. The URL for navigating to your Frame login page will vary depending on which level the SAML2 integration was configured. See our section about Entities and URLs to help pick the right one for you and your end-users and/or staff.

When landing on a URL configured for your Okta SAML2 Integration, your end-users should see an option like this: