Identity Management in Nuxeo with Okta
Okta is a popular choice for identity management in the cloud these days, which is why we wanted to integrate its capabilities with the Nuxeo Platform. Configuring the Nuxeo Platform to use Okta for both authentication and user provisioning is extremely easy!
The Nuxeo Platform supports integration with any SAML 2.0 Identity Provider and it has been successfully tested so far with Okta, OneLogin, Ping One, SSOCircle, Google, OIF and ADFS. In this post, I will focus on Okta and show you how quick and easy it is to set up this integration with the help of Nuxeo Studio.
The Use Case
Let’s say that your organization is already using Okta as an identity provider and you have decided to implement the Nuxeo Platform as your organization's global Digital Asset Management (DAM) solution and need to configure the user authentication in the Nuxeo Platform with Okta.
You have basic knowledge of Nuxeo Platform and have used Nuxeo Studio to add some cool features to your new DAM project.
I’ll start from scratch. As I want this process to be fast, I will just deploy a Nuxeo LTS 2016 Docker container (8.10) in my existing OpenShift cluster and make it reachable at http://example-nuxeo-test-okta-integration.apps.io.nuxeo.com/ (Note that this is just a demo URL and won't be available later). Of course, it doesn't matter where and how you deploy the Nuxeo Platform (I just love containers). The steps to be implemented on the Nuxeo side for configuring Okta will always be the same. Actually, you can follow the same steps to integrate the Nuxeo Platform with any SAML 2.0 Identity provider.
If you don't have a running Nuxeo Server, you can just start a container locally to follow the next steps using:
$ docker run -p 8080:8080 nuxeo:8.10
The first step in configuring the Nuxeo Platform to support SAML-based Single Sign-On from Okta is to set up a new application in Okta. There is a tutorial with detailed steps in the Okta documentation that you can follow. Here is a short version of that tutorial:
1. You should already have an Okta organization. If you don't, then create a new one.
2. Create a New Application from Admin/Applications (I called mine Nuxeo Okta Integration) and choose SAML 2.0 as the Sign in method.
3. In the SAML settings, you must set the "Single sign on URL/IdP" and the "Audience URI (SP Entity ID)" to:
   - http://$NUXEO_URL/nuxeo/nxstartup.faces if you have the JSF UI (or both UIs)
   - http://$NUXEO_URL/nuxeo/ui if you are using the web UI alone
   In my case, this is what I have:
   Also, I have mapped the 'lastName', 'firstName' and 'email' properties from the Okta user profile to be passed to the Nuxeo Platform when authenticating.
4. Configure any additional info you might need (Okta will ask you for some feedback) and you are then (almost) done.
5. After the application is created, make sure you retrieve the Identity Provider Metadata for this application, as you are going to use it on the Nuxeo side. Just navigate to the Sign on tab in your Okta application and copy the link location (it's under View Setup Instructions, as shown in the image below).
In case you are wondering how the users are managed in Okta, keep following the steps below. If not, then just jump to Nuxeo Configuration as you can add users later!
Configure users in your Okta organization.
If you are not starting from scratch with Okta, you might already have users configured in your organization (maybe even through a directory integration). If that’s not the case and you don’t have any users, then let’s add our old friend "John Doe". There are many options to import users in Okta, but we will just add one user manually for this example.
Users in an Okta domain/organization are global and can be assigned to any of the Okta applications within the organization. To add a new one, go to Directory/People and Add Person:
Make sure you use the email address as the username (to simplify things) and choose to send an activation email now if you think John is going to check his email now :) Also, I made sure John Doe has set up multi-factor authentication, so you should do the same!
Assign Okta users from your organization to your newly created Okta application.
Now that John Doe is in the system, we have to assign him to our newly created application. Go back to your applications, select your application (the Nuxeo Okta application) and go to Assignments/Assign/Assign to People:
Now let’s configure the Nuxeo Platform to use our brand new Okta application for authentication.
Install the SAML2-Authentication Marketplace package. Make sure you pick the right version for your server; in my case it is 2.3.
$NUXEO_HOME/bin/nuxeoctl mp-install saml2-authentication
Tell the Nuxeo Platform to authenticate against your Okta application by contributing a new "OKTA_AUTH" authenticationPlugin, and also map the attributes to match the ones you configured in Okta.
To do this, add our sample contribution to your Studio project and just modify the "metadata" parameter to point to the Identity Provider Metadata of your Okta application (the URL you retrieved from Okta in step 5 of the Okta configuration above).
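Here is what such an OKTA_AUTH contribution looks like, as an added example that is not the post's own sample contribution. It assumes the provider class, the Trusting_LM loginModulePlugin and the chain extension point follow the SAML2 authentication package's documented format (verify them against the package version you installed); the metadata URL is a placeholder for the link copied from the Sign on tab, and matching the Okta user to a Nuxeo user is left to the package's default email-based resolution, which fits the email-as-username choice made above.

```xml
<?xml version="1.0"?>
<!-- Added example contribution (not the post's sample). Class and extension
     point names are assumed from the SAML2 package's documented format. -->
<component name="org.nuxeo.sample.okta.auth.contrib">
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <require>org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService</require>

  <!-- The SAML authenticator: Nuxeo is the Service Provider, Okta the IdP. -->
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
             point="authenticators">
    <authenticationPlugin name="OKTA_AUTH" enabled="true"
        class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
      <!-- Trust the identity asserted by the IdP instead of checking a password locally -->
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <parameters>
        <!-- Label of the link shown on the Nuxeo login page -->
        <parameter name="name">Okta</parameter>
        <!-- IdP metadata: the URL copied from the Okta app's Sign on tab
             (placeholder value). It carries the IdP signing certificate and SSO
             endpoint, so keep it on HTTPS and re-check it whenever Okta rotates
             the certificate. -->
        <parameter name="metadata">https://YOUR_OKTA_ORG.okta.com/app/APP_ID/sso/saml/metadata</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>

  <!-- Add OKTA_AUTH to the chain so the Okta link is offered on the login page
       while form-based login stays available for local accounts. -->
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
             point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <plugin>OKTA_AUTH</plugin>
        <plugin>FORM_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>
```

In production, serve Nuxeo over HTTPS and register the https:// variants of the URLs from step 3 in Okta, so that the SAML response is not posted back over plain HTTP.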
Test Your New Setup!
If everything was set up correctly, you'll have a new Okta link on your login page in the Nuxeo Platform as below:
Click on the Okta link, and you’ll be redirected to the Okta login page:
After logging in to Okta, John Doe can access the Nuxeo Platform:
After the first login, the user "John Doe" exists in the Nuxeo Platform and can be used inside the Nuxeo Platform like any normal user (you can assign permissions, workflow tasks, etc.). If you need to have your Okta users available in the Nuxeo Platform before they actually log in for the first time, you can provision these users with SCIM, but I'll give you the details for this in another blog post!