How to Integrate with SSO for nOps access
Running a secure cloud system is very important. With the new nOps SSO feature, integrating SSO from your favorite SAML 2.0 provider is a smooth and easy process. You can currently integrate Okta, OneLogin, and Azure Active Directory (Azure AD), among others.
Getting Started
To incorporate SSO in nOps, you need to configure the SSO for your SAML provider. To do that, you first need to get some credentials from your nOps dashboard.
Your nOps Credentials
- To access your nOps SSO credentials, navigate to your SSO Settings page. Go to:
  Organizational Settings > SSO if you’re using the client portal
  or Partner Settings > SSO for the partner portal.
  You will be prompted to enable SSO for access to the SSO Settings page.
- Copy the Assertion Consumer Service and Entity ID values on the SSO Settings page and paste them into your SAML provider’s SSO configuration settings.
- Next you need to map some defined attributes. This should be done using the exact values as described. These attributes are called “Parameters” in OneLogin.

| Map this Attribute value | To this Attribute name |
| --- | --- |
| Email | User.Email |
| First Name | User.FirstName |
| Last Name | User.LastName |
| Groups | User.groups |
When you are done, you will be provided setup instructions which you will then use to configure SSO on nOps.
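Because the attribute names must match exactly, a quick check of a test assertion from your IdP can catch a mapping mistake before users are locked out. The following is an added example, not nOps code: it assumes names are compared case-sensitively, and the function name and sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names from the mapping table on this page (assumed case-sensitive).
REQUIRED = ("User.Email", "User.FirstName", "User.LastName", "User.groups")

# Constructed sample: an AttributeStatement with two deliberate mistakes
# (wrong case on the groups attribute, and no last-name attribute at all).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Groups"><saml:AttributeValue>nops-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_attribute_mapping(assertion_xml):
    """Return (missing, miscased, values) for the required attribute names.
    Checks names only; it does not verify the signature, so it is not an auth check."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values[name] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    by_lower = {name.lower(): name for name in values}
    missing, miscased = [], {}
    for want in REQUIRED:
        if want in values:
            continue
        got = by_lower.get(want.lower())
        if got is not None:
            miscased[want] = got  # present, but spelled with different case
        else:
            missing.append(want)
    return missing, miscased, values


if __name__ == "__main__":
    missing, miscased, _ = check_attribute_mapping(SAMPLE_ASSERTION)
    print("missing:", missing)
    print("wrong case (expected -> sent):", miscased)
```

Run it against a decoded assertion captured from a test login in your own IdP, replacing the constructed sample.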
Configuring SSO on nOps
After setting up SSO with your SAML provider, configure SSO on nOps.
To do that, you need some key credentials from Okta or OneLogin (i.e. your provider). They are:
- Issuer URL (entityId)
- SAML 2.0 Endpoint (HTTP) (singleSignOnService: URL)
- X.509 Certificate
Copy these values and paste them in their respective input fields on the nOps SSO settings page shown below.
Assigning Users
After completing these steps, you can add existing users to your application. New users will need to complete a one-time email activation in order to have SSO enabled for them.
Additional Features
nOps has some new features that you can activate for your SSO integration.
Enable SSO Login
When you enable the Enable SSO Login toggle shown below, users will be redirected to the SSO login for authentication the next time they try to sign in, and will only need to provide their email to sign in to nOps.
Leaving this feature disabled will require users to log in with their current login password credentials. However, this is only possible for users who went through the nOps sign-up process.
Enforce SSO login
To enforce SSO login for all users, you must specify a domain in the input box and also select the Enforce SSO login for all domain users checkbox shown below.
Users coming from the specified domain address must use the SSO Login process to sign in or they will be denied access.
If, however, you want to log in from another domain name, you can copy the value shown in the Shareable Link for IDP Login and sign in using that.
Setting User Roles
This feature allows you to choose a default role for users. You can choose between:
- client-member and client-admin if you are using the Client nOps portal
OR
- partner-member and partner-admin if you are using the Partners nOps portal.
For the Partner portals: the partner-admin role can send invitations, configure SSO and access the partners’ clients. A partner-member role has limited access only to clients.
For the Client portal: the client-admin role has access to all available options including SSO while the client-member role has no access privileges to the Settings pages.
Control your SSO user groups
You can also control your SSO user groups by setting an nOps role based on the SAML group. This feature is currently only available for Okta.
To enable this feature, you need to specify at least one value for admin and user groups.
In addition, you can select the Allow SAML Group Configuration to Override nOps Role checkbox. This will give preference to nOps-defined roles over your specified provider’s roles.
Update or Delete SSO Configuration
Lastly, you can update your SSO configuration or delete it entirely.