The following instructions assist the Identity Provider administrator with the setup of single sign-on (SSO) for Nebula with Okta. Nebula only supports SAML 2.0 authentication protocol.
Get started
- The email address used for the Nebula account must match the email address used for Okta.
- Log in to Nebula and go to Configure > Single Sign-on.
- Log in to your Okta Administrator portal and go to the Admin > Applications page.
Add the application in Okta - General Settings
- From the Applications page in Okta, click Create App Integration.
- In the Create a New App Integration dialog that opens, select SAML 2.0 and click Next.
- Name the app in the App name field and click Next.
Setup Okta SAML Settings
- In the Nebula Single Sign-On page, copy the Assertion Consumer Service URL.
- Paste the copied url into the Single sign on URL field in Okta.
- On the Nebula Single Sign-On page, copy the Service Provider Entity ID.
- Paste the copied url into the Audience URI (SP Entity ID) field in Okta.
- Leave Default RelayState field blank.
- Set Name ID format field to Unspecified.
- Set Application username field to Email.
- Leave update application username on Create and update.
- (A) Type email in the Name field > (B) set Name format to URI Reference > (C) type user.email in the Value field, in lowercase, exactly as displayed below.
- Click Next.
- Click Finish.
Upload Okta SSO XML file into Nebula
- You'll land on the Sign On tab of the new application you've created. On the right-side, click View SAML setup instructions.
- Scroll down to Optional at the bottom.
- Copy the IDP metadata.
- Paste it into a new file.
- Save the file as an XML file.
- In the Nebula Single Sign-On page, have a Nebula Super admin drag the .xml file or Choose a Different File to upload the Identity Provider (iDP) Metadata.
Enable SSO
- Once the metadata is uploaded, toggle on Enable SSO.
- Toggle on Just-In-Time (JIT) Provisioning to automatically create Nebula users if they don't already exist when authenticating through Okta.
- Toggle on Service Provider Initiated SSO if you will be accessing Nebula through a tile or button in Okta.
- Now the application can be assigned to your Nebula administrators in Okta.