Configuring SSO with Okta

The IBM® NS1 Connect® portal supports SAML 2.0 single sign-on (SSO) with Okta for logins initiated by both the identity provider (IdP) and the service provider (SP).

  • IdP-initiated login is when a user logs into the Okta platform and then selects the IBM NS1 Connect® application to be redirected to the IBM NS1 Connect® portal.
  • SP-initiated login is when a user navigates to the IBM NS1 Connect® portal login page and clicks the option to log in using SSO.

Note that there is no single sign-off, so a user who logs out of their Okta account while there is an active IBM NS1 Connect® session will remain logged in to the portal until the session expires.

Note: If you revoke someone's access to the organization's account via the Okta platform, you should also delete their inactive account within the IBM NS1 Connect® platform.

Step 1 - Request your SSO ID

Contact IBM support to request your organization's unique SSO ID.

Step 2 - Save the encryption certificate

The encryption certificate is used to encrypt the SAML information sent to the IBM NS1 Connect® platform. The certificate is available in Step 1 of Okta's How to Configure SAML 2.0 For NS1 guide.

Step 3 - Add the NS1 application to your enterprise applications

  1. Log in to the Okta portal, and then select the Classic UI view from the drop-down list.
  2. Click Applications in the sub-navigation.
  3. Click Add Application.
  4. Type NS1 in the search bar, and click the NS1 application from the list.
  5. Click Add.
  6. Under General Settings, enter the SSO ID provided to you by NS1.
  7. Click Done.

Step 4 - Send your identity provider metadata link to IBM support

  1. In the Okta portal, navigate to the NS1 application settings, and select Sign On settings from the subnavigation.
  2. Copy the link to Identity Provider metadata.
  3. Send the link to the identity provider metadata to IBM support.
    Note: When submitting the support ticket, please include the projected date by which you want to activate Okta SSO on your account. Full NS1 + Okta SSO activation should happen only after you’ve completed all the steps in these instructions — including initial user mappings. See Step 6 for details.

Step 5 - Upload the encryption certificate

  1. Confirm that the following Audience URI is displayed under General Audience URI (SP Entity ID): https://api.nsone.net/saml/sso/metadata
  2. In the Okta application, navigate to the NS1 application settings and select Sign-On from the sub-navigation.
  3. Next to Encryption Certificate, click Browse and select the certificate file you saved in Step 2.
  4. Click Upload.

Step 6 - Configure user mappings

An account administrator must configure user mapping based on usernames or email addresses. First, identify the format of usernames in your account: either a basic text string (for example, jdoe33) or an email address (for example, jdoe33@example.com).

  1. Navigate to IBM NS1 Connect®.
  2. Click the User Settings icon and select User & teams.
  3. Click the Users tab.
  4. In the User column, verify the username format.
  5. In the Okta application, navigate to the NS1 application details page, and click the Assignments tab.
  6. Click Assign to add people or groups from your organization to the NS1 application.
  7. In the User Name field, enter a username exactly as it appears in IBM NS1 Connect®.

    If your organization uses email format usernames, you must enter the user’s entire email address in the Edit User Assignment screen.
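The exact-match requirement in Step 6 and the earlier note about deleting accounts after revoking Okta access can be checked together before activation. The script below is an added example, not IBM or Okta code. It assumes you have copied the usernames from the Users tab and the User Name values from the Okta Assignments tab into lists by hand; the field names user_name and active and all sample values are constructed.

```python
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample data; the field names are assumptions, not an export format.
PORTAL_USERS = ["jdoe33@example.com", "asmith@example.com",
                "bchan@example.com", "old.admin@example.com"]
OKTA_ASSIGNMENTS = [
    {"user_name": "jdoe33@example.com", "active": True},
    {"user_name": "ASmith@example.com", "active": True},      # case differs
    {"user_name": "bchan", "active": True},                   # domain missing
    {"user_name": "old.admin@example.com", "active": False},  # revoked in Okta
]

def username_format(names):
    """Return 'email', 'plain' or 'mixed' for a list of usernames."""
    kinds = {"email" if EMAIL_RE.match(n) else "plain" for n in names}
    return kinds.pop() if len(kinds) == 1 else "mixed"

def audit_mappings(portal_users, okta_assignments):
    """Check each active Okta User Name against the portal's Users tab."""
    portal = set(portal_users)
    folded = {u.strip().lower(): u for u in portal_users}
    fmt = username_format(portal_users)
    report = {"format": fmt, "near_miss": [], "wrong_format": [], "unknown": []}
    covered = set()
    for a in okta_assignments:
        if not a["active"]:
            continue  # revoked assignments never cover a portal account
        name, key = a["user_name"], a["user_name"].strip().lower()
        if name in portal:
            covered.add(name)                      # exact match, as Step 6 requires
        elif key in folded:
            covered.add(folded[key])               # same person, but not an exact match
            report["near_miss"].append((name, folded[key]))
        elif fmt != "mixed" and username_format([name]) != fmt:
            report["wrong_format"].append(name)    # e.g. plain string in an email account
        else:
            report["unknown"].append(name)
    # Portal accounts with no active assignment: locked out once SSO is
    # activated, or left over after access was revoked in Okta.
    report["no_active_assignment"] = sorted(portal - covered)
    return report

if __name__ == "__main__":
    for key, value in audit_mappings(PORTAL_USERS, OKTA_ASSIGNMENTS).items():
        print(f"{key}: {value}")
```

Correct every near_miss and wrong_format entry in Okta before requesting activation, and review each no_active_assignment account to decide whether it needs an assignment or should be deleted from the portal.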

Step 7 - Contact IBM NS1 customer support to activate SSO

Once you’ve completed the steps, contact IBM support to indicate that you are ready to activate the Okta integration. Include the date and time that you would like to fully activate SSO. Once IBM NS1 Connect® has enabled SSO, users will only be able to log in via the NS1 application in the Okta platform.