Version: 4.10.0

Configure SAML SSO with Okta, PingID and oneLogin

Federation is a collection of common standards and protocols to manage and map user identities between Identity Providers across organizations (and security domains) via trust relationships (usually established via digital signatures, encryption, and PKI).

NodeSource Orgs can now take advantage of Identity Providers (IdP) such as Okta, PingID and OneLogin by using NSolid’s new SAML integration to manage user access to NSolid and NodeSource Accounts.

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider, and it can be used for SSO (Single Sign-On) for the NodeSource Account. The NodeSource Account is deployed ready for integration with third-party SAML 2.0-compatible identity providers.

Requirements to set up SAML SSO

To set up federated authentication via a SAML SSO integration, administrators must meet the following requirements:

  1. Enterprise Organization in your NodeSource Account
  2. Administration privileges in your NodeSource Account
  3. Administration privileges in your identity provider

Setup SAML with Okta

  1. Log in to your Okta Account as an administrator.
  2. Navigate to Admin Dashboard > Applications > Add Application.
  3. Click Create New App and choose SAML 2.0 as the Sign on method.
  4. Enter General Settings for the application, including App name and App logo (optional).
  5. Enter SAML Settings, including:
    1. Single sign on URL: https://api.nodesource.com/accounts/auth/acs
    2. Audience URL: https://api.nodesource.com/accounts/auth/idp-metadata
    3. Name ID format: unspecified
  6. Enter attribute statements as below, which will be used to map attributes between Okta and NodeSource.
  7. Create a new API Token (Security > API > Tokens > Create Token).
  8. In Settings > Features, enable Event Hooks to use SAML webhooks.
  9. In your SAML web app, under Sign On > Settings, copy the link address of Identity Provider metadata.
  10. In your NodeSource Accounts SAML settings, paste the values generated above.
  11. Identity Provider Metadata URL: the link address of Identity Provider metadata in Sign On > Settings
  12. APP ID: in your Okta SAML app page URL, e.g., (https://dev-712690-admin.okta.com/admin/app/nodesourcedev712690_nodesource_1/instance/0oamwnctp4tW02lzL356/...), the string after instance/ is your APP ID
  13. API Token: a unique API token generated by your SAML provider.
  14. Click the TEST CONNECTION button to test the single sign-on connection.

Use NSolid with Okta-based SAML

Users whose organizations chose to activate the Okta integration must first sign in at accounts.nodesource.com/signin in order to accept NodeSource’s Terms and Conditions. Once these are accepted, users can access the console directly using their SAML SSO credentials.

See here for details.

Setup SAML with PingID (Ping Identity)

  1. Log in to your PingOne Account as an administrator.
  2. Navigate to Applications.
  3. In My Applications tab, click Add Applications button and choose New SAML Application. (If New SAML Application is disabled, you should connect to an identity repository first. See https://support.pingidentity.com/s/document-item?bundleId=pingone&topicId=fml1564020492091-2.html for more info).
  4. Enter Application Details for the application, including Application Name and Application Description.
  5. Enter SAML Settings, including:
    1. Assertion Consumer Service (ACS): https://api.nodesource.com/accounts/auth/acs
    2. Entity ID: https://api.nodesource.com/accounts/auth/idp-metadata
  6. Map the necessary application provider (AP) attributes to attributes as below. You can get your orgId from the SAML tab on NodeSource Accounts.
  7. Select all user groups that should have access to this application. Users that are members of the added groups will be able to SSO to this application and will see this application on their personal dock.
  8. Review Setup and click Finish button.
  9. Go to the SAML tab in your NodeSource Accounts and paste the values generated above.
    1. IDENTITY PROVIDER METADATA: Your identity provider metadata (XML)
    2. SSO URL: Single Sign-On (SSO) URL of your SAML App.
  10. Click the TEST CONNECTION button to test the single sign-on connection.
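
When TEST CONNECTION fails, the usual cause is an IdP-side value that does not match the Single sign on URL / ACS and Audience URL / Entity ID given in the Okta and PingID steps above. The following is an added example, not NodeSource code: it checks a SAMLResponse captured from your own test login against those values. The function names and the sample response are constructed for illustration, the NameID check mirrors the Okta "Name ID format: unspecified" step, and the script does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

# Values from the SAML Settings steps on this page.
ACS_URL = "https://api.nodesource.com/accounts/auth/acs"
AUDIENCE = "https://api.nodesource.com/accounts/auth/idp-metadata"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response):
    """List mismatches between a captured SAMLResponse and the settings above.
    Configuration check only: it does NOT verify the XML signature."""
    # Parse only responses captured from your own IdP; use defusedxml otherwise.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is %r" % root.get("Destination"))
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:  # also hit when the IdP encrypts the assertion
        return problems + ["expected 1 Assertion, found %d" % len(assertions)]
    rcpt_path = "a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData"
    recipients = [e.get("Recipient") for e in assertions[0].findall(rcpt_path, NS)]
    if ACS_URL not in recipients:
        problems.append("Recipient is %r" % recipients)
    aud_path = "a:Conditions/a:AudienceRestriction/a:Audience"
    audiences = [(e.text or "").strip() for e in assertions[0].findall(aud_path, NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience is %r" % audiences)
    name_id = assertions[0].find("a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:
        problems.append("NameID Format is %r" % name_id.get("Format"))
    return problems

# Constructed sample (not a real IdP response): minimal unsigned Response.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
 <a:Assertion><a:Subject><a:NameID>user@example.com</a:NameID>
 <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{acs}"/>
 </a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>
 <a:Audience>{aud}</a:Audience></a:AudienceRestriction></a:Conditions>
 </a:Assertion></p:Response>"""

def encode_sample(acs, aud):
    return base64.b64encode(SAMPLE.format(acs=acs, aud=aud).encode())

if __name__ == "__main__":
    # Common mistake: the ACS URL pasted into the Audience / Entity ID field.
    print(check_saml_response(encode_sample(ACS_URL, ACS_URL)))
```

An empty list means the response matches the values on this page; each string in a non-empty list names the field that differs and the value the IdP actually sent.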

Setup SAML with oneLogin

  1. Go to https://developers.onelogin.com/ and create an account.
  2. If you already have a OneLogin account, log in as your organization's administrator and navigate to Apps > Company Apps, then click the [Add App] button.
  3. Enter SAML in the search box and select ‘SAML Test Connector (Advanced)’.
  4. Enter SAML in the search box and select the ‘SAML Test Connector (Advanced)’.
  5. Once selected, apply the following configurations in the Application Details section as below:
  6. Set Parameters as follows:
  7. Inside the SSO tab, click ‘View Details’ to get your X.509 Certificate.
  8. To get your IdP metadata URL, click the ‘MORE ACTIONS’ button, right-click on ‘SAML Metadata’ and copy the link address.
  9. Select DEVELOPERS > API Credentials to create your API Credentials as below:
  10. Click the New Credential button, select the Manage All option and save.
  11. Your API Credentials (CLIENT SECRET and CLIENT ID) are created.
  12. In accounts.nodesource.com, navigate to Settings > SAML.
  13. Copy and paste the metadata URL (step 9) in IDENTITY PROVIDER METADATA URL.
  14. APP ID: In your OneLogin SAML app page URL, i.e., (https://nodesourcedev.onelogin.com/apps/646661/...), the number after apps/ is your APP ID
  15. Also paste the CLIENT SECRET and CLIENT ID you generated in step 12 into their corresponding fields as shown below:

Force SAML Authentication

In your Organization’s SAML settings you can force SAML authentication, which means only users with the ability to use your organization’s Okta, PingID or OneLogin credentials can log in. If you previously invited non-SAML members (like third-party contractors) to your organization’s Team, those members will receive an email but will lose access to the organization. This feature is designed to easily secure and restrict access to your org’s NodeSource organization, accounts.nodesource.com and NSolid Console.

You can activate the feature by turning on the ‘Require SAML Authentication’ toggle in accounts.nodesource.com > Settings > SAML.
