S3 File Sharing with Okta Users
S3 file sharing with users on external identity providers like Okta is simplified with NirvaShare. Works with S3 compatible object storage such as AWS S3, DigitalOcean space, Linode, Vultr, etc. Okta is an Identity Provider that provides services to manage user identities and provides a SAML based authentication, by which users can use their single credentials to log in to different applications such as NirvaShare file shares. NirvaShare also supports other identity providers like Azure Active Directory, Google workspace, Keycloak, etc, but however, in this tutorial, we will discuss how to integrate Okta identity provider with NirvaShare to share and collaborate S3 object storage files. The process remains the same when integrating with other identity providers.
As a use case, we will walk you through how to create a SAML application on Okta having employee groups like HR and Finance, thereby assign these user groups to different shares that we create on NirvaShare.
Prerequisites
As prerequisites you will need to have:
- Make sure NirvaShare is installed either on cloud or on premise. In case if you do not have one, please check Quick Installation Guide. Alternatively, you can also do a one-click installation on any of our partnered cloud platforms for easy deployment. Click HERE for those options.
- Configure the Storage and User Application URL in NirvaShare AdminConsole. For details check HERE
- You will require a developer or enterprise account on Okta. Follow this LINK to sign up for a developer account.
- Two or more users assigned to groups on Okta. You can check how to do this in the link HERE.
Okta configuration
Now let us create a SAML application on Okta:
- Sign in to Okta as an administrator.
- In the Okta Console, navigate to Applications > Applications.
- Click Create App Integration.
For more information click HERE.
After clicking on Create App Integration button a dialog box pops, select SAML 2.0 as the Sign-in method for the new app and click next.
Now the settings for the new app opens, here you can provide a app name of your choice and add your brand logo which will appear on the login page. After providing required data, click on Next, which will take you to SAML settings.
At this juncture, you will require SAML metadata information from NirvaShare, hence log in to NirvaShare Admin console and create a new Login profile. Provide a name and choose Single Sign On (SAML 2) as the authentication type and create it.
Now right click on the newly created Login Profile and click on Edit option.
And click on the SAML metadata URL, which will open the metadata for the newly created Login Profile in a new tab.
From the metadata, copy the ACS URL and the Metadata URL from the XML.
Now return to the Okta, the new application that we created on Okta to SAML settings. Fill the copied ACS URL into the Single Sign On URL field and check the option to ‘Use this for Recipient URL and Destination URL’. The ACS URL is the endpoint on service provider i.e NirvaShare to which Okta (IdP) will redirect to during authentication response.
Fill the copied Metadata URL into the Audience URI field, this URL contains the SAML metadata of the service provider.
Scroll down to Group Attribute Statements, and add an attribute with the name member , name format as basic, filter as Matches regex and ” .* ” in the filter field. This will pass the group names of the user as part of the SAML assertion after authentication. This attribute will be used by NirvaShare to grant access based on group to respective Shares.
Now click on the next button that takes you to the feedback section.
In the feedback section select the option that says ” I’m a Okta customer adding an internal app ” and click on finish button.
Now the homepage of the newly created app appears.
Scroll down and click on the link for Identity Provider metadata, which will open in a new tab.
Open the Identity provider metadata tab, now right click and save it locally. Open the file and copy its contents.
The copied Identity provider metadata is now pasted in the metadata field of Login Profile that we created in NirvaShare admin console.
Finally, click on update authentication and the integration is complete.
Create user groups on Okta
Let us create groups in Okta and assign users to it. Click on the Directory tab at left menu tab and then on Groups
To create a group, click on Add Group button.
A dialog box pops up, provide a name as “hr” and a description if necessary and finally click on Add Group button.
On successful creation of the group it appears in the list of groups present. Now click on the newly created group, in our case it is “hr”.
Now click on manage people and add some users to this group, and click on save.
Now to assign the newly created application to this group by clicking on Manage App and assign the application to this group. Here we will assign newly created application to the hr group. Click on Done.
Follow the above steps and crate another group called finance. Add some users to the group and assign the same application to this group.
Adding groups to shares on NirvaShare
Groups in Okta can be granted access to specific Shares in NirvaShare.
Let us create couple of Shares for those specific groups.
Create a share with name say “only-hr” and select the Login Profile the one we created in above section. For the group name specify as “hr“, this indicates all users part of hr group will have access to this share. You can also specify more than one group name separated by comma.
Similarly, create three more shares and assign group name as “finance” and combination of both as “hr, finance“. The third share can be with out any group name.
Testing
Let us access the Login Profile URL. when a user tries to access, they are redirected to Okta login page for authentication. Provide credentials of any of the users from Okta.
After successful authentication the user will be redirected to the user app where they can access the shares assigned to the groups which they belong to.
Depending on the group user belong to and only those Shares assigned to the group will be seen in the User application.
Users who is part of both “hr” and “finance” groups get to see Shares assigned to both groups.
When a user is not part of any group, then they can access only the shares that have no group assigned to it.
With this, it is very much possible to control access to Shares which in turn has fine access control on operations related to Download, Delete, Upload, etc. Above usecase demonstrates, how to share and collaborate files across departments in an organization with security and audit in place using any of object file storage.