Okta

This document applies to Dash Enterprise version 3.3+ and Okta Identity Cloud.

Setup

Please note that these steps assume a Dash Enterprise domain of https://dash.example.com. Please substitute your Dash Enterprise domain as appropriate.

Adding to Okta

1- As an admin, login to Okta and browse to the “Applications” page.

2- In the top-left, click the “Add Applications” button.

3- On the left-hand side, click the “Create New App” button.

4- Within the modal that appears, ensure that:

• Platform is set to Web

• Sign on Method is set to SAML 2.0

5- On the "General Settings" page, set the App name field to Dash Enterprise and click the "Next" button.

6- On the “SAML Settings” page, set the values as follows and click the “Next” button:

• Single sign-on URL: https://dash.example.com/Auth/saml2/acs/

The trailing slash is required!

• Use this for Recipient URL and Destination URL: Checked

• Allow this app to request other SSO URLs: Unchecked

• Audience URI (SP Entity ID): https://dash.example.com/Auth/saml2/metadata/
• Default RelayState: Leave empty

• Name ID format: “Unspecified”

• Application username: Email prefix

• Update application username on: Create and update

7- Optional: Group information can be passed to Dash Enterprise by configuring a group attribute statement within Okta. The name of the attribute will need to be set as groups and the filter can be set as desired. For instance, to return all Okta groups, to which a user is a member, the Matches regex filter can be used and set to .* as displayed below.

8- On the “Okta support” page, set the answer for the question Are you a customer or partner? to I’m an Okta customer adding an internal app. Leave all the other questions empty and click the “Finish” button.

Adding to Dash Enterprise

1- As an admin, login to Okta and browse to the “Applications” page.

2- Click on the created “Dash Enterprise” app.

3- On the “Sign On” tab, copy the url linked as “Identity Provider metadata”. This is necessary for configuring the IdP on Dash Enterprise.

4- Assign at least one user to your Dash Enterprise app (see section on that below). If not you’ll see an error message upon attempting login like:

5- Browse to your replicated admin at https://dash.example.com:8800

6- Browse to the “Settings” page.

7- On the “Settings” page, scroll down to the “SAML 2 Authentication” section and check Enable SAML 2 Authentication toggle.

8- Set the following options in this section (leave unspecified options as is):

• Enter a URL to the IdP (remote) metadata: Selected

• IdP (remote) Metadata URL: The url previously copied from Okta

• Use name_id from IdP as Plotly Username: Checked

• Automatically generate local certificates and keys for SAML: Selected

• Enable encryption when communicating with IdP: Checked

9- Scroll down and click “Save” and then restart Dash Enterprise.

Assigning Users

To enable users in Dash Enterprise, you may either assign groups of users or provision specific users.

Please note that provisioning users via Okta’s SAML2 service does not circumvent Dash Enterprise licensing limits. Please contact your sales representative to increase the number of Dash App Creators if necessary.

At this time, only admin users may create applications.

Admin Users

At this time, there is a limit of one (1) admin user.

1. Browse to your replicated admin at https://dash.example.com:8800
2. Browse to the “Settings” page.

3. On the “Settings” page, scroll down to the “Administrator Credentials”.

4. Check the Create admin user toggle and set the username who should be an admin in the Admin Username box.

5. Scroll down and click “Save” and then restart Dash Enterprise.

Single User Assignment

1- As an admin, login to Okta and browse to the “Applications” page.

2- Click on the created “Dash Enterprise” app.

3- On the “Assignments” tab, click the “Assign” button dropdown, and click the “Assign to People” option.

4- In the “Assign Dash Enterprise to People” modal, search for the person you wish to add and click the “Assign” button next to their name.

5- Leave the username as their email prefix and click “Save and Go Back”.

6- Click the “Done” button.

Group Assignment

1- As an admin, login to Okta and browse to the “Applications” page.

2- Click on the created “Dash Enterprise” app.

3- On the “Assignments” tab, click the “Assign” button dropdown, and click the “Assign to Groups” option.

4- In the “Assign Dash Enterprise to Group” modal, search for the group you wish to add and click the “Assign” button next to their name.

5- Click the “Done” button.

Enabling Single Logout (SLO)

1- As an admin, login to Okta and browse to the “Applications” page.

2- Click on the created “Dash Enterprise” app.

3- In the General settings tab, on the SAML Settings panel, click Edit.

4- In the SAML configuration wizard, click Next to move to step 2 Configure SAML.

5- On the Configure SAML page, click Show Advanced Settings.

6- Select the check box to Allow application to initiate Single Logout.

7- Single Logout URL: https://dash.example.com/Auth/saml2/ls/post/

8- SP Issuer: https://dash.example.com/Auth/saml2/metadata/

9- Signature Certificate:

• SSH into your instance

• Copy the certificate from dashauth container:

sudo docker cp dashauth:/var/www/streambed/saml2/signing.crt signing.crt

• Download the file from the instance

tsh scp username@instance_address:/home/username/signing.crt ~/local_directory/

• Upload it to the site (important: ensure you don’t have any ad blockers enabled, as they tend to disable the “Upload Certificate” button)

10- Response: unsigned

11- Authentication context class: unspecified

12- Honor Force Authentication: No

13- Click Next, click Finish.

14- In Server Manager**:** under SAML, enable Signed AuthnRequests