Overview
If your organization leverages Single Sign-On for users to access and operate Dasera, you can manage users from within your identity provider. This article describes how you can set up and use IDP-based platform user management.
Please note that the steps below require that SSO already be set up. Read the article Enable Single Sign-On to learn more.
Dasera Platform SSO Settings
- Navigate to Platform Settings → SSO
- Click the pencil icon to edit your IDP provider details.
- Scroll down to the toggle option to Manage Platform Users from IDP.

- Turn this on to manage platform users within your identity provider.
- You will see a warning that SSO user creation going forward is controlled by your identity provider, and you cannot create new local users within Dasera.

- Click Confirm.
Okta Configurations for Dasera Platform Roles
There are three primary ways to assign Dasera Roles to SSO users in Okta:
- Custom user profile attributes
- Application profile attributes
- Group membership
Only one of the above setups needs to be performed to assign Dasera platform roles to SSO users. The sections below describe how to employ each of these methods to supply roles in Okta for your platform users.
Custom User Profile Attributes
For this setup, custom attributes are added to each platform user's profile within Okta to define their Dasera access and platform role.
Configure SAML Settings
First, configure your SAML Settings to include a custom attribute statement.
- Navigate to Applications and click on your Dasera app.
- Click on the General tab.
- Scroll down to SAML Settings and click the Edit button.

- Click the Next button until you reach the Configure SAML step. Scroll down to Attribute Statements (optional) and click the Add Another button.
- In the fields that appear, enter the following information as shown:

- Click Next until all steps are complete in this flow.
- You can preview the SAML Assertion to verify the Attribute Statement. It should appear as follows:
<saml2:AttributeStatement>
  <saml2:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">George
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Washington
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="Dasera_Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Super_Admin,RoleName1,RoleName2
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
Adding Custom Attributes to User Profile
Then, add the custom attribute field to your default User Profile:
- Within Okta, navigate to Directory → Profile Editor.
- Click on User (default), then the Add Attribute button.
- Add a custom attribute with the following selections and fields.

- Click Save.
- The new custom attribute appears on the Profile Editor.

Adding Roles for Individual Users
Once you've added the custom attribute to the Profile Editor as described above, you can populate the Dasera role on an individual user profile.
- Navigate to Directory → People → user name.
- Click on the user's Profile tab and scroll to the bottom.
- You'll see the custom attribute where you can input platform roles.
- Enter at least one role here that corresponds with an existing platform role in Dasera for them to be automatically provisioned to Dasera via SSO. As a reminder, built-in platform roles are Super_Admin, Data_Set_Admin, and Data_Team.
- If you input a role value that does not correspond to an existing platform role, that role is not assigned to the user. A user will be unable to log into Dasera if none of the platform roles defined for them in Okta exist in Dasera.

- Once you've inputted a role, click Save.
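The following is an added example, not part of the original article or Dasera's own code: it parses an assertion preview like the one above and reports which Dasera_Roles values match existing platform roles and whether the login would be blocked. The sample XML is constructed, the role set contains only the built-in roles named on this page, and exact, case-sensitive matching is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion preview shaped like the one above, with the
# saml2 namespace declared so the fragment parses on its own.
SAMPLE_PREVIEW = """\
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="Dasera_Roles"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue>Super_Admin, data_team,RoleName1
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

# Assumption: the roles that exist in Dasera are the three built-in ones.
PLATFORM_ROLES = {"Super_Admin", "Data_Set_Admin", "Data_Team"}


def roles_in_assertion(xml_text, attr_name="Dasera_Roles"):
    """Return the role names carried by the Dasera_Roles attribute."""
    root = ET.fromstring(xml_text)
    roles = []
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.findall("saml2:AttributeValue", SAML_NS):
            # The preview puts the closing tag on its own line, so strip
            # whitespace around every comma-separated entry.
            text = value.text or ""
            roles += [r.strip() for r in text.split(",") if r.strip()]
    return roles


def check_roles(xml_text, platform_roles=PLATFORM_ROLES):
    """Split asserted roles into those Dasera knows and those it does not."""
    asserted = roles_in_assertion(xml_text)
    matched = [r for r in asserted if r in platform_roles]
    unknown = [r for r in asserted if r not in platform_roles]
    # No matching role at all means the user cannot log in.
    return {"matched": matched, "unknown": unknown, "login_blocked": not matched}


if __name__ == "__main__":
    print(check_roles(SAMPLE_PREVIEW))
```

Only parse previews copied from your own Okta admin console with this; the standard-library XML parser is not hardened for untrusted input.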
Application Profile Attributes
For this setup, platform role and access are defined via the Dasera application in Okta, and every SSO user with access to the Okta Dasera application can access the Dasera platform with their assigned role. Note that the initial configuration steps will mirror the method described above.
Configure SAML Settings
First, configure your SAML Settings to include a custom attribute statement.
- Navigate to Applications and click on your Dasera app.
- Click on the General tab.
- Scroll down to SAML Settings and click the Edit button.

- Click the Next button until you reach the Configure SAML step. Scroll down to Attribute Statements (optional) and click the Add Another button.
- In the fields that appear, enter the following information as shown:

- Click Next until all steps are complete in this flow and settings are saved.
- You can preview the SAML Assertion to verify the Attribute Statement. It should appear as follows:
<saml2:AttributeStatement>
  <saml2:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">George
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Washington
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="Dasera_Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Super_Admin,RoleName1,RoleName2,RoleName3
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
Adding Custom Attributes to Application Profile
Then, add the custom attribute field to your Dasera Application Profile:
- Within Okta, navigate to Directory → Profile Editor.
- Click on the Dasera Application, then the Add Attribute button.
- Add a custom attribute with the following selections and fields.

- Click Save.
- The new custom attribute appears on the Application Profile Editor.

Adding Roles Within Dasera Application
Once you've added the Dasera Roles custom attribute to the application Profile Editor as described above, you can verify and add different roles to each application user.
- Navigate to Applications → Applications from the left nav.
- Click the application name.
- Navigate to the Assignments tab.
- Edit a person assigned to the application using the pencil icon to the right of their name.
- You'll see assigned Dasera roles and are able to add additional roles here, as needed.

- Next time this user logs into Dasera via SSO, they are automatically provisioned and assigned these roles.
Group Membership
For this setup, platform role and access are defined via group assignment in Okta, and SSO users assigned to specific groups can access the Dasera platform with their assigned role. Note that the initial configuration steps will mirror the method described above.
Configure SAML Settings
First, configure your SAML Settings to include a custom attribute statement.
- Navigate to Applications and click on your Dasera app.
- Click on the General tab.
- Scroll down to SAML Settings and click the Edit button.

- Click the Next button until you reach the Configure SAML step. Scroll down to Group Attribute Statements (optional).
- In the Name field, input Dasera_Roles.
- Use the Filter dropdown to select Matches regex.
- Include the Platform Role names you want to include in the following format: (Super_Admin|RoleName1|RoleName2|RoleName3).

- Because Okta groups can be used for various purposes at once and are not exclusively used for Dasera, this statement defines which Okta groups are used to match Dasera platform roles.
- As you create new Dasera platform roles in the future, you'll need to come back to these Okta settings and update this statement.
- You can preview the SAML Assertion to verify the Attribute Statement. It should appear as follows:
<saml2:AttributeStatement>
  <saml2:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">George
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Washington
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="Dasera_Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Super_Admin,RoleName1,RoleName2,RoleName3
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
- Click Next → Finish.
Groups Setup
Once you've configured the above SAML Settings, you'll need to create Okta Groups whose names exactly match the corresponding Dasera Role Names (e.g., Super_Admin, Role1, Role2, Role3 as shown above; the built-in platform roles are Super_Admin, Data_Set_Admin, and Data_Team).
You can then assign users to those groups as needed. Users can be assigned to multiple groups at once, and those assigned will have permission to access Dasera for all roles associated with their groups.
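The following is an added example, not part of the original article or Dasera's own code: it builds the Matches regex value from a list of platform roles in the (A|B|C) format given above and audits Okta group names for near misses (wrong case, stray whitespace) and for roles that have no group. The group list is constructed, RoleName1 stands in for a custom role, and the code assumes the filter must match the whole group name, which you should confirm in the assertion preview.

```python
import re

# Assumption: roles that exist in Dasera (built-in names from this page plus
# one hypothetical custom role, RoleName1).
PLATFORM_ROLES = ["Super_Admin", "Data_Set_Admin", "Data_Team", "RoleName1"]

# Constructed sample of Okta group names; only some are meant for Dasera.
OKTA_GROUPS = ["Super_Admin", "data_team", "RoleName1 ", "Super_Admin_EU",
               "Everyone", "VPN-Users"]


def build_filter(roles):
    """Build the 'Matches regex' value in the page's (A|B|C) format."""
    # re.escape keeps a role name containing regex metacharacters literal.
    return "(" + "|".join(re.escape(r) for r in roles) + ")"


def audit_groups(groups, roles):
    """Classify groups: sent as roles, near misses, and roles with no group."""
    pattern = re.compile(build_filter(roles))
    # Assumption: the filter has to match the whole group name.
    sent = [g for g in groups if pattern.fullmatch(g)]
    by_lower = {r.lower(): r for r in roles}
    # Near miss: equals a role name only after trimming and lower-casing,
    # so the group exists but is not an exact match.
    near_miss = {g: by_lower[g.strip().lower()] for g in groups
                 if g not in sent and g.strip().lower() in by_lower}
    roles_without_group = [r for r in roles if r not in sent]
    return {"filter": pattern.pattern, "sent": sent,
            "near_miss": near_miss, "roles_without_group": roles_without_group}


if __name__ == "__main__":
    for key, value in audit_groups(OKTA_GROUPS, PLATFORM_ROLES).items():
        print(f"{key}: {value}")
```

Re-run the audit whenever a platform role is added in Dasera, since the regex in Okta has to be updated at the same time.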
Next Steps
Once a user has been given a Dasera role in your IDP via one of the above methods, they are granted access to the platform via SSO when logging in for the first time. If their role is changed in Okta, it will change the next time they log in. If their role is not granted from their IDP, they'll be unable to log into Dasera and will see an error message to contact their administrator.