Map SSO Groups from Okta to Nucleus Role-Project Combinations

Attention

Please read the Okta SSO Setup help page before attempting to set up role-project mappings to your SSO objects.

This article is intended to help you configure Nucleus so that you can manage permissions to its projects and roles from your Okta Admin console. This approach works best when your projects rarely change but the users who need access to those projects change often.

Introduction

In Nucleus, SSO mapping accomplishes a very specific task. For example, say you have 10 projects, and each project has a group in Okta which needs access to that project and at a specific role level.

The mapping tells Nucleus which Okta groups correspond to each project-role combination in Nucleus.

Before starting the SSO mapping process, you'll need to read the Nucleus support guide on Creating Roles in Nucleus to understand how the roles work in the Nucleus console. You should also have your Okta SSO set up and working properly before attempting this mapping.

Once you have your roles set up in Nucleus, the goal is to map a project-role combination (e.g., General User - Project1) to a particular group within Okta (referred to as the SSO object).

So if I have a group in Okta named 'Administrators', and I want that group to have access to the project "Administrator Project" at the role level "Project Admin", then I would apply the Group Name from Okta for the group "Administrators" to the "Project Admin - Administrator Project" combination.

Assigning an Okta Group to a Role-Project Combination

Note

For this, you will need admin access to the Okta Admin console AND to be an Org admin in Nucleus.

You can map the group from Okta to a Nucleus Project-Role Combination the following way:

  1. Log into your Nucleus console

  2. Navigate to Global Administration > Roles

Here you will see a list of all the roles which you have defined in your organization in Nucleus.

  3. In a second browser window, open your Okta admin console

  4. In the Okta admin console, navigate to the SSO application you created to log into Nucleus, then click on Assignments > Groups.

Here you will see a list of all the groups which you have given access to log into Nucleus.

  5. Copy the group name that you want to map to a project and role in Nucleus.
  6. Back in Nucleus, find the role level you wish to assign to that group, and select the SSO Setup button.

This is the screen where you pick which projects the group will have access to at this role level.

  7. On the right-hand side of the window, if it is not already expanded, click on the Add Projects Panel to expand it.

This panel lists all of the available projects in your organization.

  8. Use the green + button next to each relevant project name to add it to the role.

Note

This process is telling Nucleus which projects you would like this role to have access to. This is the project-role combination. The next step will tell Nucleus which groups should have access to that specific role-project combination.

  9. For each project you add to the role, paste the group name which you copied in Step 5 from the Okta Groups screen. Once you are done, click on the Save button.

You have now set up your first SSO to Role-Project mapping! The group which you selected should now have access to all the projects at the role level which you selected, just by logging in through SSO! Now if you change users in the group in Okta, those permissions will carry forward into Nucleus.

Reminder

Please make sure you have assigned the correct groups to the Okta user accounts. Also, if required, please make sure the group attributes section was completed during the Okta Nucleus application setup. Please refer to step 9 in the Okta SSO Setup help page.

For example, 5 users are part of the "Administrators" group in Okta. After the mapping, those 5 users will get access to the project-role via SSO. If you remove one of the users from your Okta group, then that user will be unable to log into Nucleus (unless you give them permissions through a different group). This allows you to manage all user permissions through Okta, and once the SSO mappings are set up, user management can be handled exclusively through your Okta console.
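
One way to audit the mappings described above before relying on them, as an added example that is not Nucleus or Okta code: it compares the group names pasted into SSO Setup with the groups assigned to the app in Okta and computes each user's resulting role-project access. All names are constructed, and exact-match comparison of group names is an assumption, not documented Nucleus behavior.

```python
# Added example. All group, role, project and user names are constructed.
# Assumption: a pasted group name must equal the Okta group name exactly.

# Groups listed under Assignments > Groups for the Nucleus app in Okta.
OKTA_APP_GROUPS = {"Administrators", "Project1-Users"}

# (role, project, group name pasted in SSO Setup) as entered in Nucleus.
NUCLEUS_MAPPINGS = [
    ("Project Admin", "Administrator Project", "Administrators"),
    ("General User", "Project1", "Project1-Users"),
    ("General User", "Project2", "project1-users "),  # bad paste: case and trailing space
]

# Okta group membership per user.
USER_GROUPS = {
    "alice": {"Administrators", "Project1-Users"},
    "bob": {"Project1-Users"},
    "carol": set(),  # removed from every mapped group
}


def unmatched_mappings(mappings, app_groups):
    """Return (mapping, likely intended group) for names that match no assigned group."""
    normalized = {g.strip().casefold(): g for g in app_groups}
    findings = []
    for mapping in mappings:
        pasted = mapping[2]
        if pasted not in app_groups:
            findings.append((mapping, normalized.get(pasted.strip().casefold())))
    return findings


def effective_access(user, user_groups, mappings):
    """Role-project combinations a user receives through group membership."""
    groups = user_groups.get(user, set())
    return {(role, project) for role, project, group in mappings if group in groups}


def users_without_access(user_groups, mappings):
    """Users whose groups grant no role-project combination at all."""
    return sorted(u for u in user_groups if not effective_access(u, user_groups, mappings))


if __name__ == "__main__":
    for mapping, hint in unmatched_mappings(NUCLEUS_MAPPINGS, OKTA_APP_GROUPS):
        print("no assigned Okta group named", repr(mapping[2]), "- did you mean", repr(hint))
    for user in sorted(USER_GROUPS):
        print(user, sorted(effective_access(user, USER_GROUPS, NUCLEUS_MAPPINGS)))
    print("no access:", users_without_access(USER_GROUPS, NUCLEUS_MAPPINGS))
```

Reviewing the per-user output against the intended access for the highest-privilege roles first makes an over-broad group mapping visible before users log in.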

Once your SSO is fully set up, start importing scans, analyzing your vulnerability data, and automating your vulnerability management workflows!