Single Sign-On (SSO)
Integrating SSO for a Zero Trust Campus

The Nile Access Service is built on the principles of a "Zero Trust Campus," ensuring that no user or device is implicitly trusted. As part of this security model, the Nile Access Service supports the integration of Single Sign-On (SSO) to streamline user authentication and authorization across multiple applications and resources. By implementing SSO, organizations can leverage their existing identity providers (IdPs) to centrally manage user credentials and enforce consistent access policies. This approach aligns with the Zero Trust principle of verifying the user identity or device before granting access, reducing the risk of unauthorized access and enhancing overall security.

[Diagram: Nile SSO login process]

Why use SSO with the Nile Access Service?

The Nile Access Service's support for SSO integration offers several key benefits:

- Improved user experience: SSO allows users to access multiple applications and resources with a single set of credentials, reducing password fatigue and improving productivity.
- Centralized user management: By integrating with existing IdPs, the Nile Access Service enables organizations to manage user identities and access privileges from a central location, simplifying user provisioning and deprovisioning.
- Consistent policy enforcement: SSO integration ensures that access policies defined within the IdP are consistently applied across the Nile Access Service, giving a unified security posture.
- Enhanced security: The Nile Access Service's SSO integration, combined with its Zero Trust principles, helps mitigate the risks of password-based authentication by verifying user identity and device posture before granting access.

Integrating identity providers with the Nile Access Service

The Nile Access Service supports integration with various identity providers (IdPs) using the SAML protocol. This allows users to authenticate to the Nile platform using their existing corporate credentials, providing a seamless single sign-on experience. The general steps to integrate an IdP with the Nile Access Service are as follows:

1. Configure the IdP application
   - Log in to the administration portal of your IdP (e.g., Azure AD, Google Workspace, Okta, OneLogin).
   - Create a new SAML application or custom integration for the Nile Access Service.
   - Provide the necessary configuration details, such as the Assertion Consumer Service (ACS) URL and Entity ID.
   - Download the IdP's SAML signing certificate.
2. Configure the Nile identity provider
   - Log in to the Nile Customer Portal as an administrator.
   - Navigate to the "Settings" > "Global Settings" > "Identity" page.
   - Click "Add a new provider" and fill out the form with the details from the IdP configuration: IdP Issuer URI, IdP SSO URL, and Destination URL.
   - Upload the IdP's SAML signing certificate.
   - Configure any necessary group mapping rules to assign users to segments based on IdP group membership.
3. Test the SSO integration
   - Verify that users can successfully log in to the Nile Access Service using their IdP credentials.
   - Ensure that the user is being placed in the correct segment based on your configured policies.

Refer to the provider-specific integration guides for detailed steps on configuring Azure AD, Google Workspace, Okta, and OneLogin as identity providers for the Nile Access Service.

Integrating IdP groups with the Nile Access Service

When configuring the Single Sign-On (SSO) integration between the Nile Access Service and the customer's identity provider (IdP), such as Azure AD, the IdP group membership plays a crucial role in determining the user's access privileges. The groups are defined in the IdP; for example, in Azure AD the administrator may have configured groups like "admin", "monitor", and "guest". When a user authenticates through the IdP, the Nile Access Service receives information about the user's group membership. Nile leverages the IdP group information in the following ways:

- Nile Cloud Services portal access: If the customer wants to allow users to access the Nile Cloud Services portal, the IdP must send the "admin" or "monitor" group information. Users belonging to the "guest" group will not be able to log in to the Nile Cloud Services portal, but they can still perform SSO for network access.
- Network access privileges: The Nile Access Service can use the IdP group information to assign users to the appropriate network segments and apply the corresponding access policies. For example, users in the "admin" group may be granted access to sensitive network resources, while "guest" users are isolated in a restricted segment.

By integrating the IdP group information, the Nile Access Service can provide a seamless and secure single sign-on experience while enforcing granular access controls based on the user's role and privileges within the organization. This integration between the IdP groups and the Nile Access Service is a crucial aspect of implementing a robust Zero Trust security model, ensuring that only authorized users and devices can access the appropriate network resources.

SSO options

Once your IdP is successfully configured, you are able to utilize a number of SSO-powered authentication methods.

Open SSO (wireless only)

This configuration allows the creation of an open Wi-Fi network with SSO login. A typical use case would be a network that allows employees to access the internet on their personal devices. To use Open SSO, follow these steps:

1. Create an open wireless network: In the Nile Customer Portal, navigate to "Settings" > "Wireless". Select the Open SSID type and enable the SSO option.
2. Connect devices to the open SSID: Users can select the newly created open wireless network and enter their SSO login information.

BYOD SSO (wireless)

Best practices: Encourage limiting the number of SSIDs in the air; each beacon is like a bicycle on a freeway, taking up bandwidth and slowing things down. For use cases where enterprises want to provide internet-only access to employees' personal devices, they can leverage this feature on an existing guest SSID. This eliminates the need for a dedicated SSID. When a user connects to the guest SSID, a login button is displayed at the top right-hand corner of the page, as seen in the screenshot below.

Guest user workflow: A guest user will fill in the form and, once approved, will get access to the network for the duration of time defined in the SSID settings.

Employee user workflow: An employee user will click on the login button in the top right-hand corner. On clicking, they will be navigated to the IdP for authentication. Once authenticated, their personal device will have access to the network for a longer duration than guest users. These devices will be on the same segment as the guest users, and all guest policies defined will be applicable.

To use this option, follow these steps:

1. Create a guest portal: In the Nile Customer Portal, navigate to "Settings" > "Authentication". Add a guest portal and enable the SSO option.
2. Create a captive portal wireless network: In the Nile Customer Portal, navigate to "Settings" > "Wireless" and select the Captive Portal SSID.
3. Connect devices to the captive portal SSID: Users can select the newly created captive portal wireless network and enter their SSO login information.

PSK SSO

We created this option for customers who want to use a pre-shared key but do not have RADIUS. Similar to Open SSO, this method prevents any unauthorized access to the network, even if a PSK is compromised. To use PSK SSO, follow these steps:

1. Create a PSK SSO segment: Click the + icon to add a new segment and give the segment a name like "Employee PSK SSO". Then enter the "Service Area" tab, select the service area where this network will be available, select the DHCP server from the dropdown list, and select the appropriate subnet to be used by the segment. Click "Save" to complete.
2. Create a PSK wireless network: In the Nile Customer Portal, navigate to "Settings" > "Wireless". Select the Personal (pre-shared key) SSID type and enable the SSO option. Select the PSK SSO segment you created and click "Save" to complete.
3. Connect devices to the PSK SSID: Users can select the newly created PSK wireless network, enter the PSK, and then enter their SSO login information.

Unique Passphrase (UPSK) + SSO

Unique Passphrase (UPSK) is a feature of the Nile Access Service that enhances the security of traditional pre-shared key (PSK) wireless networks. Unlike a typical PSK network, where a single key is shared among all devices, UPSK assigns a unique key to every authenticated user. To use UPSK, follow these steps:

1. Create a UPSK-enabled SSID: In the Nile Customer Portal, navigate to "Settings" > "Wireless". Select the "Personal" SSID type and enable the "Enable SSO" option. Enter a pre-shared key and select the appropriate network segment.
2. Register devices: Provide users with a unique registration link, which can be obtained from the Nile Customer Portal or the my.nilesecure.com website. Users will be redirected to an SSO login page to authenticate. After successful login, users can generate a unique passphrase for their device.
3. Connect devices to the UPSK SSID: Users can connect their devices to the UPSK-enabled SSID using the generated passphrase. Alternatively, users can scan a QR code from the self-registration page to automatically connect their device.

[Screenshot required: Nile UPSK user login]

The UPSK feature ensures that each user and device has a unique set of credentials, enhancing the overall security of the wireless network and aligning with the Nile Access Service's Zero Trust principles. For more information on configuring identity provider integration or the Unique Passphrase feature, refer to the provider-specific guides and the Nile Access Service documentation.

Wired SSO

The Nile Access Service extends its SSO capabilities to wired network access, providing a seamless and secure authentication experience for employees connecting to the corporate network.

Wired SSO overview

By default, all ports on a Nile switch are blocked. When a device connects to a wired port for the first time and is not capable of 802.1X authentication, the Nile Access Service looks up the MAC auth table to check whether the device is authorized. If the device is not authorized and is identified as a common endpoint (e.g., Apple, Windows, Linux, or Chromebook), it will be assigned to an "onboarding" segment. The device will then be redirected to the customer's identity provider (IdP) portal for SSO authentication. Once the user successfully authenticates using the IdP, the device will be moved from the onboarding segment to the employee segment configured by the administrator, granting the user access to the corporate network resources.

Configuring wired SSO

To enable wired SSO, administrators must complete the following steps:

1. Set up SAML authentication with the IdP: Ensure that the customer's identity provider is configured for SAML-based authentication.
2. Create an onboarding segment: In the Nile Customer Portal, create a new network segment designated as the "onboarding" segment. This segment should be mapped to a restricted subnet, allowing access only to the IdP portal.
3. Identify the employee segment: Determine the appropriate network segment to be assigned to authenticated employees.
4. Enable wired SSO: In the "Settings" > "Access Management" > "Wired SSO" section of the Nile Customer Portal, enable the Wired SSO feature and select the onboarding and employee segments.

When the Wired SSO feature is enabled, the Nile Access Service will automatically create an "All" rule that applies the onboarding and employee segment assignments based on the SSO authentication status.

Wired SSO user experience

- Onboarding: Devices that are not authorized in the MAC auth table or cannot perform 802.1X authentication will be assigned to the onboarding segment. These devices will be redirected to the customer's IdP portal for SSO authentication.
- Authentication: The user will be prompted to authenticate using the corporate IdP credentials. Upon successful authentication, the device will be moved from the onboarding segment to the employee segment.
- Subsequent connections: Once a device has been authenticated via SSO, it will be added to the MAC auth table. Subsequent connections to the wired network will not require SSO re-authentication, as the device's MAC address will be recognized.

The Wired SSO feature simplifies the onboarding process for employees connecting to the corporate network, while also enhancing the overall security posture by ensuring all wired devices are authenticated and assigned to the appropriate network segments.
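The IdP group handling described under "Integrating IdP groups with the Nile Access Service" above, written out as an added illustrative example (not Nile's code): it reads the group attribute from a constructed SAML assertion and applies the documented portal and segment rules. The attribute name "groups", the segment names and the first-match precedence are assumptions, and the code assumes the assertion signature has already been verified against the IdP certificate uploaded in the Nile portal.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "groups"                  # assumed attribute name; IdPs differ
PORTAL_GROUPS = {"admin", "monitor"}   # groups allowed into the Nile Cloud Services portal

# Ordered, first match wins: a user in both "admin" and "guest" lands in the
# admin segment. Segment names are assumptions, not Nile defaults.
SEGMENT_RULES = [
    ("admin", "employee-sensitive"),
    ("monitor", "employee"),
    ("guest", "guest-restricted"),
]

# Constructed sample assertion, trimmed to the parts we read. Only parse
# attributes AFTER the Response/Assertion signature has been verified against
# the IdP signing certificate uploaded in the Nile portal.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>monitor</saml:AttributeValue>
      <saml:AttributeValue>guest</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_groups(assertion_xml: str, attr_name: str = GROUP_ATTR) -> set:
    """Return the set of (lower-cased) group names carried in the named attribute."""
    root = ET.fromstring(assertion_xml)
    groups = set()
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip().lower())
    return groups


def authorize(groups: set) -> dict:
    """Apply the documented group rules: portal access and network segment."""
    segment = next((seg for grp, seg in SEGMENT_RULES if grp in groups), None)
    return {
        "portal_access": bool(groups & PORTAL_GROUPS),  # admin/monitor only
        "segment": segment,           # None: no rule matched (assumed: not placed)
        "network_sso": segment is not None,  # guests still get network SSO
    }
```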
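The wired SSO port decision described above, modelled as added example code (not Nile's implementation): a non-802.1X device's first connection is checked against the MAC auth table and its endpoint type, sent to the onboarding segment for IdP redirect, and remembered once SSO succeeds. The segment names, the event fields and the "blocked" outcome for unrecognized endpoint types are assumptions.

```python
from dataclasses import dataclass, field

# Endpoint types the documentation names as "common endpoints" eligible for onboarding
COMMON_ENDPOINTS = {"apple", "windows", "linux", "chromebook"}


def norm_mac(mac: str) -> str:
    """Canonicalize a MAC so 'AA:BB:..' and 'aa-bb-..' hit the same table entry."""
    return mac.replace("-", ":").lower()


@dataclass
class WiredSso:
    onboarding_segment: str
    employee_segment: str
    # MACs already authorized; populated by successful SSO, as the page describes
    mac_auth_table: set = field(default_factory=set)

    def on_connect(self, mac: str, dot1x_capable: bool, endpoint_type: str):
        """Segment for a device plugging into a (default-blocked) switch port."""
        if dot1x_capable:
            return None  # 802.1X path; the SSO flow only covers non-802.1X devices
        if norm_mac(mac) in self.mac_auth_table:
            return self.employee_segment  # recognized: no SSO re-authentication
        if endpoint_type.lower() in COMMON_ENDPOINTS:
            return self.onboarding_segment  # restricted subnet, redirected to the IdP
        return "blocked"  # assumption: unknown endpoint stays on the default-blocked port

    def on_sso_success(self, mac: str) -> str:
        """IdP authenticated the user: move device to the employee segment, remember MAC."""
        self.mac_auth_table.add(norm_mac(mac))
        return self.employee_segment
```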