Adding support for Okta primary authentication with public application in NX protocol
The NoMachine Server is able to perform primary Okta password authentication, as described in the example from the Okta developer's guide:
https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-public-application
The following keys in the server configuration file (server.cfg) enable and configure support for Okta authentication:
EnableNXOktaAuthentication 1
and:
OktaDomain "example-1234567.okta.com"
Optionally, the administrator can also enable the creation of a local account for the Okta user:
CreateLocalOktaAccount 1
When this last key is enabled, NoMachine will create a standard local user account if it doesn't exist already, with the same name and password as those used during Okta authentication.
A local account is required; otherwise the Okta authentication will fail.
Note that support for Okta primary authentication doesn't include two-factor authentication.
Server configuration keys in detail:
#
# Enable or disable support for OKTA primary password authentication
# for connections by NX protocol.
#
# 1: Enabled. OKTA password authentication is supported.
#
# 0: Disabled. OKTA authentication is not supported.
#
EnableNXOktaAuthentication 1
#
# When EnableNXOktaAuthentication is enabled, specify if a successful
# Okta authentication is required or not. If not, authentication
# relies on system password authentication regardless of result of
# Okta authentication, this is the default.
#
# 1: Enabled. Successful OKTA authentication is required.
#
# 0: Disabled. Successful OKTA authentication is not required.
#
NXOktaAuthenticationRequired 0
#
# When EnableNXOktaAuthentication is enabled, specify the Okta domain
# (e.g. example-1234567.okta.com)
#
OktaDomain ""
#
# When EnableNXOktaAuthentication is enabled on Linux, specify the
# path to the directory containing CA certificates for Okta server
# verification. If not set, NoMachine will try to use the standard
# path "/etc/ssl/certs". If it doesn't exist, it will try to use
# "/etc/pki/tls/certs".
#
#OktaCAPath ""
#
# When EnableNXOktaAuthentication is enabled on Linux, specify the
# file containing one or more CA certificates to be used for Okta
# server verification. If not set, NoMachine will try to use the
# standard file "/etc/pki/tls/cert.pem".
#
#OktaCAInfo ""
#
# When EnableNXOktaAuthentication is enabled, enable or disable the
# automatic creation of a local system account based on credentials
# used during Okta authentication. Users need to have a local account
# or the Okta authentication will fail.
#
# 1: Enabled. NoMachine will create automatically a new local account
# if it doesn't exist already, with the same name and password as
# the one used during Okta authentication.
#
# 0: Disabled. NoMachine will not create a local account for the
# OKTA user. A local account must already exist for the connecting
# user.
#
CreateLocalOktaAccount 0
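
The following is an added example, not NoMachine code: a small audit of the Okta keys described above, flagging combinations an administrator should review before relying on Okta as the login gate. The key names and their meanings come from this page; the sample configuration is constructed, and treating a missing key as "0" or empty is an assumption of this example.

```python
# Added example: audit the Okta-related keys of a NoMachine server.cfg.
# Key names are from the page; treating an absent key as "0"/"" is an assumption.

def parse_server_cfg(text):
    """Return {key: value} for uncommented 'Key value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out key such as #OktaCAPath
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[parts[0]] = value.strip('"')
    return settings

def audit_okta(settings):
    """Return a list of (severity, key, message) tuples."""
    if settings.get("EnableNXOktaAuthentication", "0") != "1":
        return []  # Okta support is off, nothing to review
    findings = []
    if settings.get("NXOktaAuthenticationRequired", "0") != "1":
        findings.append(("warn", "NXOktaAuthenticationRequired",
            "Okta success is not required: login relies on system password "
            "authentication regardless of the Okta result"))
    if not settings.get("OktaDomain", ""):
        findings.append(("warn", "OktaDomain",
            "Okta is enabled but no Okta domain is set"))
    if settings.get("CreateLocalOktaAccount", "0") == "1":
        findings.append(("warn", "CreateLocalOktaAccount",
            "local accounts are auto-created with the same name and "
            "password used for Okta; review local password exposure"))
    if not settings.get("OktaCAPath") and not settings.get("OktaCAInfo"):
        findings.append(("info", "OktaCAPath/OktaCAInfo",
            "no CA location set: standard system paths are used on Linux"))
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_CFG = '''
EnableNXOktaAuthentication 1
NXOktaAuthenticationRequired 0
OktaDomain ""
#OktaCAPath ""
CreateLocalOktaAccount 1
'''

if __name__ == "__main__":
    for severity, key, message in audit_okta(parse_server_cfg(SAMPLE_CFG)):
        print(f"[{severity}] {key}: {message}")
```

Because the page states that Okta primary authentication here does not include two-factor authentication, a clean result from this check still means password-only login.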
