Single Sign-On (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems.
The File IQ Dashboard Single Sign-On (SSO) Configuration feature enables administrators to integrate the Nasuni File IQ Dashboard with either the Microsoft Entra ID or the Okta identity provider (IdP), so that users log in with their corporate credentials. Use this guide to assist in setting up the following identity providers:
Microsoft Entra ID
Okta
Important: The File IQ Dashboard Single Sign-On Configuration is a Nasuni File IQ Premium feature. A Nasuni File IQ Premium license is required to access this feature.
Important: Once the Nasuni File IQ Single Sign-On functionality is configured, the default “viewer” account used for the Nasuni File IQ Dashboard is no longer active. Instead, dashboard users must use their own credentials to log in, and access is controlled by group membership.
Nasuni File IQ SSO Configuration for Microsoft Entra ID
This section describes the procedure for configuring Single Sign-On for Nasuni File IQ Dashboards using Microsoft Entra ID. This procedure requires the following configuration steps in both the Microsoft Entra ID and the Nasuni File IQ user interfaces:
Setting up an Enterprise Application in the Microsoft Azure portal
Configuring a new application role for Nasuni File IQ Dashboard in the Azure Portal
Configuring the required Graph API permissions in the Azure Portal
Finalizing the Nasuni File IQ SSO configuration in the File IQ User Interface and validating the setup
Microsoft Entra ID Configuration
Note: Azure can have some latency. Before proceeding to the next step, use the Microsoft progress indicator to confirm that the operation is complete.
Prerequisites
The following prerequisites must be set up within Azure before beginning the configuration:
Microsoft Entra ID. Nasuni's role- and scope-based security relies upon group membership to assign users to applications. For more information about Microsoft Entra ID licensing, see Microsoft Entra ID Pricing.
An Azure tenant must be set up. A Microsoft Entra ID tenant is a service that users can create in Microsoft’s cloud to control and manage their cloud-based services, such as configuring OAuth/SAML and managing AD. For more information, see Quickstart: Set up a tenant.
The user performing the configuration in Microsoft Entra ID must have access to the Azure portal and have sufficient privileges to:
Create a new App Registration
Create a (new) Role
Configure Permissions
Create a Client Secret
The Nasuni File IQ Appliance Fully Qualified Domain Name is required to configure SSO with Microsoft Entra ID. This Domain Name is referenced as FILE_IQ_FQDN in this document, and could be, for example, file_iq.my_company.com.
Important: After configuring SSO between Microsoft Entra ID and Nasuni File IQ, every user must use the same FILE_IQ_FQDN when they access the File IQ Dashboard. For example, https://file_iq.my_company.com:3000
If an IP address is used instead of an FQDN during the SSO configuration process, users will be forced to use the same IP Address when they access the File IQ Dashboard. For example, https://12.24.36.48:3000.
Administrator access to the Nasuni File IQ User interface. To locate the Nasuni File IQ User interface, navigate to https://FILE_IQ_FQDN:8443.
For more information on the process, see Plan a single sign-on deployment.
Checklist for Microsoft Entra ID
Complete the following checklist as part of the Application creation process. This checklist is required to complete the SSO Configuration in the Nasuni File IQ User Interface.
| Name | Required | Description | Value |
| --- | --- | --- | --- |
| Application (client) ID | Mandatory | The Microsoft Entra ID Application ID. This is obtained when creating a new App in the Azure portal. | |
| Directory (tenant) ID | Mandatory | The Microsoft Entra ID Directory (tenant) ID. This is obtained when creating a new App in the Azure portal. | |
| Client secret value | Mandatory | The Microsoft client secret. This is obtained when creating a new App in the Azure portal. | |
| Allowed Groups | Optional | Optional list of Azure Group identifiers that have access to the Nasuni File IQ Dashboard. | |
Setting up an Enterprise Application in the Microsoft Azure Portal
To set up the Enterprise Application, follow these steps:
Navigate to the Azure portal: https://portal.azure.com/#home.
Under Azure Services, click Microsoft Entra ID
If prompted, select to open the new Microsoft Entra admin center.
Expand the Applications tab on the left-hand panel and click App registrations.
Click Add / App Registration. The Register an application page displays.
Create a new Azure Application.
In the Name field, enter a user-facing name for your application, such as “Nasuni File IQ Dashboard.”
Set the Supported account types to Accounts in this organizational directory only.
Note: Depending on your organization, you can also select Accounts in any organizational directory (Any Microsoft Entra ID directory—Multitenant).
A redirect URI is required. To configure it, follow these steps:
Navigate to the Redirect URI section.
Click the Select a platform drop-down and select Web.
In the corresponding field, enter a web address. Azure uses this to redirect users to the application after they authenticate. The URI is in the form of https://FILE_IQ_FQDN:3000/login/azuread. For example, https://file_iq.my_company.com:3000/login/azuread.
Click Register. The App Registration Overview page displays.
A second redirect URI is required. Follow these steps to add the additional URI:
Next to Redirect URI, click 1 web.
Click Add URI.
Enter: https://FILE_IQ_FQDN:3000/. For example, https://file_iq.my_company.com:3000/.
Click Save.
From the navigation bar, click Overview.
Save the Application (client) ID.
Save the Directory (tenant) ID.
Create the secret for this application by following these steps:
Navigate to the left navigation bar and click Manage —> Certificates & secrets.
Click the Client secrets tab.
Click New client secret.
Enter a Description and configure the Expiration.
Note: Make sure to enter a meaningful description. This will help you later on when you need to renew the secret.
Note: Secrets have a configurable lifetime. The Azure default is 6 months, and the maximum allowed is 24 months. When the client secret expires, users cannot authenticate to the Nasuni File IQ Dashboard.
Note: Nasuni recommends selecting the longest available expiration in order to minimize login disruption.
Note: To ensure that File IQ always has a valid client secret, administrators should track its expiration using the same practice they use for tracking other secret expirations.
Click Add to create and display the secret.
Copy and save the client secret value for this application.
Important: Azure only allows access to the secret value upon creation.
The application is created. Proceed to the next section.
Changing App Icon
The application icon shown in My Apps can be changed by following these steps:
Navigate to App Registrations, and click the Owned applications tab.
Search for your newly created application, and click it.
Navigate to the left navigation bar and click Manage —> Branding & properties.
Click the folder icon and select the file you want to upload.
Click Save. The new icon is now saved.
Configuring which users have access to the Nasuni File IQ Dashboard
This section describes setting up a Nasuni File IQ Dashboard application role within the Azure Portal. For more information, see Add app roles to your application and receive them in the token.
To configure a new application role, follow these steps:
Navigate to App Registrations, and click the Owned applications tab.
Search for your newly created application, and click it.
From the left-hand side navigation bar, click App roles, followed by Create App Role. The wizard page displays.
Enter a Display name. For example, “Nasuni File IQ Viewer”.
Set the Allowed member types to Users/Groups.
In the Value field, enter “Viewer”.
Enter a Description for this role. For example, “Used by Nasuni File IQ SSO Configuration”.
Ensure that the Do you want to enable this app role? option is selected.
Click Apply. The role is created, and the wizard page closes.
Proceed to Configure the required Graph API permissions in the Azure Portal.
Configure the Required Graph API Permissions in the Azure Portal
To configure the graph API permissions, follow these steps:
Navigate to App Registrations and select the previously created application.
From the left-hand navigation, select API Permissions.
Click Add a permission.
From the list of APIs, select Microsoft Graph.
Click Delegated permissions.
In the Select permissions field, enter “group”.
Expand the GroupMember section (you may need to scroll in order to see it) and select GroupMember.Read.All.
The GroupMember.Read.All permission is now listed among the selected permissions.
Click Add permissions.
Granting admin consent
You may see a Not granted for Nasuni error after adding the permission. If this is not the case, you can jump to Configure Group Membership Claims on the Azure Portal.
If you see this error, ask your Azure administrator to follow these steps in order to grant consent:
Navigate to App Registrations and select the previously created application.
From the left-hand navigation, select API Permissions.
Click the Grant admin consent button.
Click Yes when asked to grant admin consent.
All permissions are now shown as granted.
Configure Group Membership Claims on the Azure Portal
To ensure that the groups claim is included in the token, add the groups claim to the token configuration either through the Azure Portal UI or by editing the manifest file.
To configure group membership claims from the Azure Portal UI, complete the following steps:
Navigate to App Registrations and select the previously created application.
Click Manage in the side menu and select Token configuration.
Click Add groups claim and select the relevant option for your use case.
For more information, see Configure groups optional claims.
Note: If the user is a member of more than 200 groups, Entra ID does not emit the groups claim in the token and instead emits a group overage claim. To set up a group overage claim, see Users with over 200 Group assignments.
Proceed to Nasuni File IQ SSO Configuration in the File IQ User Interface.
Nasuni File IQ SSO Configuration in the File IQ User Interface
This section outlines the steps required at the Nasuni File IQ User Interface to complete the Nasuni File IQ SSO setup. At this point, the following must be completed:
Azure Tenant is configured
Azure Application registration is configured
To configure the Nasuni File IQ SSO configuration in the File IQ interface, follow these steps:
Start the Nasuni File IQ Edge User Interface using https://FILE_IQ_FQDN:8443, and log in as an Administrator.
Using the toolbar, click Configuration —> Single Sign-On. The Nasuni File IQ Single Sign-On Configuration wizard page displays.
Navigate to the Identity Provider field, and select Microsoft Entra ID.
Using the previously created checklist, configure the following values.
- Application (client) ID
- Client secret value
- Directory (tenant) ID
- (Optional) To restrict Nasuni File IQ Dashboard access to a specific list of User Groups, enter their GUIDs in the Allowed Groups field.
Note: Separate each group by a comma.
Click Test Configuration.
If validation succeeds, a message indicating that the “OAuth configuration is valid” displays.
If validation fails, follow the error message and update the configuration accordingly.
Click Save to finish the SSO configuration.
Validate that the SSO Configuration is functional by logging into the Nasuni File IQ Dashboards: https://FILE_IQ_FQDN:3000.
On the Login page, click Sign-in with Microsoft.
Log in with the Microsoft Entra ID to be redirected to the Nasuni File IQ dashboard homepage.
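As an added example that is not Nasuni's code, the following Python models the Allowed Groups check described above (the comma-separated Allowed Groups field and the note on the group overage claim) against decoded ID tokens: it parses the field, flags entries that are not Entra group object IDs, and classifies a token as allowed, denied, or an overage case that needs the Graph lookup. The same gate applies to an Okta groups claim, where the list holds group names instead of GUIDs. The sample tokens, group IDs and the blank-field behaviour are constructed assumptions.

```python
import base64
import json
import uuid

# Constructed sample Allowed Groups value (two made-up group object IDs, comma separated).
ALLOWED_GROUPS_FIELD = "5b1c3a2e-8d4f-4a6b-9c1d-0e2f3a4b5c6d, 7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c0d"

def parse_allowed_groups(field: str) -> list[str]:
    """Split the comma-separated Allowed Groups field; blank entries are dropped."""
    return [g.strip() for g in field.split(",") if g.strip()]

def invalid_entra_group_ids(groups: list[str]) -> list[str]:
    """Entra ID takes group object IDs (GUIDs); return the entries that are not GUIDs."""
    bad = []
    for g in groups:
        try:
            uuid.UUID(g)
        except ValueError:
            bad.append(g)
    return bad

def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the claims segment of a JWT for inspection during setup.
    No signature check is done here: a login flow must verify the token against
    the IdP's signing keys before any claim is trusted."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def evaluate_groups_claim(payload: dict, allowed: list[str]) -> tuple[str, list[str]]:
    """Model the Allowed Groups gate: (decision, matched_groups), decision being
    "allow", "deny" or "overage". An empty allowed list models a blank field,
    i.e. no group restriction (assumption about the product's behaviour)."""
    if not allowed:
        return "allow", []
    groups = payload.get("groups")
    if groups is None:
        # Entra ID omits "groups" for users in more than 200 groups and instead emits
        # _claim_names/_claim_sources (or hasgroups=true in the implicit flow).
        if "groups" in payload.get("_claim_names", {}) or payload.get("hasgroups"):
            return "overage", []
        return "deny", []
    matched = [g for g in groups if g in allowed]
    return ("allow" if matched else "deny"), matched

def make_unsigned_token(payload: dict) -> str:
    """Build an alg=none token for offline testing only; never accept such tokens in production."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample tokens: a member of an allowed group, a non-member, and an
# overage case where the groups claim is replaced by a Graph lookup pointer.
TOKEN_MEMBER = make_unsigned_token({"sub": "user-a", "groups": [
    "7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c0d", "11111111-1111-4111-8111-111111111111"]})
TOKEN_OUTSIDER = make_unsigned_token({"sub": "user-b", "groups": ["11111111-1111-4111-8111-111111111111"]})
TOKEN_OVERAGE = make_unsigned_token({"sub": "user-c", "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/user-c/getMemberObjects"}}})

if __name__ == "__main__":
    allowed = parse_allowed_groups(ALLOWED_GROUPS_FIELD)
    print("malformed group IDs:", invalid_entra_group_ids(allowed))
    for label, tok in [("member", TOKEN_MEMBER), ("outsider", TOKEN_OUTSIDER), ("overage", TOKEN_OVERAGE)]:
        print(label, evaluate_groups_claim(decode_jwt_payload(tok), allowed))
```

An "overage" result means the token carries no group list at all, so a group-restricted configuration cannot admit that user until the overage handling described in the linked Microsoft article is in place.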
Adding another Nasuni File IQ Appliance to the Microsoft Enterprise Application
The Microsoft Enterprise Application that is used for Nasuni File IQ Single Sign-On can be used for multiple Nasuni File IQ Appliances.
To add an additional Nasuni File IQ Appliance to an existing Microsoft Enterprise Application, follow these steps:
Open the Azure Portal.
Navigate to App registrations, search, and select the previously created application.
In the Essentials section, click the Redirect URIs N-web (for example, “2 web”).
In the Redirect URIs section, click Add URI.
Configure the redirect URI. The URI is in the form of https://FILE_IQ_FQDN:3000/login/azuread.
A second redirect URI is required. Click Add URI and enter https://FILE_IQ_FQDN:3000/
Click Save, and both URIs are saved for the additional Nasuni File IQ Appliance.
Updating the Microsoft Entra ID Client Secret
Nasuni File IQ SSO login depends upon a valid client secret that has not expired. Azure’s default secret validity is 6 months, and the maximum allowed is 24 months. To ensure that File IQ always has a valid client secret, administrators should track its expiration using the same practice they use for tracking other secret expirations.
Updating the Client Secret in Microsoft Portal and Nasuni File IQ User Interface
Before the client secret for the Nasuni File IQ’s Azure App registration expires, create a new client secret in Azure and note the new secret value.
Note: Creating a new client secret does not invalidate existing secrets.
To update the client secret in the Nasuni File IQ User Interface, follow these steps:
Navigate to the Nasuni File IQ UI Single Sign-On page.
Enter the new Client Secret.
Click Test Configuration.
Click Save to complete the update. New logins to the Nasuni File IQ Dashboard use the new client secret to authenticate.
Operational boundaries
The following restrictions apply to Nasuni File IQ Single Sign-On for Microsoft Entra ID:
Configuring a list of Microsoft Tenants restricting access to the Nasuni File IQ Dashboard is not supported.
Configuring a list of domains with access restrictions to the Nasuni File IQ Dashboard is not supported.
Nasuni File IQ SSO Configuration for Okta
This section describes the procedure for configuring Single Sign-On for Nasuni File IQ Dashboards using Okta. The procedures require configuration steps in the Okta Admin Console and Nasuni File IQ User Interface.
The configuration includes the following:
Creating and configuring an Okta App Integration in the Okta Admin Console.
Configuring the OpenID Connect ID Token in the Okta Admin Console.
Finalizing the Nasuni File IQ SSO configuration in the File IQ Edge User Interface and validating the setup.
Prerequisites
To complete this configuration, you need the following:
Access to the Okta Admin Console and have sufficient privileges to:
Create and modify an Okta App Integration.
Configure the OpenID Connect ID Token of an Okta App Integration.
Have the Nasuni File IQ Appliance Fully Qualified Domain Name, which is referenced as FILE_IQ_FQDN in this document, and could be, for example, file_iq.my_company.com.
Important: After configuring SSO between Okta and Nasuni File IQ, every user must use the same FILE_IQ_FQDN when they access the File IQ Dashboard. For example, https://file_iq.my_company.com:3000
Administrator access to the Nasuni File IQ Edge User interface: https://FILE_IQ_FQDN:8443
Checklist for Okta
Complete the following checklist as part of the Application creation process. This checklist is required to complete the SSO Configuration in the Nasuni File IQ User Interface.
| Name | Required | Description | Value |
| --- | --- | --- | --- |
| Client ID | Mandatory | The Okta Client Identifier obtained during the configuration. | |
| Client Secret | Mandatory | The Okta Client Secret obtained during the configuration. | |
| Okta Tenant ID | Mandatory | The Okta tenant ID is part of the URL when you are in the Okta Admin Console. The tenant ID is the first part of the URL shown in your browser when signed in to your Okta account. | |
| Allowed Groups | Optional | Optional list of Groups that have access to the Nasuni File IQ Dashboard. In the Okta Admin Console, navigate to Directory > Groups and copy the Group name (separate each value using a comma). | |
Create and Configure an Okta App Integration in the Okta Admin Console
To create and configure a new Okta App Integration, follow these steps:
Log in to the Okta Admin Console.
Using the navigation bar, click Applications —> Applications.
Click Create App Integration.
For the Sign-in method, select OIDC - OpenID Connect.
For the Application Type, select Web Application.
Click Next.
Enter an App integration name and check the Authorization Code and Refresh Token boxes.
In the Sign-in redirect URIs field, enter https://FILE_IQ_FQDN:3000/login/okta. For example, https://file_iq.my_company.com:3000/login/okta.
In the Sign-out redirect URIs field, enter https://FILE_IQ_FQDN:3000/logout. For example, https://file_iq.my_company.com:3000/logout.
In the Trusted Origins section, leave the Base URIs field blank.
In the Controlled access section, select whether to assign the app integration to everyone in your org, only selected groups, or skip until after app creation.
Note: If choosing Allow everyone in your organization access, also click Enable immediate access with Federation Broker Mode.
Click Save.
Click the General tab.
Save the Client ID and the Client Secret values somewhere safe as you will need them later on.
Click Edit.
Check the Require PKCE as additional verification box.
Click Save.
You can now proceed to the next section.
Configure the OpenID Connect ID Token
To configure the OpenID Connect ID token, follow these steps:
Log in to the Okta Admin Console.
Using the navigation bar, click Applications —> Applications.
Click the previously created App Integration.
Click the Sign On tab.
Scroll down to the Claims section, and click Edit.
Set the Group claim type to Filter.
In the Group claim filter, leave the default name groups.
Next to the Starts with field, enter “*”.
Click Save, and proceed to the next section.
Nasuni File IQ SSO Configuration in the File IQ User Interface
After setting up the Okta App Integration in Okta, complete the Nasuni File IQ User Interface configuration.
To configure the SSO on the File IQ User Interface, follow these steps:
Start the Nasuni File IQ User interface using https://FILE_IQ_FQDN:8443, and log in as an Administrator.
From the toolbar, navigate to Configuration —> Single Sign-on. The Nasuni File IQ Single Sign-On Configuration wizard page is displayed.
Click the Identity Provider drop-down and select Okta.
Using the Okta checklist table as a reference, enter the following values:
- File IQ Dashboards URL, with the exact same hostname you used to set up the redirect URLs, for example https://file_iq.my_company.com:3000
- Client ID
- Client Secret
- The full Okta Tenant ID domain, including the okta.com suffix
- (Optional) Allowed Groups
Note: Separate each Okta group with a comma.
Click Test Configuration. If configured properly, the message “OAuth configuration is valid” is displayed.
Click Save.
Validate that the SSO Configuration is functional by logging into the Nasuni File IQ Dashboards: https://FILE_IQ_FQDN:3000.
Select Sign-in with Okta on the Login page.
Log in with Okta. The Nasuni File IQ Dashboard displays.
Adding another Nasuni File IQ Appliance to the Okta App Integration
The Okta App Integration used for Nasuni File IQ Sign On can be used for multiple Nasuni File IQ Appliances.
To add an additional Nasuni File IQ Appliance to an existing Okta App Integration, follow these steps:
Log in to the Okta Admin Console.
Using the navigation bar, click Applications —> Applications.
Locate and select the Single Sign-On Application used by Nasuni File IQ.
Click the General tab, scroll down to General Settings, and click Edit.
In the Sign-in redirect URIs field, enter https://FILE_IQ_FQDN:3000/login/okta. For example, https://file_iq_2.my_company.com:3000/login/okta.
In the Sign-out redirect URIs field, enter https://FILE_IQ_FQDN:3000/logout. For example, https://file_iq_2.my_company.com:3000/logout.
Click Save.
Updating the Okta ID Client Secret
This procedure requires updating the client secret in the Okta Admin Console and the Nasuni File IQ User Interface.
To update the Okta ID Client Secret, follow these steps:
Log in to the Okta Admin Console and select Applications —> Applications.
Locate and select the Single Sign-On Application used by Nasuni File IQ.
In the Client Secrets section, click Generate new secret.
Copy the value of the secret.
Keep this window open, as you will need to return to it later on to delete the old secret.
In another window, log in to the Nasuni File IQ User Interface as an Administrator.
Navigate to the Nasuni File IQ SSO Configuration page.
Input the new Client Secret and click Test Configuration.
Click Save.
Validate that the SSO Configuration is functional by logging into the Nasuni File IQ Dashboards: https://FILE_IQ_FQDN:3000.
Select Sign-in with Okta on the Login page.
Log in with Okta. The Nasuni File IQ Dashboard displays.
Once you have verified that you can authenticate with the new secret, you can go back to the Okta Admin Console, select the old secret, change its Status to Inactive and then delete the secret from the list.
Operational boundaries
The following restrictions apply to Nasuni File IQ Single Sign-On for Okta:
The ability to configure a list of domains with access to Nasuni File IQ Dashboard is not supported.
Disabling Nasuni File IQ Single Sign-On
Disabling Nasuni File IQ Single Sign-On will:
Delete the SSO configuration
Delete all the SSO accounts and corresponding preferences and settings, such as theme and home page
Remove the Sign in with … button from the Grafana login page
Prevent users from logging in with their corporate accounts
Re-enable the default Viewer account
To disable Nasuni File IQ Single Sign-On, follow these steps:
Log in to the Nasuni File IQ User Interface https://FILE_IQ_FQDN:8443 as an Administrator.
Navigate to the Configuration tab and select Single Sign-On.
Using the Identity Provider drop-down, select No Single Sign-On configured.
Click Disable.
Enter the Confirmation Phrase.
Click Confirm.
Once Nasuni File IQ SSO is disabled, the default Viewer user account for Nasuni File IQ Dashboard is restored, and the SSO configuration is deleted.
SSO Configuration Cleanup
Note: Unless you are only temporarily disabling the SSO configuration, Nasuni recommends removing the File IQ-related setup from your identity provider.
For Microsoft Entra ID, this means deleting the App Registration.
For Okta, this involves removing the App Integration.