Enable single sign-on and single logout using Okta with webMethods.io Developer Portal

Okta As Identity Provider

The Okta Identity Cloud provides secure identity management with Single Sign-On, Multi-factor Authentication, Lifecycle Management (Provisioning), and more.

In this tutorial, you will learn how to integrate the webMethods Developer Portal with OKTA. This integration provides you with the following benefits:

  • You can control in Okta who has access to webMethods Developer Portal.

  • You can enable your users to be automatically signed in to webMethods Developer Portal (Single Sign-On) with their Okta accounts.

  • You can manage your user accounts in one central location, the Okta portal.

Prerequisites

To configure Okta integration with webMethods Developer Portal, you need an Okta subscription. If you don’t have an Okta environment, you can get a trial account at https://developer.okta.com/signup/.

  • webMethods Developer Portal supports SP-initiated and IdP-initiated SSO.

  • webMethods Developer Portal supports just-in-time user provisioning based on the SAML responses.

  • A keystore and a truststore to configure on the Developer Portal side, and the public certificate exported from that keystore to upload in Okta while creating the application.

Create keystore and truststore for single logout

• In this tutorial the certificates are generated with keytool (shipped with the JDK). If you already have a keystore and truststore, this step can be skipped. The keystore holds the private key used on the Developer Portal side for single logout, so protect it like any other server key.
• Commands to generate the certificates. {server-alias}, {trust-alias} and {days} are placeholders. -genkey prompts for the certificate's distinguished name unless you pass -dname, and without -validity the self-signed certificate expires after keytool's default of 90 days, which will break logout signing once it passes.

 keytool -genkey -alias {server-alias} -keyalg RSA -keysize 2048 -validity {days} -keypass changeit -storepass changeit -keystore keystore.jks
 keytool -export -alias {server-alias} -storepass changeit -file server.cer -keystore keystore.jks
 keytool -import -v -trustcacerts -noprompt -alias {trust-alias} -file server.cer -keystore cacerts.jks -storepass changeit

Commands as run for this tutorial, and the assets they produced

 keytool -genkey -alias webmkeyserver -keyalg RSA -keypass OktaPassword1234 -storepass OktaPassword1234 -keystore keystore.jks

 keytool -export -alias webmkeyserver -storepass OktaPassword1234 -file server.cer -keystore keystore.jks

 keytool -import -v -trustcacerts -alias webmtrustserver -file server.cer -keystore cacerts.jks -keypass OktaPassword1234 -storepass OktaPassword1234

  • keystore: keystore.jks

  • public certificate: server.cer

  • truststore: cacerts.jks

The keystore, truststore and certificate are attached in the zip file below for reference. Note that the keystore contains a private key whose password is printed above, so use the attachment only for a throwaway test and generate your own keystore, with your own password, for any real environment.
GeneratedCertificates.zip (5.0 KB)

Create a new SAML app in OKTA

  • Log in to your Okta org and go to the admin user interface

  • Switch from the Developer Console to the Classic UI.

  • Navigate to Applications > Applications

  • Click Add Application

  • Click Create New App, choose Web as the platform and SAML 2.0 as the sign-on method

  • Provide a name for your app

  • Click Next and, under General, provide the following information

  • Single sign on URL: https://<tenant url>/portal/rest/v1/saml/initsso

  • Audience URI (SP Entity ID): any identifier, for example DevUser@DevPortal. Okta places this value in the audience restriction of every assertion it issues, so the Service provider ID configured in Developer Portal must be exactly the same string.

  • Click Show Advanced Settings

  • Under Signature Certificate, upload the public certificate generated earlier (server.cer in this tutorial). Okta uses it to validate the signed logout requests coming from Developer Portal, and Single Logout cannot be enabled without it.

  • Select the signature algorithm as your policy requires; this tutorial uses RSA-SHA256.

  • Whatever signature algorithm is configured here on the Okta application must also be configured on Developer Portal, because both sides have to agree on it.

  • Enable Single Logout and provide the Single Logout URL as

     https://<tenant url>/portal/rest/v1/saml/initslo

    for example, with the tenant URL https://wmiotrialtenant.devportal-aw-us.webmethods.io/ this is https://wmiotrialtenant.devportal-aw-us.webmethods.io/portal/rest/v1/saml/initslo

  • Under Attribute Statements, add the user attributes FirstName, LastName and Email ID, mapped to the Okta profile fields user.firstName, user.lastName and user.email.
  • The same attribute names must be entered on the Developer Portal side during its configuration; they are compared as exact strings.

Create users in Okta

  • Navigate to Directory > People

  • Click Add Person

  • Provide the basic information about the new user and click save

Assign users to an application

With the application created and a user provisioned for validation, the user now needs to be assigned to the application.
To assign applications from the People page:

  • Go to Directory > People.

  • Click an end user’s name.

  • Select the Applications tab.

  • Click Assign Applications.

  • You can select applications from the list of available applications or use the Search box to search for
    applications by name. Once you have located the application you want to assign, click Assign App.

Configuration on Developer Portal

Next, get the Identity Provider metadata from Okta and use its values in Developer Portal's SAML configuration under the Administration tab. The metadata XML is linked from the Sign On tab of the application you just created (Identity Provider metadata).

The key information to take from the metadata XML is:

  • entityID
  • SingleSignonService
  • SingleLogoutService
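
As an added example (not code from the original post or from webMethods), the following Python script pulls those three values, plus the fingerprint of the IdP signing certificate, out of the metadata XML and lays them out as the Developer Portal fields. It assumes the Redirect binding chosen in this tutorial and runs on a constructed metadata document whose entityID, host, app path and certificate bytes are placeholders; run it against the real file downloaded from Okta to get your own values.

```python
# Added example, not part of the original tutorial or of the webMethods product:
# map Okta's IdP metadata XML onto the Developer Portal "General" SAML fields.
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the DER bytes of the IdP signing certificate.
FAKE_CERT_DER = b"constructed-not-a-real-certificate"

# Constructed sample in the shape of Okta IdP metadata; entityID, host and
# app path are placeholders, not a real Okta org.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkEXAMPLEIDPID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>@@CERT@@</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/devportal/exkEXAMPLEIDPID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/devportal/exkEXAMPLEIDPID/sso/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/devportal/exkEXAMPLEIDPID/slo/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".strip().replace("@@CERT@@", base64.b64encode(FAKE_CERT_DER).decode())


def sha256_hex(der: bytes) -> str:
    """Fingerprint to record for the IdP signing certificate (useful when Okta rotates it)."""
    return hashlib.sha256(der).hexdigest()


def _location(desc, tag, binding):
    """Location of the first <md:tag> endpoint that offers `binding`, else None."""
    for endpoint in desc.findall(f"md:{tag}", NS):
        if endpoint.get("Binding") == binding:
            return endpoint.get("Location")
    return None


def extract_config(metadata_xml: str, binding: str = REDIRECT) -> dict:
    """Return the Developer Portal field values; `binding` is the one selected
    in the portal (Redirect in this tutorial), and an IdP endpoint that does
    not offer it is unusable, so that is reported as an error."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    sso = _location(idp, "SingleSignOnService", binding)
    if sso is None:
        raise ValueError(f"IdP offers no SingleSignOnService for binding {binding}")
    # SingleLogoutService is optional in metadata; None means SLO cannot work.
    slo = _location(idp, "SingleLogoutService", binding)
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_hex(der))
    if not fingerprints:
        raise ValueError("no signing certificate: SAML responses could not be verified")
    return {
        "Use SAML": True,
        "Binding": binding,
        "Identity provider ID": root.get("entityID"),
        "Single sign-on URL": sso,
        "Single logout URL": slo,
        "IdP signing cert SHA-256": fingerprints,
    }


if __name__ == "__main__":
    # Usage: python extract_idp_metadata.py okta-metadata.xml (defaults to the sample)
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for field, value in extract_config(xml_text).items():
        print(f"{field:28} {value}")
```

If the script reports no SingleLogoutService, Single Logout was not enabled on the Okta application, and the Single logout URL field in Developer Portal has nothing valid to hold.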

Configure SAML

  • Open the administration tab and open SAML Configuration

• Under the General tab, fill in the fields from the metadata XML downloaded from the Okta application:

  Use SAML              TRUE
  Binding               Redirect
  Identity provider ID  entityID attribute of the EntityDescriptor in the metadata XML
  Service provider ID   the Audience URI (SP Entity ID) entered in the Okta application, for example DevUser@DevPortal
  Single sign-on URL    Location of the SingleSignOnService entry with the HTTP-Redirect binding in the metadata XML
  Single logout URL     Location of the SingleLogoutService entry in the metadata XML

• Set the signature algorithm to the one configured on the Okta application (RSA-SHA256 in this tutorial). The Okta application in this example is named “DevPortal”.

• Configure the keystore: the file (keystore.jks), the key alias (webmkeyserver) and the password that was used when generating it.

• Configure the truststore: the file (cacerts.jks), the certificate alias (webmtrustserver) and the password that was used when generating it.

  • Add the user attributes with exactly the names used in the Okta attribute statements.

  • Configure the advanced settings as required for your environment.

  • Save the details.
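
To see how these settings line up against what Okta actually sends, here is an added example (not the portal's implementation and not code from the original post) that reads a SAML response and returns the user record just-in-time provisioning would be handed, or raises on the first mismatch: the Issuer must equal the Identity provider ID, the audience must equal the Service provider ID, and the attribute statements must carry the configured names. The response, the IdP entityID and the attribute names FirstName, LastName and Email are constructed assumptions. Signature and timestamp checks are left out on purpose, so use it to troubleshoot a configuration, never as a validator.

```python
# Added example, not part of the original tutorial or of the webMethods product:
# consistency check of an (unsigned, constructed) Okta SAML response against the
# Developer Portal SAML settings. No signature verification: troubleshooting only.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values as configured in the tutorial; the IdP entityID is a placeholder.
IDP_ENTITY_ID = "http://www.okta.com/exkEXAMPLEIDPID"   # Identity provider ID
SP_ENTITY_ID = "DevUser@DevPortal"                      # Service provider ID / Audience URI
ATTRIBUTES = ("FirstName", "LastName", "Email")         # assumed attribute statement names

# Constructed response in the shape Okta posts to the portal's SSO endpoint.
SAMPLE_RESPONSE = f"""
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-resp-1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    Destination="https://wmiotrialtenant.devportal-aw-us.webmethods.io/portal/rest/v1/saml/initsso">
  <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="id-assert-1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
    <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">demouser@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2021-01-01T00:00:00Z" NotOnOrAfter="2021-01-01T00:05:00Z">
      <saml2:AudienceRestriction><saml2:Audience>{SP_ENTITY_ID}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Demo</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="LastName"><saml2:AttributeValue>User</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="Email"><saml2:AttributeValue>demouser@example.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
""".strip()


def jit_user(response_xml: str, idp_entity_id: str = IDP_ENTITY_ID,
             sp_entity_id: str = SP_ENTITY_ID, attributes=ATTRIBUTES) -> dict:
    """Return the user record JIT provisioning would receive, or raise
    ValueError naming the first mismatch with the configured values."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion (encrypted assertions are out of scope here)")
    issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        raise ValueError(f"Issuer {issuer!r} != Identity provider ID {idp_entity_id!r}")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        raise ValueError(f"Audience {audiences} does not contain Service provider ID {sp_entity_id!r}")
    name_id = (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    values = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        values[attr.get("Name")] = vals[0] if vals else ""
    missing = [name for name in attributes if not values.get(name)]
    if missing:
        raise ValueError(f"attribute statements missing or empty: {missing} "
                         "(names must match those configured in Developer Portal exactly)")
    return {"NameID": name_id, **{name: values[name] for name in attributes}}


if __name__ == "__main__":
    print(jit_user(SAMPLE_RESPONSE))
```

The two most common reasons a first login fails after this setup are visible here as the Audience and attribute-name errors: an Audience URI typed differently in Okta and in the Service provider ID field, or an attribute name such as Email spelt differently on the two sides.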

Testing

  • Start a sign-in to Developer Portal; the browser is redirected to the Okta login page.

  • Provide the user name and password of the Okta user created during the Okta configuration (DemoUser in this tutorial) and click Sign In.

  • Once Okta has validated the credentials, the browser is redirected back to the Developer Portal home page; with just-in-time provisioning, the portal account is created from the SAML attributes on the first login.

  • To check single logout, log out of Developer Portal and confirm that the Okta session was ended as well: opening the portal again should prompt for Okta credentials rather than signing in silently.
