Enable Single Sign On using OKTA with webMethods API Portal

Okta

The Okta Identity Cloud provides secure identity management with Single Sign-On, Multi-factor Authentication, Lifecycle Management (Provisioning), and more.


In this tutorial, you will learn how to integrate the webMethods API Portal with OKTA. This integration provides you with the following benefits:

  • You can control in Okta who has access to webMethods API Portal.
  • You can enable your users to be automatically signed-in to webMethods API Portal (Single Sign-On) with their Okta accounts.
  • You can manage your user accounts in one central location - the Okta portal.

Prerequisites

To configure Okta integration with webMethods API Portal, you need an Okta subscription. If you don't have an Okta environment, you can get a trial account at https://developer.okta.com/signup/.

  • webMethods API Portal supports both SP-initiated and IdP-initiated SSO.
  • webMethods API Portal supports just-in-time user provisioning based on the SAML responses it receives.

Create a new SAML app in Okta

  1. Log in to your Okta org and switch to the admin user interface.
  2. Switch from the Developer Console to the Classic UI.
  3. Navigate to Applications > Applications.
  4. Click Add Application.
  5. Create a new Web app and choose SAML 2.0 as the sign-on method.
  6. Provide a name for your app.
  7. Click Next and provide the following information.
  8. Enter the SAML settings:
     Single Sign-On URL: https://api.fazio.com/umc/rest/saml/initsso
     Audience Restriction: umc@api.fazio.com
     Default Relay State: ZGVmYXVsdCxodHRwOi8vYXBpLmZhemlvLmNvbS8jZGVmYXVsdC9ob21l

     A RelayState carrying the tenant ID as well as the user's entry URL must be passed. It is specified in the format base64(tenant,url); for example, ZGVmYXVsdCxodHRwOi8vYXBpLmZhemlvLmNvbS8jZGVmYXVsdC9ob21l is base64(default,http://api.fazio.com/#default/home).

  9. Click Finish to create the application.
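The RelayState format described above, as an added example (not code from the tutorial, Software AG or Okta): it builds the base64(tenant,url) value from the tutorial's tenant "default" and entry URL, decodes it again, and checks that the decoded entry URL points at a host the portal owns. Because the RelayState comes back to the service provider with the SAML response, the portal should only follow entry URLs on its own hosts; the allowed-host list is an assumption of this example.

```python
"""Build and validate the RelayState value in the form base64(tenant,url).

Added example, not part of the original tutorial. The tenant "default" and
the entry URL http://api.fazio.com/#default/home come from the tutorial;
ALLOWED_HOSTS is an assumption of this example.
"""
import base64
from urllib.parse import urlsplit

# Hosts the decoded entry URL may point at (assumed for this example).
ALLOWED_HOSTS = {"api.fazio.com"}


def build_relay_state(tenant: str, entry_url: str) -> str:
    """Encode the tenant and entry URL as base64("tenant,url")."""
    if "," in tenant:
        raise ValueError("tenant must not contain a comma")
    raw = f"{tenant},{entry_url}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_relay_state(relay_state: str) -> tuple:
    """Decode a RelayState and check the entry URL points at an allowed host."""
    try:
        raw = base64.b64decode(relay_state, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("RelayState is not valid base64 text") from exc
    # Split on the first comma only: the URL itself may contain commas.
    tenant, sep, entry_url = raw.partition(",")
    if not sep or not tenant or not entry_url:
        raise ValueError("RelayState must have the form 'tenant,url'")
    parts = urlsplit(entry_url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"entry URL host not allowed: {entry_url}")
    return tenant, entry_url


if __name__ == "__main__":
    rs = build_relay_state("default", "http://api.fazio.com/#default/home")
    print(rs)  # the value entered as Default Relay State in the Okta app
    print(parse_relay_state(rs))
```

Running the block prints the same RelayState string the tutorial uses, which confirms the encoding convention; feeding it a URL on another host raises rather than returning a redirect target.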

Create users in Okta

  1. Navigate to Directory > People.
  2. Click Add Person.
  3. Provide the basic information about the new user and click Save.

Assign users to an application

We have now created the application for the integration and provisioned a user for validation; next, we need to assign the user to the application.

To assign applications from the People page:

  1. Go to Directory > People.
  2. Click an end user's name.
  3. Select the Applications tab.
  4. Click Assign Applications.
  5. You can select applications from the list of available applications or use the Search box to search for applications by name. Once you have located the application you want to assign, click Assign App.


Configurations on API Portal User management console

Now we need to get the identity provider metadata from Okta to configure the corresponding values in the API Portal UMC console. The identity provider metadata is available in the newly created application's Sign On tab.

The key values to take from the metadata XML are:

  1. entityID
  2. SingleSignOnService

Configure SAML

  1. Open the Configuration tab and then open SAML Configuration.
  2. Set the following values:
     Use SAML: TRUE
     Identity provider ID: the entityID from the metadata XML
     Service provider ID: the same value as the Audience URI provided when defining the application in Okta
     Single sign-on URL: the SingleSignOnService location from the metadata XML

Map user attributes from SAML Assertion

Open the user attributes section within the SAML configuration in API Portal to map the user's various attributes from the incoming SAML assertion.

Enable dynamic creation of users based on the SAML assertion

We need to enable dynamic provisioning of users within UMC so that users are created automatically from the SAML assertion that the portal receives.

Define the default role for users created from SAML assertion

You can configure the default roles to be assigned to a single sign-on user using the configuration shown below.
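The three steps above (attribute mapping, just-in-time creation, default role) are what the portal does with an assertion once it trusts it. As an added example, not the tutorial's or Software AG's code, the block below performs that sequence on a constructed assertion: it checks the audience and validity window, maps SAML attributes onto user fields through a mapping table, and applies the default role. The attribute names firstName, lastName and email, the role name "API Consumer" and the assertion contents are assumptions of this example; only the audience umc@api.fazio.com comes from the tutorial. Verifying the XML signature happens before any of this in the real service provider and is outside this example.

```python
"""Map SAML assertion attributes onto a portal user and apply default roles.

Added example, not code from the tutorial. SAMPLE_ASSERTION, ATTRIBUTE_MAP
and DEFAULT_ROLES are constructed; the audience umc@api.fazio.com is the
value from the tutorial. Signature verification is assumed to have
already happened.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion (placeholder IDs and values).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2020-01-01T12:00:00Z">
  <saml2:Issuer>http://www.okta.com/EXAMPLE_APP_ID</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2020-01-01T11:55:00Z" NotOnOrAfter="2020-01-01T12:05:00Z">
    <saml2:AudienceRestriction><saml2:Audience>umc@api.fazio.com</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Portal field -> SAML attribute name (the mapping made in UMC's user attributes section; assumed names).
ATTRIBUTE_MAP = {"first_name": "firstName", "last_name": "lastName", "email": "email"}
DEFAULT_ROLES = ["API Consumer"]  # default role for SSO-created users (assumed name)
EXPECTED_AUDIENCE = "umc@api.fazio.com"  # the Service provider ID / Audience Restriction

# Clock values for the demo: inside and after the assertion's validity window.
SAMPLE_NOW = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2020, 1, 1, 12, 30, 0, tzinfo=timezone.utc)


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(root, expected_audience: str, now: datetime) -> None:
    """Reject assertions meant for another SP or outside their validity window."""
    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    audiences = {a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)}
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        raise ValueError("assertion has expired")


def extract_attributes(root) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement."""
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return attrs


def provision_user(assertion_xml: str, expected_audience: str, now: datetime) -> dict:
    """Build the user record UMC would create just-in-time from the assertion."""
    root = ET.fromstring(assertion_xml)
    check_conditions(root, expected_audience, now)
    login = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    if not login:
        raise ValueError("assertion has no NameID")
    attrs = extract_attributes(root)
    user = {"login": login, "roles": list(DEFAULT_ROLES)}
    for field, saml_name in ATTRIBUTE_MAP.items():
        values = attrs.get(saml_name)
        if not values or not values[0]:
            raise ValueError(f"mapped attribute missing from assertion: {saml_name}")
        user[field] = values[0]
    return user


def demo() -> dict:
    return provision_user(SAMPLE_ASSERTION, EXPECTED_AUDIENCE, SAMPLE_NOW)


if __name__ == "__main__":
    print(demo())
```

If a mapped attribute is absent from the assertion the user is not created, which mirrors the effect of a mapping that names an attribute Okta was never configured to send; checking that the attribute statement in Okta's app settings matches the UMC mapping is the usual first step when just-in-time provisioning silently fails.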

Now we are done. If you log out of UMC and access the portal home page, you should be redirected to Okta to sign in. Once you sign in to Okta successfully, you will be redirected back to API Portal with a logged-in session.