Okta
The Okta Identity Cloud provides secure identity management with Single Sign-On, Multi-factor Authentication, Lifecycle Management (Provisioning), and more.
In this tutorial, you will learn how to integrate the webMethods API Portal with OKTA. This integration provides you with the following benefits:
- You can control in Okta who has access to webMethods API Portal.
- You can enable your users to be automatically signed-in to webMethods API Portal (Single Sign-On) with their Okta accounts.
- You can manage your user accounts in one central location - the Okta portal.
Prerequisites
To configure Okta integration with webMethods API Portal, you need an Okta subscription. If you don't have an Okta environment, you can get a trial account here https://developer.okta.com/signup/.
- webMethods API Portal supports SP and IDP initiated SSO
- webMethods API Portal supports just-in-time user provisioning based on the SAML responses.
Create a new SAML app in Okta
- Log in to your Okta org and move to the admin user interface
- Switch from developer console to classical UI.
- Navigate Applications > Applications
- Click add application
- Create new web app and SAML 2.0 as signon method
- Provide a name for your app
- Move to next and provide the following information
-
Single Sign-On URL https://api.fazio.com/umc/rest/saml/initsso Audience Restriction umc@api.fazio.com Default Relay State ZGVmYXVsdCxodHRwOi8vYXBpLmZhemlvLmNvbS8jZGVmYXVsdC9ob21l RelayState that contains the tenant ID, as well as the entry URL of the user, needs to be passed. RelayState should be specified in
format base64(tenant,url), e.g. ZGVmYXVsdCxodHRwOi8vYXBpLmZhemlvLmNvbS8jZGVmYXVsdC9ob21l
base64(default,http://api.fazio.com/#default/home) -
Click finish to create an application
Create users in Okta
- Navigate Directory > People
- Click add person
- Provide the basic information about the new user and click save
Assign users to an application
Now we have successfully created an application for integration and provisioned a user for validating, now we need to assign the user to the application.
To assign applications from the People page:
- Go to Directory > People.
- Click an end user's name.
- Select the Applications tab.
- Click Assign Applications.
- You can select applications from the list of available applications or use the Search box to search for applications by name. Once you have located the application you want to assign, click Assign App.
Configurations on API Portal User management console
Now we need to get the Identify provider metadata from Okta to configure the values with API Portal UMC console. Identity provider metadata would be available in the newly created application's Sign-on tab.
Key information to look for in the metadata xml would be
- entityID
- SingleSignonService
Configure SAML
- Open the configuration tab and open SAML Configuration
-
Use SAML TRUE Identity provider ID EntityID from metadata xml Service provider ID Same as Audience URI we provided when we define a application in OKTA Single sign-on URL SingleSignonService from metadata xml
Map user attributes from SAML Assertion
Choose user attributes section within SAML configuration in API Portal to map the users various attributes from incoming SAML Assertion
Enable dynamic creation of users based on SAML assertion.
We need to enable the dynamic provision of users within UMC to automatically create users based on SAML assertion that portal receives.
Define the default role for users created from SAML assertion
You can configure the default roles to be assigned to a single sign-on user using below configuration
Now we are done. If you logout from UMC and access the portal home page, you should be redirected to Okta for signing in. Once you sign in Okta successfully you will be redirected back to API Portal with a logged-in session.