Example with OKTA®
Increasingly companies rely on third-party providers for identity management and authentication. The benefits include better protection against data breaches as well as a seamless user experience when switching between applications. My webMethods Server (MWS) also provides support for integrating third-party identity providers.
Why Single Sign-On (SSO)?
SSO gives us the convenience to log in once and access multiple applications from various vendors and hosted on different environments. As the application landscape of enterprises becomes increasingly complex, this convenience becomes a must-have feature.
Using a third-party identity provider
A third-party Identity Provider (IDP) provides user identities and the login functionality to authenticate users. Once the login is verified, the user is then forwarded to the requested application also called a Service Provider (SP). The communication between identity and service provider is conducted through the Secure Assertion Markup Language (SAML) protocol.
IDP initiated vs. SP initiated login
You can sign into a single sign-on service by browsing to the:
- Application - This is called a Service Provider initiated (SP-initiated) login
- Identity provider – This is called an Identity Provider initiated (IDP-initiated) login
As of version 10.3 My webMethods Server only supports IDP initiated login (see point 4).
Setting up MWS
The setup of MWS for SSO using a third-party IDP can be accomplished in three steps.
- Ensure that the MWS is setup for HTTPS communication as the authentication uses SSL certificates
- Provide MWS with the address of the IDP by modifying the websso.properties file
- Import the IDP’s certificate to the MWS trustStore
The setting become active after restarting the MWS server. You can test the configuration by creating a demo IDP account with OKTA.
Creating an OKTA developer account
OKTA provides a free developer account, which can be set up for SSO to MWS. Create a SAML web application and provide the MWS connection details. Once the application is created, note the embed link URL.
Try it out
To test the IDP initiated login to MWS simply open a browser window and enter the embed URL link from your OKTA application.
After successful login, OKTA will redirect you to MWS start page as you will already be logged in.
These simple steps make it easy to include MWS in your SSO landscape. The procedure can also be used to implement other third-party IDPs such as Microsoft® ADFS. The technical implementation details can be found in the “Administering My webMethods Server” found on the Software AG documentation website.
Configure MWS for SAML SSO - 10-3_Administering_My_Webmethods_Server.pdf: Page 297 - Configuring Single Sign-On for Using a Third-Party Identity Provider
Setup sample application in OKTA.
Information about SAML.