webMethods Single Sign-On with a Third-Party Identity Provider

Example with OKTA®

Increasingly companies rely on third-party providers for identity management and authentication. The benefits include better protection against data breaches as well as a seamless user experience when switching between applications. My webMethods Server (MWS) also provides support for integrating third-party identity providers.

Why Single Sign-On (SSO)?

SSO gives us the convenience to log in once and access multiple applications from various vendors and hosted on different environments. As the application landscape of enterprises becomes increasingly complex, this convenience becomes a must-have feature.

Using a third-party identity provider

A third-party Identity Provider (IDP) provides user identities and the login functionality to authenticate users. Once the login is verified, the user is forwarded to the requested application, also called a Service Provider (SP). The communication between identity provider and service provider is conducted through the Security Assertion Markup Language (SAML) protocol.

IDP initiated vs. SP initiated login

You can sign into a single sign-on service by browsing to the:

  • Application – This is called a Service Provider initiated (SP-initiated) login
  • Identity provider – This is called an Identity Provider initiated (IDP-initiated) login

As of version 10.3 My webMethods Server only supports IDP initiated login (see point 4).

Setting up MWS

The setup of MWS for SSO using a third-party IDP can be accomplished in three steps.

  1. Ensure that MWS is set up for HTTPS communication, as the authentication uses SSL certificates
  2. Provide MWS with the address of the IDP by modifying the websso.properties file
  3. Import the IDP’s certificate to the MWS trustStore

The settings become active after restarting the MWS server. You can test the configuration by creating a demo IDP account with OKTA.
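Step 3 is where MWS learns which IDP signatures to trust, so it is worth checking that the certificate you import into the trustStore is the one the IDP actually publishes for signing. The script below is an added example, not part of the original post or of the MWS product: it pulls the signing certificate(s) out of a SAML 2.0 IDP metadata document and prints a SHA-256 fingerprint you can compare with the trustStore entry. The metadata and certificate bytes are constructed placeholders; point it at the metadata your IDP exports.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and the XML-DSig KeyInfo inside it.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes, colon-separated as `keytool -list -v` prints it."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def signing_certs(metadata_xml: str) -> list:
    """(entityID, fingerprint, DER) for every certificate the IDP publishes for
    signing; a KeyDescriptor with no 'use' may sign too, use="encryption" is skipped."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    found = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Exported metadata often line-wraps the base64; strip all whitespace.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            found.append((entity_id, fingerprint(der), der))
    return found

# Constructed sample metadata (not from a real IDP): certificate bodies are
# placeholder bytes, not real DER, and the signing one is line-wrapped on purpose.
SAMPLE_SIGNING_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_ENCRYPTION_DER = b"constructed placeholder for the encryption key"
_b64 = base64.b64encode(SAMPLE_SIGNING_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64[:24]}
      {_b64[24:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(SAMPLE_ENCRYPTION_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for entity, fp, _ in signing_certs(SAMPLE_METADATA):
        print(entity, fp)  # compare with the fingerprint keytool shows for the imported entry
```

If the fingerprint printed here does not match the entry in the MWS trustStore, the wrong certificate (for example the IDP's encryption key, or a stale one after an IDP key rotation) was imported, and IDP-initiated logins will fail signature validation.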

Creating an OKTA developer account

OKTA provides a free developer account, which can be set up for SSO to MWS. Create a SAML web application and provide the MWS connection details. Once the application is created, note the embed link URL.

Try it out

To test the IDP initiated login to MWS, simply open a browser window and enter the embed link URL from your OKTA application.

After successful login, OKTA will redirect you to the MWS start page, where you will already be logged in.

In summary

These simple steps make it easy to include MWS in your SSO landscape. The procedure can also be used to implement other third-party IDPs such as Microsoft® ADFS. The technical implementation details can be found in the “Administering My webMethods Server” guide on the Software AG documentation website.

Resources

Configure MWS for SAML SSO - 10-3_Administering_My_Webmethods_Server.pdf: Page 297 - Configuring Single Sign-On for Using a Third-Party Identity Provider

Setup sample application in OKTA.

Information about SAML.