This post will show you how to enable SSO authentication in WSO2 Enterprise Integrator using Okta. For this tutorial, we are going to use WSO2 EI 6.5.0. It also requires us to have an Okta account; we can create one for free on the Okta website.
In the developer’s console, we need to switch to the Classic UI and then we need to do the following:
- Go to Applications -> Add Application -> Create New App;
- In the Create New Application Window, choose “Platform: Web and SAML 2.0” for the sign on method, and then click the Create button.
- In the General Settings, we should add a name. For our example, it will be “WSO2 SAML.” Then, click next.
In the SAML Settings tab, we are going to add the configurations in order to make it work with EI:
- Single Sign-On URL: https://localhost:9443/acs (This is the URL the SAML Assertion will be sent to. You must specify your own server's endpoint; in our example, it is localhost);
- Audience URI (SP Entity ID): WSO2_EI
Before clicking Next, download the Okta certificate using the button on the right; we are going to need it later. When you download it, it will be saved as okta.cert. After that, we can click the Next button.
In the next tab, you can choose any of the options and click Finish. Now that we have the application created, we need to get the information to make the setup in EI. In the Sign On tab of the created app, click on View Setup Instructions. We will need the Identity Provider Single Sign-On URL:
Create a new user called admin. For that, we need to go to Directory -> People -> Add Person:
We need to assign that user to the application we just created (WSO2 SAML). If we click on the application, it will have an Assignments tab. We need to click on Assign -> Assign to People and then click on the Assign button next to the user.
When we click on the assign button, it will show a screen with the username. By default, it contains the email. We should edit it to leave only admin and then click “Save and Go Back.” Then click Done.
Configuring EI to Use OKTA as SSO
We need to import the certificate we downloaded in the previous steps into the WSO2 keystore (wso2carbon.jks). We can find the keystore at WSO2_EI_HOME/repository/resources/security:
After that, we need to configure the SSO Authentication in the file WSO2_EI_HOME/conf/security/authenticators.xml. We need to modify the SAML2SSOAuthenticator:
The important settings are these:
- disabled: We set that to true in order to enable that authenticator
- ServiceProviderID: That is the Audience URI (SP Entity ID) we set in Okta
- IdentityProviderSSOServiceURL: That is the IdP Single Sign-On URL we retrieved after creating the application
- IdPCertAlias: That is the alias of the certificate imported into the wso2carbon.jks
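As an added example (not part of the original post or of WSO2's own tooling), the following check parses the SAML2SSOAuthenticator block and flags the mismatches that most often break this setup: a ServiceProviderID that differs from the Audience URI configured in Okta, an IdPCertAlias that is not in wso2carbon.jks, and a disabled attribute that is not "false", which is the value WSO2 Carbon requires for an authenticator to run. The XML sample, the Okta URL path and the keystore alias "okta" are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the SAML2SSOAuthenticator block with this post's values;
# the Okta URL path and the alias "okta" are placeholders, not real identifiers.
SAMPLE_AUTHENTICATORS_XML = """<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Config>
      <Parameter name="ServiceProviderID">WSO2_EI</Parameter>
      <Parameter name="IdentityProviderSSOServiceURL">https://example.okta.com/app/PLACEHOLDER/sso/saml</Parameter>
      <Parameter name="IdPCertAlias">okta</Parameter>
    </Config>
  </Authenticator>
</Authenticators>"""
# Aliases in wso2carbon.jks after importing okta.cert as "okta" (constructed).
SAMPLE_KEYSTORE_ALIASES = {"wso2carbon", "okta"}

REQUIRED = ("ServiceProviderID", "IdentityProviderSSOServiceURL", "IdPCertAlias")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any xmlns prefix the real file carries

def check_saml_authenticator(xml_text, okta_audience, keystore_aliases):
    """Return a list of problems; an empty list means the config is consistent."""
    root = ET.fromstring(xml_text)
    auth = next((e for e in root.iter() if _local(e.tag) == "Authenticator"
                 and e.get("name") == "SAML2SSOAuthenticator"), None)
    if auth is None:
        return ["SAML2SSOAuthenticator block not found"]
    problems = []
    # Carbon only runs an authenticator whose disabled attribute is "false".
    if auth.get("disabled", "false").lower() != "false":
        problems.append('disabled is not "false": the authenticator will not run')
    params = {p.get("name"): (p.text or "").strip()
              for p in auth.iter() if _local(p.tag) == "Parameter"}
    for name in REQUIRED:
        if not params.get(name):
            problems.append(f"missing or empty parameter {name}")
    # ServiceProviderID must equal the Audience URI (SP Entity ID) set in Okta,
    # or the assertion's audience restriction will not match.
    sp_id = params.get("ServiceProviderID")
    if sp_id and sp_id != okta_audience:
        problems.append(f"ServiceProviderID {sp_id!r} != Okta audience {okta_audience!r}")
    if params.get("IdentityProviderSSOServiceURL", "").startswith("http://"):
        problems.append("IdentityProviderSSOServiceURL uses plain http")
    # The alias must exist in wso2carbon.jks or there is no key to verify with.
    alias = params.get("IdPCertAlias")
    if alias and alias not in keystore_aliases:
        problems.append(f"IdPCertAlias {alias!r} not found in keystore")
    return problems
```

Run it against the real authenticators.xml text and the alias list from `keytool -list` on wso2carbon.jks before restarting the server; the namespace-stripping parser accepts the file with or without its xmlns.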
After making those changes, we need to restart the server.
Now when we try to access https://localhost:9443/carbon, it will redirect to the Okta login screen, where we log in as the admin user with its password. If everything is set correctly, after a successful login it will redirect back to the WSO2 Admin Console.
I hope you enjoyed it.
See you in the next post 🙂