Enable SSO Authentication in WSO2 EI using Okta

This post will show how to enable SSO authentication in WSO2 Enterprise Integrator using Okta. For this tutorial we are going to use WSO2 EI 6.5.0. It also requires an Okta account; we can create one for free on the Okta website.

Configuring Okta

In the developer's console, we need to switch to the Classic UI and then do the following:

  1. Go to Applications -> Add Application -> Create New App;
  2. In the Create New Application window choose Platform: Web and SAML 2.0 as the Sign on method, then click the Create button. [Image: Okta Create new App]
  3. In General Settings, add a name, for our example it will be "WSO2 SAML", and then click Next. [Image: Okta App General]
  4. In the SAML Settings tab we are going to add the configurations needed to make it work with EI:

    1. Single Sign On URL: https://localhost:9443/acs (this is the URL where the SAML Assertion will be sent to; you must specify your server's endpoint, in our example it is localhost);
    2. Audience URI (SP Entity ID): WSO2_EI [Image: Okta SAML Settings]

    Before clicking Next, download Okta's certificate using the Download Okta Certificate button on the right; we are going to need it later. It will be saved as okta.cert. After that we can click the Next button.
  5. In the next tab, you can choose any of the options and click Finish. Now that we have the application created, we need to get the information to set it up in EI: in the Sign On tab of the created app, click on View Setup Instructions. We will need the Identity Provider Single Sign-On URL. [Image: Okta SAML Setup]

  6. Create a new user called admin. For that we need to go to Directory -> People -> Add Person. [Image: Okta Add User]

  7. We need to assign that user to the application we just created (WSO2 SAML). If we click on the application, it will have an Assignments tab; there we click Assign -> Assign to People [Image: Okta Assign to People] and click the Assign button next to the user. [Image: Okta Assign to People 2] When we click the Assign button, it shows a screen with the username; by default it contains the email, so we should edit it to leave only admin, then click "Save and Go Back", and then click Done. [Image: Okta Assign to People 3]

Configuring EI to use OKTA as SSO

First we import the certificate we downloaded from Okta (okta.cert) into the EI keystore, so that EI can verify the signature of the SAML assertions Okta sends. In EI 6.5.0 the keystore is <EI_HOME>/repository/resources/security/wso2carbon.jks and its default password is wso2carbon; the alias we choose here (okta) is referenced later in the configuration:

keytool -importcert -keystore wso2carbon.jks -storepass wso2carbon -alias okta -file okta.cert

Then we open <EI_HOME>/conf/security/authenticators.xml, enable the SAML2SSOAuthenticator (disabled="false") and configure it as follows:
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
	<Priority>10</Priority>
	<Config>
		<Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
		<Parameter name="ServiceProviderID">WSO2_EI</Parameter>
		<Parameter name="IdentityProviderSSOServiceURL">https://dev-xxxxxx.okta.com/app/myselfdevxxxxxxx_wso2saml_1/exktmtxxxxxxxx/sso/saml</Parameter>
		<Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
		<Parameter name="AssertionConsumerServiceURL">https://localhost:9443/acs</Parameter>
		<Parameter name="IdPCertAlias">okta</Parameter>
	</Config>
</Authenticator>

The important settings are these, and they must match what we configured in Okta:

  1. ServiceProviderID: the same value as the Audience URI (SP Entity ID) in the Okta SAML settings, WSO2_EI in our example;
  2. IdentityProviderSSOServiceURL: the Identity Provider Single Sign-On URL taken from the View Setup Instructions page in Okta (the dev-xxxxxx and exktmtxxxxxxxx parts above are placeholders for your own Okta tenant and application);
  3. AssertionConsumerServiceURL: the Single Sign On URL we configured in Okta, https://localhost:9443/acs, where Okta sends the SAML assertion;
  4. IdPCertAlias: the alias we used when importing okta.cert into the keystore (okta), which EI uses to verify the signature of the assertions sent by Okta.
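The SAML2SSOAuthenticator only accepts an assertion whose audience and destination match these settings, which is why a login fails when they differ from the Okta values. The following Python example is added here and is not code from this post or from WSO2; it shows the checks a SAML service provider applies to an incoming Response against the values from the configuration above: Audience against ServiceProviderID, Destination and Recipient against AssertionConsumerServiceURL, and the validity window. The Response it validates is constructed inline and unsigned (the issuer URL and timestamps are placeholders); signature verification with the certificate stored under IdPCertAlias is done by the real authenticator and is not reproduced here.

```python
# Added example, not part of the original post or of WSO2 EI: the checks a
# SAML service provider applies to an incoming SAML Response, run against the
# values from the authenticators.xml snippet above. The Response is constructed
# and unsigned; a real SP verifies the XML signature first, using the
# certificate stored under IdPCertAlias (okta).
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Values copied from the authenticators.xml configuration above.
SP_CONFIG = {
    "ServiceProviderID": "WSO2_EI",
    "AssertionConsumerServiceURL": "https://localhost:9443/acs",
    "NameIDPolicyFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}


def build_response(audience, destination, name_id, not_before, not_on_or_after):
    """Construct a minimal unsigned SAML Response (test input, not Okta output)."""
    nb = not_before.strftime(TIME_FMT)
    na = not_on_or_after.strftime(TIME_FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" Destination="{destination}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{SP_CONFIG['NameIDPolicyFormat']}">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{na}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_response(xml_text, config, now):
    """Return (ok, reasons, name_id). Each failed check adds a reason; ok is True
    only when every check passes. name_id is the subject the SP maps to a local
    user (admin in this post)."""
    reasons = []
    root = ET.fromstring(xml_text)
    acs = config["AssertionConsumerServiceURL"]

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        reasons.append("status: not Success")
    # Destination must be our ACS URL; otherwise the response was meant for another SP.
    if root.get("Destination") != acs:
        reasons.append("destination: does not match AssertionConsumerServiceURL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, reasons + ["assertion: missing"], None

    # Audience must name this SP (ServiceProviderID = Okta Audience URI).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if config["ServiceProviderID"] not in audiences:
        reasons.append("audience: does not match ServiceProviderID")

    # Bearer confirmation must be addressed to our ACS URL and still be valid.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        reasons.append("recipient: does not match AssertionConsumerServiceURL")
    elif scd.get("NotOnOrAfter") and now >= _parse_time(scd.get("NotOnOrAfter")):
        reasons.append("recipient: confirmation expired")

    # Validity window: NotBefore <= now < NotOnOrAfter.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_time(nb):
            reasons.append("conditions: assertion not yet valid")
        if na and now >= _parse_time(na):
            reasons.append("conditions: assertion expired")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        reasons.append("subject: NameID missing")

    return not reasons, reasons, (name_id.text if name_id is not None else None)


def demo(now=None):
    """Validate a matching, a wrong-audience and an expired response; return all three."""
    now = now or datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    acs = SP_CONFIG["AssertionConsumerServiceURL"]
    window = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    good = build_response("WSO2_EI", acs, "admin", *window)
    wrong_audience = build_response("OTHER_SP", acs, "admin", *window)
    expired = build_response("WSO2_EI", acs, "admin",
                             now - timedelta(minutes=10), now - timedelta(minutes=5))
    return {
        "good": validate_response(good, SP_CONFIG, now),
        "wrong_audience": validate_response(wrong_audience, SP_CONFIG, now),
        "expired": validate_response(expired, SP_CONFIG, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the matching response accepted with subject admin, the response issued for another SP Entity ID rejected on the audience check, and the stale response rejected on the time checks; the same mismatches are what produce a failed login when the Okta values and the authenticators.xml values drift apart.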

After making those changes we need to restart the server.

Now when we try to access https://localhost:9443/carbon, it will redirect to the Okta login screen, where we should log in as admin with its password. If everything is set correctly, after a successful login it will redirect back to the WSO2 Admin Console.

I hope you enjoyed it.

See you in the next post ;)
