Configure Okta as SSO provider for the WSO2 API Manager DevPortal (With Screenshots)

Gayan Liyanagamage
5 min read · Aug 28, 2022

Organizations commonly need to integrate the identity provider that holds their users' identities with the vendor products they deploy. Identity federation has therefore become an essential capability, both for enterprises to use and for vendors to support in their products, and support for federation is often a sign of maturity in an organization or a product. One of the most common uses of identity federation is Single Sign-On (SSO), where users in an organization log in to multiple web applications with a single identity.

WSO2 API Manager [1] is an industry-leading API management platform for building, integrating and exposing digital services in cloud, on-premises and hybrid environments. It provides comprehensive web portals to develop, implement and administer the APIs on the platform. Portal logins are managed with OpenID Connect, which makes them candidates for federation with any standards-based SSO provider. In this article we look at what SSO requires and how it can be implemented with Okta as the federated identity provider, with screenshots at each step.

Step 1 — Prerequisites

  1. Create an account in https://developer.okta.com/
  2. Download WSO2 API Manager via [1]
  3. Extract the WSO2 API Manager to some directory (APIM_HOME).
  4. Put the below configuration at the end of the deployment.toml file.

     [tenant_mgt]
     enable_email_domain = true

Step 2

Navigate to the Okta admin portal and configure an application by following the screenshots below.

Step 3

Add a new attribute to the default user profile of Okta to represent the user role. Navigate to Directory -> Profile Editor. Click on User (default) to edit the default profile, following the screenshots below. Add an attribute named ‘Role’ with variable name ‘role’.

Step 4

Add the claims that need to be returned in the ID Token from Okta. These claims will be used to map the user details to WSO2 API Manager. Navigate to Security -> API -> Authorization Servers and select the default server. Add claims ‘wso2user’ and ‘roles’.

Step 5

Set the role value that WSO2 API Manager will use to map an internal role to a provisioned user. Go to Directory -> People -> People and click on your profile name. Navigate to the profile edit page by clicking on the username. Add developer as the role value as shown below.

Step 6

Log in to the management console of the API Manager. Add an Identity Provider by selecting Identity Providers -> Add. Provide the information as depicted in the images below.

Step 7

Click Service Providers -> List in the WSO2 API-M Management Console. There are two service providers available by default: apim_publisher and apim_devportal. Click Edit to edit the apim_devportal service provider. Open “Local & Outbound Authentication Configuration” and select ‘Federated Authentication’.

Step 8

After completing the above steps, navigate to the devportal by entering https://<APIM_CP_HOST>:<APIM_CP_PORT>/devportal. It should forward you to the Okta login page.
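Steps 3 to 5 make Okta put a ‘wso2user’ claim and a ‘roles’ claim (carrying the Role profile attribute, here ‘developer’) into the ID token, and the API Manager side relies on those claims to pick an internal role. The following is an added example, not code from the article or from WSO2, that shows the checks a practitioner would expect before trusting such claims: issuer, audience and expiry are verified and the Okta role is mapped to an internal role. The issuer, audience and sample claims are constructed placeholders, and the ROLE_MAP target ‘Internal/subscriber’ is an assumed mapping, not one the article states.

```python
# Constructed placeholders for the Okta authorization server and the
# client id registered for the devportal; not real identifiers.
ISSUER = "https://dev-PLACEHOLDER.okta.com/oauth2/default"
AUDIENCE = "apim-devportal-client-id-PLACEHOLDER"

# Assumed mapping from the Okta 'roles' claim value to an API Manager role.
ROLE_MAP = {"developer": "Internal/subscriber"}

# Constructed sample of the ID token claims after Steps 3-5 (signature
# verification against Okta's JWKS is done by API Manager, not here).
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": AUDIENCE,
    "sub": "00u-PLACEHOLDER",
    "exp": 1661688000,
    "wso2user": "alice@example.com",
    "roles": "developer",
}


def map_claims(claims: dict, issuer: str, audience: str, now: int) -> tuple:
    """Validate federated ID token claims and return (username, [apim_roles]).

    Raises ValueError when the token should not be accepted, so a caller
    cannot accidentally log a user in with an empty role set.
    """
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for the devportal client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    username = claims.get("wso2user")
    if not username:
        raise ValueError("wso2user claim missing")
    # Okta may emit a custom claim as a single string or as an array.
    roles = claims.get("roles", [])
    roles = [roles] if isinstance(roles, str) else list(roles)
    mapped = [ROLE_MAP[r] for r in roles if r in ROLE_MAP]
    if not mapped:
        raise ValueError("no Okta role maps to an API Manager role")
    return username, mapped


if __name__ == "__main__":
    print(map_claims(SAMPLE_CLAIMS, ISSUER, AUDIENCE, now=1661600000))
```

Unknown Okta role values are dropped rather than passed through, and a token with no mappable role is rejected outright.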

Conclusion

In this article we explored how the WSO2 API Manager developer portal login can be federated with Okta as the identity provider. The underlying requirement is that Okta must carry roles that correspond to the roles used in API Manager, and those roles must be mapped appropriately during the SSO login.

References

  1. https://wso2.com/api-manager/
