Configuring SAML SSO for TRIRIGA on WebSphere Liberty with Okta

There are several steps for configuring single sign-on (SSO) with WebSphere® Application Server Liberty as the Service Provider (SP), Okta Identity Provider (IdP), and SP-initiated Security Assertion Markup Language (SAML).

Note: The following SSO content was written for TRIRIGA® Application Platform 3.7 and above.
Note: IBM® TRIRIGA does not support Security Assertion Markup Language (SAML) as an authentication method for its non-browser clients. The following non-browser clients are not supported:
  • IBM TRIRIGA CAD Integrator/Publisher
  • IBM TRIRIGA Connector for BIM

I. Configuring Okta

Okta provides cloud-based software that deals with identity and access management. In this example, Okta is the Identity Provider (IdP).

To use Okta with SAML, you must create a SAML application on Okta, assign Okta users to TRIRIGA, and copy the Okta Identity Provider metadata file to WebSphere Application Server Liberty.

The following steps demonstrate how to configure Okta.

a. Creating SAML Application on Okta

Procedure
  1. Sign in to your Okta organization as a user with administrative privileges.
    Note: For testing purposes, you can create an Okta developer account from the following URL: https://developer.okta.com/signup/
  2. After you sign in to Okta, make sure that you are using the Classic UI.
  3. From the menu bar, select Applications. Select Add Application. Then select Create New App.
  4. In the Create a New Application Integration dialog box, select the following settings.
    1. Platform: Select or keep Web for the platform.
    2. Sign On Method: Select SAML 2.0 for the protocol to sign in your users.
    3. Click Create.
  5. In the General Settings screen, enter the App Name. Click Next.
  6. In the Configure SAML screen, under the SAML Settings section, enter the following settings.
    1. Single Sign on URL: Enter the value for: <TRIRIGA base URL>/ibm/saml20/defaultSP/acs
    2. Audience URI (SP Entity ID): Enter the value for: <TRIRIGA base URL>/ibm/saml20/defaultSP
    3. Click Next.
  7. In the Feedback screen, select This is an internal app that we have created for the app type.
  8. Click Finish.

b. Assigning Okta Users to TRIRIGA

After you create a SAML application on Okta, you must assign Okta users to TRIRIGA. Before you configure the SSO, you must create one or more TRIRIGA users and set each TRIRIGA username to the username of the corresponding Okta user, because after SSO is enabled the only way for users to log in to TRIRIGA is from the Okta sign-in screen.

Procedure
  1. Log in to the TRIRIGA main portal.
  2. Create one or more TRIRIGA users. Set each TRIRIGA username to the username of each Okta user.
    Important: You must take this step before you configure the SSO, because after SSO is enabled, the only way for users to log into TRIRIGA will be from the Okta sign-in screen.
  3. Sign in to your Okta organization as a user with administrative privileges.
  4. After you sign in to Okta, make sure that you are using the Classic UI.
  5. From the menu bar, select Applications.
  6. Return to your SAML application on Okta. Click the Assignments tab.
  7. Select Assign and then select either Assign to People or Assign to Groups.
  8. Enter the people and groups for whom you want to use SSO with your SAML application. For each, click Assign.
  9. For any people that you assign, verify the user-specific attributes. Click Save and Go Back.
  10. Click Done.

c. Copying Okta Identity Provider Metadata File to WebSphere Liberty

After you create a SAML application on Okta, and assign Okta users to TRIRIGA, you must copy the Okta Identity Provider metadata file to WebSphere Application Server Liberty.

Procedure
  1. Sign in to your Okta organization as a user with administrative privileges.
  2. After you sign in to Okta, make sure that you are using the Classic UI.
  3. From the menu bar, select Applications.
  4. Return to your SAML application on Okta. Click the Sign On tab.
  5. Right-click the Identity Provider Metadata link.
  6. Select Save Link As.... Rename and save the file as: idpMetadata.xml
  7. Copy the idpMetadata.xml file to WebSphere Liberty at: <path_to_liberty>/wlp/usr/servers/<server_name>/resources/security

II. Configuring SSO with TRIRIGA

Procedure

On the application server, set the following attributes in the TRIRIGAWEB.properties file. This file should be located in the Tririga/config folder.
SSO=Y
SSO_REMOTE_USER=N
SSO_USER_PRINCIPAL=Y
SSO_SINGLE_SIGN_OUT_REDIRECT_URL=https://<your Okta domain>/login/signout

III. Configuring SAML SSO with WebSphere Liberty

About this task

After you configure Okta and TRIRIGA, you set up SAML SSO with WebSphere Application Server Liberty. In this example, Okta is the Identity Provider (IdP) and WebSphere Application Server Liberty is the Service Provider (SP).

You set up SAML SSO by editing the WebSphere Application Server Liberty server.xml file.

Procedure

  1. On WebSphere Application Server Liberty, in the server.xml file, add the following element declaration inside the <featureManager> element.
    <featureManager ... >
       <feature>samlWeb-2.0</feature>
       <feature>transportSecurity-1.0</feature>
    </featureManager>
  2. Add a name to the existing application tag.
    <application ... name="Tririga">
  3. Add the following element declaration to your server.xml.
    <samlWebSso20 id="defaultSP" enabled="false"></samlWebSso20>
    <!-- The id of the enabled element becomes the path segment of the SP endpoints (/ibm/saml20/<id>/acs). -->
    <!-- httpsRequired="false" turns off Liberty's check that the SP endpoints are reached over SSL. -->
    <!-- The idpMetadata file name must match the Okta metadata file copied to resources/security in section I.c. -->
    <samlWebSso20 id="<tririga_context_path>" httpsRequired="false"
                  idpMetadata="${server.config.dir}/resources/security/okta<tririga_context_path>Metadata.xml"
                  spHostAndPort="https://<public host name>:<ssl port>">
       <authFilter>
          <webApp name="Tririga"></webApp>
       </authFilter>
    </samlWebSso20>
  4. Map the TRIRIGA role to ALL_AUTHENTICATED_USERS.
    • If the <application-bnd> element is already defined, then replace it with the following element declaration.
    • If the <application-bnd> element is not defined yet, then add the following element declaration inside the <webApplication> element.
    <webApplication ... >
       <application-bnd>
          <security-role name="TRIRIGA_PLATFORM">
             <special-subject type="ALL_AUTHENTICATED_USERS"></special-subject>
          </security-role>
       </application-bnd>
    </webApplication>
  5. If the <keyStore> element is not defined yet, then add a default keystore.
    • In this example, the decoded value of "{xor}Lz4sLCgwLTs=" is "password".
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLCgwLTs="/>
  6. Set the invalidateOnUnauthorizedSessionRequestException attribute to true.
    • If the <httpSession> tag is already defined, then verify if it has an attribute named invalidateOnUnauthorizedSessionRequestException.
      • If the attribute is already defined, then verify or change its value to true.
      • If the attribute is not defined yet, then add the attribute and set its value to true.
    • If the <httpSession> tag is not defined yet, then add the following element declaration.
    <httpSession invalidateOnUnauthorizedSessionRequestException="true"/>
  7. Add the following element declaration to change the authentication cache timeout.
    <authCache timeout="2h"/>
  8. Save your changes to the server.xml file.
  9. Start or restart WebSphere Application Server Liberty.
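The values entered in Okta (section I.a), the IdP metadata file copied to Liberty (section I.c) and the id of the enabled samlWebSso20 element (section III, step 3) have to agree with each other before the first sign-in will work. The following pre-flight check is an added example, not IBM's or Okta's code: it parses a constructed stand-in for idpMetadata.xml, derives the ACS URL and Audience URI that Liberty serves for a given samlWebSso20 id, and reports any mismatch against what was typed into the Okta application. The base URL, Okta domain and entityID values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the idpMetadata.xml saved from Okta's Sign On tab (placeholder values).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-EXAMPLE.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract the fields Liberty relies on from the IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location"),
            "sso_binding": sso.get("Binding"),
            "signing_cert": cert.text.strip() if cert is not None else None}


def sp_endpoints(base_url, sp_id):
    """ACS URL and Audience URI that Liberty exposes for a samlWebSso20 element with this id."""
    base = base_url.rstrip("/")
    return f"{base}/ibm/saml20/{sp_id}/acs", f"{base}/ibm/saml20/{sp_id}"


def check_pairing(idp_xml, base_url, sp_id, okta_acs, okta_audience):
    """Return the list of problems that would stop the Okta app and the Liberty SP from working together."""
    idp = parse_idp_metadata(idp_xml)
    acs, audience = sp_endpoints(base_url, sp_id)
    findings = []
    if okta_acs != acs:
        findings.append(f"Okta Single Sign on URL {okta_acs} does not match Liberty ACS {acs}")
    if okta_audience != audience:
        findings.append(f"Okta Audience URI {okta_audience} does not match Liberty SP entity ID {audience}")
    if not idp["signing_cert"]:
        findings.append("IdP metadata carries no signing certificate; Liberty cannot verify assertions")
    if not idp["sso_url"].startswith("https://"):
        findings.append(f"IdP SSO endpoint {idp['sso_url']} is not HTTPS")
    return findings
```

Running check_pairing with the id of the enabled samlWebSso20 element set to anything other than the id used when the Okta URLs were entered reports both URL mismatches, which is the usual cause of a redirect loop or an "unexpected ACS" error after the first Okta login.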