Configuring SAML SSO for TRIRIGA on WebSphere Liberty with Okta
There are several steps for configuring single sign-on (SSO) with WebSphere Application Server Liberty as the Service Provider (SP), Okta as the Identity Provider (IdP), and an SP-initiated Security Assertion Markup Language (SAML) flow.
- IBM TRIRIGA CAD Integrator/Publisher
- IBM TRIRIGA Connector for BIM
I. Configuring Okta
Okta provides cloud-based software that deals with identity and access management. In this example, Okta is the Identity Provider (IdP).
To use Okta with SAML, you must create a SAML application on Okta, assign Okta users to TRIRIGA, and copy the Okta Identity Provider metadata file to WebSphere Application Server Liberty.
The following steps demonstrate how to configure Okta.
a. Creating SAML Application on Okta
- Sign in to your Okta organization as a user with administrative privileges. Note: For testing purposes, you can create an Okta developer account from the following URL: https://developer.okta.com/signup/
- After you log in to Okta, make sure that you are using the Classic UI.
- From the menu bar, select Applications. Select Add Application. Then select Create New App.
- In the Create a New Application Integration dialog box, select the following settings.
- Platform: Select or keep Web for the platform.
- Sign On Method: Select SAML 2.0 for the protocol to log in your users.
- Click Create.
- In the General Settings screen, enter the App Name. Click Next.
- In the Configure SAML screen, under the SAML Settings section, enter the following settings.
- Single Sign on URL: Enter the value for: <TRIRIGA base URL>/ibm/saml20/defaultSP/acs
- Audience URI (SP Entity ID): Enter the value for: <TRIRIGA base URL>/ibm/saml20/defaultSP
- Click Next.
- In the Feedback screen, select This is an internal app that we have created for the app type.
- Click Finish.
b. Assigning Okta Users to TRIRIGA
After you create a SAML application on Okta, you must assign Okta users to TRIRIGA. Before you configure SSO, you must create one or more TRIRIGA users and set each TRIRIGA username to the username of the corresponding Okta user. Do this first, because after SSO is enabled the only way for users to log in to TRIRIGA is from the Okta sign-in screen.
- Log in to the TRIRIGA main portal.
- Create one or more TRIRIGA users. Set each TRIRIGA username to the username of the corresponding Okta user. Important: You must take this step before you configure SSO, because after SSO is enabled the only way for users to log in to TRIRIGA is from the Okta sign-in screen.
- Sign in to your Okta organization as a user with administrative privileges.
- After you log in to Okta, make sure that you are using the Classic UI.
- From the menu bar, select Applications.
- Return to your SAML application on Okta. Click the Assignments tab.
- Select Assign and then select either Assign to People or Assign to Groups.
- Enter the people and groups for whom you want to use SSO with your SAML application. For each, click Assign.
- For any people that you assign, verify the user-specific attributes. Click Save and Go Back.
- Click Done.
c. Copying Okta Identity Provider Metadata File to WebSphere Liberty
After you create a SAML application on Okta, and assign Okta users to TRIRIGA, you must copy the Okta Identity Provider metadata file to WebSphere Application Server Liberty.
- Sign in to your Okta organization as a user with administrative privileges.
- After you log in to Okta, make sure that you are using the Classic UI.
- From the menu bar, select Applications.
- Return to your SAML application on Okta. Click the Sign On tab.
- Right-click the Identity Provider Metadata link.
- Select Save Link As.... Rename and save the file as: idpMetadata.xml
- Copy the idpMetadata.xml file to WebSphere Liberty at: <path_to_liberty>/wlp/usr/servers/<server_name>/resources/security
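The two values entered in the Okta SAML Settings screen (step a) are derived from the TRIRIGA base URL, and the idpMetadata.xml file copied in step c is what Liberty uses to find the Okta sign-in endpoint and the certificate that signs assertions. The script below is an added example, not code from IBM, Okta or this page: it builds the SP values from a base URL and checks a downloaded metadata file for the things Liberty needs before the file is dropped into resources/security. The function names, the placeholder entityID and host, and the certificate text in the embedded sample are constructed for the example.

```python
"""Added helper: derive the SP values to enter in Okta's SAML Settings and
sanity-check an Okta IdP metadata file before copying it to Liberty's
resources/security directory. Not part of TRIRIGA, Liberty or Okta."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample shaped like the file Okta serves from the Sign On tab.
# The entityID, host and certificate text are placeholders, not real values.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICEXAMPLE
            CERTIFICATEBODY</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-000000.okta.com/app/exkEXAMPLEID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-000000.okta.com/app/exkEXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_settings(tririga_base_url):
    """Values for Okta's Single Sign on URL and Audience URI fields, built
    from the TRIRIGA base URL; a trailing slash must not double up."""
    entity_id = tririga_base_url.rstrip("/") + "/ibm/saml20/defaultSP"
    return {"sso_url": entity_id + "/acs", "audience_uri": entity_id}


def inspect_idp_metadata(xml_text):
    """Extract the fields Liberty's SP relies on from IdP metadata."""
    root = ET.fromstring(xml_text)  # stdlib parser: no external entity resolution
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: wrong file (SP metadata?)")
    signing_certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # use="signing", or no use attribute at all, both cover assertion signatures
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                if cert.text and cert.text.strip():
                    signing_certs.append("".join(cert.text.split()))
    endpoints = {
        s.get("Binding"): s.get("Location")
        for s in idp.findall(f"{{{MD}}}SingleSignOnService")
    }
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": signing_certs,
        "sso_endpoints": endpoints,
    }


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the file is fit to copy."""
    info = inspect_idp_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: Liberty cannot verify assertion signatures")
    if not info["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in info["sso_endpoints"].items():
        if urlparse(location or "").scheme != "https":
            problems.append(f"{binding} location is not https: {location}")
    return problems


if __name__ == "__main__":
    print(sp_settings("https://tririga.example.com/"))
    print(check_idp_metadata(SAMPLE_IDP_METADATA) or "idpMetadata.xml looks usable")
```

Run it against the real file with `check_idp_metadata(open("idpMetadata.xml").read())`; a file with no signing certificate or with a non-https endpoint is the usual sign that the wrong link was saved from the Okta Sign On tab.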
II. Configuring SSO with TRIRIGA
Procedure
SSO=Y
SSO_REMOTE_USER=N
SSO_USER_PRINCIPAL=Y
SSO_SINGLE_SIGN_OUT_REDIRECT_URL=https://<your Okta domain>/login/signout
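With SSO=Y, TRIRIGA stops checking passwords itself and trusts the identity the container hands it, so the four properties above need to be consistent: an identity source must be enabled, and the sign-out redirect must really point at Okta so that logging out of TRIRIGA also ends the Okta session. The script below is an added example, not TRIRIGA code: it reads the SSO keys from a TRIRIGAWEB.properties file and flags the common mistakes, including leaving the `<your Okta domain>` placeholder in place. The function names, the `okta_domain` parameter and the embedded sample are constructed for the example.

```python
"""Added check for the SSO settings in TRIRIGAWEB.properties.
Not TRIRIGA code: it parses Java properties syntax and flags the
mistakes that most often leave SSO half-configured."""
from urllib.parse import urlparse

# Constructed sample: the four values from the procedure, with the Okta
# domain left as the unreplaced placeholder so the check has something to catch.
SAMPLE_PROPERTIES = """# SSO section of TRIRIGAWEB.properties (constructed sample)
SSO=Y
SSO_REMOTE_USER=N
SSO_USER_PRINCIPAL=Y
SSO_SINGLE_SIGN_OUT_REDIRECT_URL=https://<your Okta domain>/login/signout
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, first '=' or ':' separates key and value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            props[line] = ""
            continue
        idx = min(positions)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_sso_properties(props, okta_domain=None):
    """Return a list of problems with the SSO keys; empty means consistent.
    okta_domain (optional, constructed parameter) is the host the sign-out URL must use."""
    if props.get("SSO", "N").upper() != "Y":
        return ["SSO is not Y: the SAML setup on Liberty will not be used for TRIRIGA logins"]
    problems = []
    remote = props.get("SSO_REMOTE_USER", "N").upper() == "Y"
    principal = props.get("SSO_USER_PRINCIPAL", "N").upper() == "Y"
    if not (remote or principal):
        problems.append("SSO=Y but neither SSO_REMOTE_USER nor SSO_USER_PRINCIPAL is Y: no identity source")
    if remote and principal:
        problems.append("both SSO_REMOTE_USER and SSO_USER_PRINCIPAL are Y; this setup expects only SSO_USER_PRINCIPAL=Y")
    url = props.get("SSO_SINGLE_SIGN_OUT_REDIRECT_URL", "")
    if "<" in url or ">" in url:
        problems.append(f"sign-out URL still contains a placeholder: {url}")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append(f"sign-out URL must be an absolute https URL: {url!r}")
    elif okta_domain and parsed.netloc.lower() != okta_domain.lower():
        problems.append(f"sign-out URL host {parsed.netloc} is not the Okta domain {okta_domain}")
    return problems


if __name__ == "__main__":
    found = parse_properties(SAMPLE_PROPERTIES)
    for problem in check_sso_properties(found, okta_domain="dev-000000.okta.com"):
        print("PROBLEM:", problem)
```

Point it at the live file with `check_sso_properties(parse_properties(open("TRIRIGAWEB.properties").read()), okta_domain="...")`; an empty list is the expected result once the Okta domain has been filled in.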
III. Configuring SAML SSO with WebSphere Liberty
About this task
After you configure Okta and TRIRIGA, you set up SAML SSO with WebSphere Application Server Liberty. In this example, Okta is the Identity Provider (IdP) and WebSphere Application Server Liberty is the Service Provider (SP).
You set up SAML SSO by editing the WebSphere Application Server Liberty server.xml file.