Using Okta as an External IDP with OIDC
Follow the instructions below to connect Okta as a third-party Identity Provider to WSO2 API Manager.
Pre-requisites
Before you begin, make sure you do the following.
- Create an account at https://developer.okta.com/
- Download the API Manager 3.2.0 distribution from https://wso2.com/api-management/
- Unzip the distribution, open the deployment.toml file located in the <API-M_HOME>/repository/conf/ directory, and add the following configuration. This is needed because Okta uses the email address as the username by default, and email-as-username is not enabled in WSO2 API Manager by default. Once enabled, you can sign in with either an email address or a plain username.

```toml
[tenant_mgt]
enable_email_domain = true
```

- Start the WSO2 API Manager server.
Step 1 - Configure Okta
- Navigate to the Okta Admin Portal.
- Click Applications and then click Add Application.
- Select the application type as Web and fill in the application details.
- Add a new attribute to the default user profile of Okta to represent the user role.
- Add the claims that need to be returned in the ID token by Okta. These claims will be used to map the user details to WSO2 API Manager.
- Enable WSO2 API Manager to map an internal role to a provisioned user.
Step 2 - Configure API Manager
- Sign in to the WSO2 API-M Management Console at https://localhost:9443/carbon.
- Create a role that needs to be assigned to users that will be provisioned from Okta.
- Add role permissions via the WSO2 API Manager Admin Portal.
  - Sign in to the WSO2 API Manager Admin Portal at https://localhost:9443/admin.
  - Click Settings and then click Role Permissions.
  - Click Add role permission.
  - Enter okta_role in the Provide role name field and click Next.
  - Go to Select permissions, click Custom permissions, and assign the permissions that allow a user having the okta_role to log in to the Publisher and Developer Portals.
  - Click Save to save your changes.
Note
If you want your user to perform analytics-based tasks, you should add the okta_role to the required analytics scopes according to your preference. The steps below are given as an example.
- Sign in to the API-M Management Console at https://localhost:9443/carbon.
- Navigate to Main > Resources > Browse.
- Enter /_system/config/apimgt/applicationdata/tenant-conf.json as the location and click Go to browse the registry and locate the required resource.
- Update the RESTAPIScopes JSON field by adding okta_role to the Roles field under the corresponding Name fields, as shown below for the analytics related scopes.

```json
{
  "Name": "apim_analytics:api_analytics:view",
  "Roles": "admin,Internal/creator,Internal/publisher,okta_role"
},
{
  "Name": "apim_analytics:application_analytics:view",
  "Roles": "admin,Internal/subscriber,okta_role"
},
```

- Click Save Content.
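Editing the Roles strings of tenant-conf.json by hand in the registry browser is easy to get wrong: a duplicated role, a stray comma, or an accidental edit to an unrelated scope silently changes who can call the REST APIs. The following helper, added here as an example and not part of WSO2 API Manager, performs the same change idempotently and refuses to touch scopes it was not asked about. It assumes the tenant-conf.json layout RESTAPIScopes -> Scope -> [{Name, Roles}] used by API-M 3.2.0; SAMPLE_TENANT_CONF is a constructed excerpt, not a real file.

```python
"""Add a local role to selected RESTAPIScopes entries of tenant-conf.json.

Hypothetical helper (not WSO2 API-M code). It assumes the file layout
  {"RESTAPIScopes": {"Scope": [{"Name": ..., "Roles": "a,b,c"}, ...]}}
which is how API-M 3.2.0 stores REST API scope-to-role assignments.
"""
import copy
import json
import re

# The two analytics scopes the page tells you to extend.
ANALYTICS_SCOPES = (
    "apim_analytics:api_analytics:view",
    "apim_analytics:application_analytics:view",
)

# Constructed excerpt standing in for the real registry resource; the real file
# carries many more scopes, which the helper must leave untouched.
SAMPLE_TENANT_CONF = json.dumps({
    "RESTAPIScopes": {
        "Scope": [
            {"Name": "apim:api_view",
             "Roles": "admin,Internal/creator,Internal/publisher"},
            {"Name": "apim_analytics:api_analytics:view",
             "Roles": "admin,Internal/creator,Internal/publisher"},
            {"Name": "apim_analytics:application_analytics:view",
             "Roles": "admin,Internal/subscriber"},
        ]
    }
})

# Roles are stored as a comma-separated string, so a comma in a role name would
# silently create two roles; restrict to the characters WSO2 role names use.
_ROLE_NAME = re.compile(r"^[A-Za-z0-9_./ -]+$")


def load_sample():
    """Parse the constructed sample into the dict the other functions expect."""
    return json.loads(SAMPLE_TENANT_CONF)


def split_roles(roles_field):
    """Turn "a, b,c" into ["a", "b", "c"], dropping empty entries."""
    return [r.strip() for r in roles_field.split(",") if r.strip()]


def roles_for(conf, scope_name):
    """Return the role list currently assigned to a scope."""
    for entry in conf["RESTAPIScopes"]["Scope"]:
        if entry["Name"] == scope_name:
            return split_roles(entry["Roles"])
    raise KeyError(scope_name)


def add_role_to_scopes(conf, role, scope_names):
    """Return (new_conf, changed_scope_names); the input dict is not modified.

    Raises ValueError for an unsafe role name and KeyError if any requested
    scope is absent, so a typo in a scope name fails loudly instead of being
    skipped.
    """
    if not _ROLE_NAME.match(role):
        raise ValueError(f"refusing to add role with unexpected characters: {role!r}")
    new_conf = copy.deepcopy(conf)
    by_name = {e["Name"]: e for e in new_conf["RESTAPIScopes"]["Scope"]}
    missing = [n for n in scope_names if n not in by_name]
    if missing:
        raise KeyError(f"scopes not present in tenant-conf.json: {missing}")
    changed = []
    for name in scope_names:
        roles = split_roles(by_name[name]["Roles"])
        if role in roles:
            continue  # already present: running the helper twice is harmless
        roles.append(role)
        by_name[name]["Roles"] = ",".join(roles)
        changed.append(name)
    return new_conf, changed


def update_tenant_conf_text(text, role, scope_names):
    """Apply add_role_to_scopes to the JSON text of the registry resource."""
    new_conf, changed = add_role_to_scopes(json.loads(text), role, scope_names)
    return json.dumps(new_conf, indent=2), changed


if __name__ == "__main__":
    updated, changed = update_tenant_conf_text(SAMPLE_TENANT_CONF, "okta_role", ANALYTICS_SCOPES)
    print("updated scopes:", changed)
    print(updated)
```

Paste the printed JSON back into the registry resource and click Save Content; re-running the helper on the saved content reports no changed scopes, which is a quick way to confirm the edit took effect.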
- Add an Identity Provider.
  - Sign in to the WSO2 API-M Management Console at https://localhost:9443/carbon.
  - Click Main and then click Add under Identity Providers.
  - Enter the Identity Provider's Name.
  - Expand Federated authenticators -> OAuth2/OpenID Connect Configuration and add the following details.

    | Field | Sample value |
    |---|---|
    | Enable OAuth2/OpenIDConnect | True |
    | Client id | You can find this value from the Okta application that you created. |
    | Client secret | You can find this value from the Okta application that you created. |
    | Authorization Endpoint URL | https://your_okta_url/oauth2/default/v1/authorize |
    | Token Endpoint URL | https://your_okta_url/oauth2/default/v1/token |
    | Callback URL | https://localhost:9443/commonauth |
    | Userinfo Endpoint URL | https://your_okta_url/oauth2/default/v1/userinfo |
    | Logout Endpoint URL | https://your_okta_url/oauth2/default/v1/logout |
    | Additional Query Parameters | scope=openid%20profile |

    The Callback URL must also be registered as a sign-in redirect URI on the Okta application; Okta only redirects to URIs that match a registered one exactly.

  - Expand Claim Configuration -> Basic Claim Configuration and add the claim configurations that map the claims returned in the Okta ID token (configured in Step 1) to the corresponding local claims.
  - Expand Role Configuration and add a role mapping for okta_role: map the Identity Provider role any to the local okta_role, so that any user who signs in through Okta is assigned the local okta_role.
  - Enable Just-in-Time Provisioning so that the user is saved in the API Manager user store.

    Info
    When Just-In-Time Provisioning is enabled, the user details will be saved in the API Manager user store. User profile details will be updated via the federation following each login event. To preserve the user profile details without any changes, you need to enable SystemRolesRetainedProvisionHandler. Add the following to the <API-M_HOME>/repository/conf/deployment.toml file and restart the server.

    ```toml
    [authentication.framework.extensions]
    provisioning_handler = "org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.SystemRolesRetainedProvisionHandler"
    ```
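The endpoint URLs in the Identity Provider form above are typed in by hand, and the most common mistakes are mixing the Okta org authorization server (/oauth2/v1/...) with the default custom server (/oauth2/default/v1/...), using an http callback, or forgetting to register the callback on the Okta application. The check below, added here as an example and not WSO2 or Okta code, compares the form values against the authorization server's OIDC discovery document. It assumes the placeholder org domain https://your_okta_url from the table; DISCOVERY is a constructed excerpt of what https://your_okta_url/oauth2/default/.well-known/openid-configuration returns, and OKTA_REDIRECT_URIS is a constructed list of the sign-in redirect URIs registered on the Okta application.

```python
"""Cross-check the Okta endpoint URLs entered in the API-M Identity Provider
form against the authorization server's OIDC discovery document.

Hypothetical helper (not WSO2 or Okta code). Assumes the placeholder org domain
https://your_okta_url and the 'default' custom authorization server used on
this page.
"""
from urllib.parse import parse_qs, urlparse

OKTA_BASE = "https://your_okta_url"  # placeholder from the page

# Constructed excerpt of the discovery document (standard OIDC discovery keys;
# the values follow Okta's URL layout for a custom authorization server).
DISCOVERY = {
    "issuer": f"{OKTA_BASE}/oauth2/default",
    "authorization_endpoint": f"{OKTA_BASE}/oauth2/default/v1/authorize",
    "token_endpoint": f"{OKTA_BASE}/oauth2/default/v1/token",
    "userinfo_endpoint": f"{OKTA_BASE}/oauth2/default/v1/userinfo",
    "end_session_endpoint": f"{OKTA_BASE}/oauth2/default/v1/logout",
    "jwks_uri": f"{OKTA_BASE}/oauth2/default/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "groups", "offline_access"],
}

# Constructed: sign-in redirect URIs registered on the Okta application.
OKTA_REDIRECT_URIS = ["https://localhost:9443/commonauth"]

# Values as typed into Federated authenticators > OAuth2/OpenID Connect Configuration.
APIM_IDP_FORM = {
    "Authorization Endpoint URL": f"{OKTA_BASE}/oauth2/default/v1/authorize",
    "Token Endpoint URL": f"{OKTA_BASE}/oauth2/default/v1/token",
    "Userinfo Endpoint URL": f"{OKTA_BASE}/oauth2/default/v1/userinfo",
    "Logout Endpoint URL": f"{OKTA_BASE}/oauth2/default/v1/logout",
    "Callback URL": "https://localhost:9443/commonauth",
    "Additional Query Parameters": "scope=openid%20profile",
}

# Which discovery key each form field must agree with.
FIELD_TO_DISCOVERY = {
    "Authorization Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "Userinfo Endpoint URL": "userinfo_endpoint",
    "Logout Endpoint URL": "end_session_endpoint",
}


def requested_scopes(extra_params):
    """Return the scopes from the 'Additional Query Parameters' string."""
    params = parse_qs(extra_params, keep_blank_values=True)
    return params.get("scope", [""])[0].split()


def check_idp_form(form, discovery, redirect_uris):
    """Return a list of human-readable problems; an empty list means the form is consistent."""
    problems = []

    # 1. Each endpoint must be the one the authorization server advertises. The
    #    org server and a custom server use different issuers, so mixing their
    #    endpoints fails when API-M validates the ID token.
    for field, key in FIELD_TO_DISCOVERY.items():
        if form.get(field) != discovery.get(key):
            problems.append(f"{field}: form has {form.get(field)!r}, discovery advertises {discovery.get(key)!r}")

    # 2. Everything must be https; the code, tokens and ID token travel over these URLs.
    for field in list(FIELD_TO_DISCOVERY) + ["Callback URL"]:
        if urlparse(form.get(field, "")).scheme != "https":
            problems.append(f"{field}: must use https")

    # 3. Okta only redirects to a sign-in redirect URI registered on the application.
    if form.get("Callback URL") not in redirect_uris:
        problems.append(f"Callback URL {form.get('Callback URL')!r} is not registered on the Okta application")

    # 4. scope must include openid (otherwise no ID token) and only advertised scopes.
    scopes = requested_scopes(form.get("Additional Query Parameters", ""))
    if "openid" not in scopes:
        problems.append("Additional Query Parameters: scope must include openid")
    for scope in scopes:
        if scope not in discovery.get("scopes_supported", []):
            problems.append(f"scope {scope!r} is not advertised by the authorization server")

    return problems


if __name__ == "__main__":
    report = check_idp_form(APIM_IDP_FORM, DISCOVERY, OKTA_REDIRECT_URIS)
    for line in report or ["form is consistent with the discovery document"]:
        print(line)
```

To use it against a real org, fetch the discovery document for the authorization server you intend to use and pass it in place of the constructed DISCOVERY; the checks themselves do not change.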
- Update the Service Providers.
  - Click Service Providers -> List in the WSO2 API-M Management Console. There are two service providers available by default: apim_publisher and apim_devportal.
  - Click Edit to edit apim_publisher.

    Warning
    You need to have signed in to the Developer Portal and Publisher at least once for the two service providers to appear, as they are created during the first sign in.

  - Expand Local & Outbound Authentication Configuration, select Federated Authentication, and choose the identity provider you created.
  - Repeat the latter two steps for apim_devportal.
- Now you will be able to sign in to the Publisher and Developer Portal using Okta.