Single Sign On

Single sign-on (SSO) is an authentication mechanism that allows users to access multiple applications using a single ID and password.

Software AG Cloud supports SSO that allows users to authenticate themselves against an Identity Provider (IdP) rather than obtaining and using a separate username and password. Once the IdP authenticates the users, it informs Software AG Cloud about it, which in turn lets the users access the applications without having to sign in using their Software AG Cloud credentials. This makes the login process easier, faster, and more secure.

In this tutorial, you will learn how to configure OKTA as an Identity Provider to authenticate Software AG Cloud users.

Prerequisites

To set up SSO for Software AG Cloud, ensure that you have:

Overview of Steps

  1. Create the URI for connecting IdPs to Software AG Cloud

  2. Configure IdPs (OKTA) to connect to Software AG Cloud

  3. Import IdP SAML settings into Software AG Cloud

  4. Configure IdP details in Software AG Cloud

Detailed Steps

1. Create the URI for connecting IdPs to Software AG Cloud

a. Log in to your Software AG Cloud account. Navigate to My Cloud > Administration page, and click the Single sign-on tab.

b. Click Add Identity Provider. A new screen appears where you add an Identity Provider to authenticate Software AG Cloud users.

c. Enter the following details in the Add Identity Provider screen:

Note: Keep this window open, as you will need these details for setting up the Software AG Cloud application in your IdP in the next step.

2. Configure IdPs (OKTA) to connect to Software AG Cloud

a. Log in to your IdP account as a user with Administrator privileges.

b. Go to Admin > Applications to create a new application integration. Click Add Application to add the Software AG Cloud application.

c. Select SAML 2.0 as the sign-on method.

d. In the App name field, enter an application name. After this, click Next.

e. In the Configure SAML settings tab, enter the following details:

f. After configuring SAML settings, click Next to proceed to the Feedback section. For this tutorial, we will configure the following details:

g. Once you have configured the Feedback options, click Finish.

3. Import IdP SAML settings into Software AG Cloud

To import the SAML settings of IdP into Software AG Cloud:

a. Go to the newly created OKTA application, click Sign On, click the Identity provider metadata link, and then either copy the URI or save the metadata to a file.

4. Configure IdP details in Software AG Cloud

a. Switch back to the My Cloud SSO Settings window and complete the configuration in Software AG Cloud. If you copied the OKTA metadata URI or saved the metadata to a file, choose to import, and then specify the URI or file. Click Next.

b. On the Configuration page, complete the fields as necessary. If you imported the OKTA metadata, some of the fields are pre-populated with that metadata.

c. If you did not import the OKTA metadata, the Software AG Cloud fields map to OKTA fields as follows:

d. On the Attributes page, map the Identity provider user attributes to the Software AG Cloud user attributes.

e. On the Roles page, grant access to IdP users either by assigning default Software AG Cloud roles to OKTA users or by assigning Software AG Cloud roles to OKTA users based on OKTA group membership.
For the second case, click Assign Software AG Roles to users by mapping to identity provider roles. Click +, select a Software AG Cloud role, and then type the name of the OKTA group that corresponds to the role. You can later go to individual Software AG Cloud products and modify access.

f. Save the Identity Provider configuration. Now the configuration for Identity Provider in Software AG Cloud is complete.

On successful configuration of the Identity Provider, you will see the Identity Provider name on the Software AG Cloud login page.

On successful authentication by the SSO server, you are redirected to webMethods.io Integration, which you can then access without additional authentication.