Single Sign-On (SSO) is an authentication mechanism that allows users to access multiple applications by using a single ID and password.
IBM webMethods iPaaS supports SSO that allows users to authenticate themselves against an Identity Provider (IdP) rather than obtain and use a separate username and password. Once the IdP authenticates the users, it informs IBM webMethods iPaaS about it, which in turn lets the users access the applications without having to sign in using their IBM webMethods iPaaS credentials. This makes the login process easier, faster, and more secure.
IBM webMethods iPaaS supports the following Single Sign-On Providers:
1. Create the URI for connecting IdPs to IBM webMethods iPaaS
a. Log in to your IBM webMethods iPaaS account. Go to the Administration page, and click the Single sign-on tab.
b. Click Add Identity provider. A new screen appears where you add an Identity Provider to authenticate IBM webMethods iPaaS users.
c. Enter the following details in the Add Identity Provider screen:
Identity provider display name: Enter a friendly name for the Identity Provider, for example, IDP_SAG_Test.
Identity provider unique identifier for use in IBM redirect URI: Enter a display name for the Identity Provider.
IBM webMethods iPaaS redirect URI: Copy the auto-created URI that appears in the IBM webMethods iPaaS redirect URI field to the clipboard. Use the icon at the far right of the field to copy the URI.
Note
Keep this window open, as you will need these details for setting up the IBM webMethods iPaaS application in your IdP in the next step.
2. Configure IdPs (OKTA) to connect to IBM webMethods iPaaS
a. Log in to your IdP account as a user with Administrator privileges.
b. Go to Admin > Applications to create a new application integration. Click Add Application to add the IBM webMethods iPaaS application.
c. Select SAML 2.0 as the sign-on method.
d. In the App name field, enter an application name. After this, click Next.
e. In the Configure SAML settings tab, enter the following details:
Single Sign-on URL: Paste the copied URI here. Select the checkbox to specify the URI in both the recipient and the destination URL. Also, paste the copied URI into the Audience URI field and Default RelayState.
Note
The name of this field may be different in some IdPs. For example, ‘SP Entity ID’, ‘Audience URI’.
NameID Format: Specify OKTA properties to pass to IBM webMethods iPaaS. OKTA must pass the Name ID format property to IBM webMethods iPaaS. Set the value for this field to ‘EmailAddress’. Other OKTA properties are optional.
Note
The email address, first name, and last name attributes appear on the OKTA user interface by default, and OKTA must pass these attributes to IBM webMethods iPaaS. Other OKTA user attributes are optional.
In the Attribute Statements section, provide attribute names for all required and optional attributes to pass to IBM webMethods iPaaS. These names will appear with their values in the IBM webMethods iPaaS user profiles. Ensure that you note the attribute names for use in a later step.
If you are going to assign IBM webMethods iPaaS roles to OKTA users based on OKTA group membership, go to the Group Attributes section, enter roles as the name of a group attribute, and specify a filter that matches the names of the OKTA groups you created, for example, SAG_Cloud. Note that later you need to create a group named SAG_Cloud under the OKTA directory and assign the Users/People to that group.
If you are going to assign IBM webMethods iPaaS roles to OKTA users, and you therefore created OKTA groups for the IBM webMethods iPaaS roles, assign users to the application by assigning the groups to the application. If you did not create OKTA groups, assign users to the application individually.
f. After configuring SAML settings, click Next to proceed to the Feedback section. For this tutorial, we will configure the following details:
g. Once you have configured the Feedback options, click Finish.
After configuring SAML settings, you assign Users/People to the application. If you have created OKTA groups (under Okta Directory), assign Users/People to that group and assign the groups to the application.
3. Import IdP SAML settings into IBM webMethods iPaaS
To import the SAML settings of IdP into IBM webMethods iPaaS:
a. Go to the newly created OKTA application, click Sign On, click the Identity provider metadata link, and then either copy the URI or save the metadata to a file.
4. Configure IdP details in IBM webMethods iPaaS
a. Switch back to the IBM webMethods iPaaS SSO Settings window and complete the configuration in IBM webMethods iPaaS. If you copied the OKTA metadata URI or saved the metadata to file, choose to import, and then specify the URI or file. Click Next.
b. On the Configuration page, complete the fields as necessary. If you imported the OKTA metadata, some of the fields are pre-populated with that metadata.
c. If you did not import the OKTA metadata, the IBM webMethods iPaaS fields map to OKTA fields as follows. Let’s understand what these fields are:
Single sign-on service URL: This is the unique identifier of the Identity Provider. This field is pre-populated.
NameID policy format: This is the format to use for the subjects of SAML assertions. This field is pre-populated.
HTTP-POST binding response: This attribute indicates whether the identity provider will use HTTP-POST binding to respond to authentication requests instead of the default HTTP-Redirect binding. This attribute is turned on.
HTTP-POST binding for AuthnRequest: This attribute indicates whether the identity provider expects applications to use HTTP-POST binding to submit authentication requests instead of the default HTTP-Redirect binding. This attribute is turned on by default.
Assertions signed (on/off): If the “Assertions signed” attribute is turned on in IBM webMethods iPaaS, the “assertion signature” attribute of the IdP should be set to “Sign SAML assertion”.
Assertions encrypted: This attribute indicates whether the service provider expects an encrypted assertion from the identity provider. If this property is turned on, then the “Assertion HTTP-POST binding response Encryption” attribute needs to be turned on in the identity provider and additionally, the encryption certificate needs to be uploaded to the identity provider.
Validate signature: This attribute indicates whether IBM webMethods iPaaS will validate SAML assertion signatures. If “Validate Signature” is turned on, you need the public certificate from the Identity Provider to be copied to the “Validating X509 Certificates” field in IBM webMethods iPaaS.
d. On the Attributes page, map the “Identity provider user attributes” to the “IBM webMethods iPaaS user attributes”.
Username: This always defaults to the value set for the NameID attribute.
Work email: email
First name: firstname
Last name: lastname
e. On the Roles page, grant access to IdP users either by assigning default IBM webMethods iPaaS roles to OKTA users or by assigning IBM webMethods iPaaS roles to OKTA users based on OKTA group membership. For the second case, click Assign IBM webMethods iPaaS Roles to users by mapping to identity provider roles. Click +, select an IBM webMethods iPaaS role, and then type the name of the OKTA group that corresponds to the role. You can later go to individual IBM webMethods iPaaS products and modify access.
f. Save the Identity Provider configuration. Now the configuration for Identity Provider in IBM webMethods iPaaS is complete.
On successful configuration of the Identity Provider, you will see the Identity Provider name on the IBM webMethods iPaaS login page.
On successful authentication by the SSO server, you are redirected to IBM webMethods Integration and you will be able to access IBM webMethods Integration without requiring additional authentication.