Introduction

SP-Initiated SAML is a Single Sign-On (SSO) plugin that allows users to sign in to Joget by authenticating in their preferred identity management platform (IDM) that supports the SAML protocol.


Sample Screen Flow using OKTA As Provider

We will be using Okta as the IDM provider in this article to walk through the steps of setting the plugin up, with SAML acting as the SP (Service Provider) and Okta as the Identity Provider (IDP). Once the plugin is enabled, the login page shows an additional (blue) login button, as seen in Figure 1. The screens below show the flow once it has been set up successfully.

Figure 1: Joget Login screen

Upon clicking on the blue login button, the user will be redirected to Okta.

Figure 2: Login Page using Okta IDP

After successfully logging in to Okta with your registered email, you are redirected back to Joget.

Source Code and Plugin Download


  1. Please visit https://github.com/jogetoss/sp-saml-directory-manager for the plugin's source code.
  2. You can find the latest release at https://github.com/jogetoss/sp-saml-directory-manager/releases.

Setting up

  1. Upload the plugin to your Joget by navigating to Settings > Manage Plugins > Upload Plugin as admin.


Sample Setup using OKTA

Create App Integration

Go to your Okta developer account, and navigate to Applications > Create App Integration.


Figure 3: Okta Developer Dashboard - Creating App Integration

Choose SAML 2.0 as the sign-in method for the new app integration.

Figure 4: App Integration - SAML 2.0

After selecting SAML 2.0, give the app a meaningful name that represents Joget.

You may click on "Do not display application icon to users" if you do not want this app to appear in Okta's end user interfaces.


Figure 5: General Settings

In the next screen, we will be required to provide the Single sign-on URL and the SP Entity ID. Both values come from the plugin configuration in Joget, so we switch to Joget for the next steps.


Figure 6: SAML Settings
In Joget, navigate to System Settings > Directory Manager Settings and select SAML Service Provider Directory Manager, as seen in Figure 7.

Figure 7: Select Plugin

Once selected, you should be directed to the next screen in Figure 8. If not, please click on Configure Plugin.


Figure 8: Plugin Configuration

Copy the Entity ID. 

Go back to the Okta page and paste the value into:

  • Single sign-on URL
  • Audience URI (SP Entity ID)
  • Default RelayState

Change Name ID format to EmailAddress. Once that section is complete, it should look like the image in Figure 7.

Figure 7: SAML Setting (General)

Scroll down to Attribute Statements (optional) and fill in the attribute mappings. The mappings below are needed to identify the users that will be logging in.

Name        Value
firstName   user.firstName
lastName    user.lastName
email       user.email

Figure 8: Attribute Statements

Once everything under General is filled in, you can preview the SAML Assertion. If you are happy with it, proceed to the next page.

Figure 9: SAML Assertion

Complete the rest of the steps by clicking Next and Finish. You may choose "I'm an Okta customer adding an internal app" for testing purposes.

We are done setting up the app integration on Okta. Next, we will need to configure Joget to point to Okta, which requires two more pieces of information from Okta: the metadata and the certificate. Below is where you can locate them.

Edit the app integration that we have just created on Okta.


Figure 9: Obtaining Metadata

Copy the Metadata URL and open it in a new window. Copy the entire content.


Figure 10: Metadata

Paste the content into Metadata in Joget.


Figure 11: Paste Metadata into Joget SAML Plugin

Scroll down to the SHA-2 certificate and download it.


Figure 12: Download Certificate

Figure 13: Okta Certificate

Open the certificate with your favourite text editor, copy only the certificate value shown in Figure 13, and paste it into Joget.


Figure 14: Paste the Cert Content into Joget SAML Plugin
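Before pasting the metadata and certificate into Joget, it is worth confirming that the two artifacts belong together: the certificate you downloaded must be the signing certificate that the metadata advertises, and the metadata must offer the emailAddress NameID format chosen above. The script below is an added example, not code from the sp-saml-directory-manager plugin or from Okta; it parses an IdP metadata document in the shape Okta serves at the Metadata URL and a PEM certificate, and compares them by SHA-256 fingerprint. The entity ID, the `dev-000000` host, the `exk-PLACEHOLDER` identifiers and the certificate bytes are constructed placeholders.

```python
"""Sanity-check Okta IdP metadata against the downloaded SHA-2 certificate.

Added example (not the plugin's or Okta's code). All identifiers and the
certificate bytes are constructed placeholders.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins for the DER bytes of certificates (a real one is about 1 KB).
SAMPLE_CERT_B64 = base64.b64encode(b"constructed sample certificate DER bytes").decode()
OTHER_CERT_B64 = base64.b64encode(b"a different constructed certificate").decode()


def pem_from_b64(body: str) -> str:
    """Wrap a Base64 certificate body in PEM armour, as the Okta download looks."""
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = pem_from_b64(SAMPLE_CERT_B64)
OTHER_PEM = pem_from_b64(OTHER_CERT_B64)

# Constructed metadata in the shape Okta serves; exk-PLACEHOLDER and dev-000000 are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exk-PLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_EMAIL}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-000000.okta.com/app/PLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}"
        Location="https://dev-000000.okta.com/app/PLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_body_from_pem(pem: str) -> str:
    """Return the Base64 body of a PEM certificate with armour lines and whitespace removed."""
    lines = (ln.strip() for ln in pem.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the DER bytes, so certificates compare by content, not by formatting."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO endpoints per binding, NameID formats and signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            text = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
            signing_certs.append("".join(text.split()))
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "signing_certs": signing_certs,
    }


def certificate_matches_metadata(metadata: dict, pem: str) -> bool:
    """True when the downloaded certificate is one of the signing certificates in the metadata."""
    fp = fingerprint(cert_body_from_pem(pem))
    return any(fingerprint(c) == fp for c in metadata["signing_certs"])


def supports_email_name_id(metadata: dict) -> bool:
    """True when the IdP offers the emailAddress NameID format selected in the Okta app."""
    return NAMEID_EMAIL in metadata["name_id_formats"]


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID:", md["entity_id"])
    print("Redirect SSO URL:", md["sso"].get(BINDING_REDIRECT))
    print("Downloaded cert matches metadata:", certificate_matches_metadata(md, SAMPLE_PEM))
    print("emailAddress NameID offered:", supports_email_name_id(md))
```

Run it against the real metadata you copied and the real PEM you downloaded by replacing the constructed values; a mismatch usually means the certificate was downloaded from a different app integration, or the IdP rotated its signing key after the metadata was copied.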

You may want to check User Provisioning Enabled so that the first time a user signs in to Joget through SSO, a user account is created in Joget and the user can continue to log in.


Figure 13: Configure User Attributes

Configure User Attributes based on the mappings below. The first name and email attributes are mandatory.

Name                  Value
First Name Attribute  firstName
Last Name Attribute   lastName
Email Attribute       email

The "Value" here corresponds to the "Name" column that we declared in Figure 8 earlier.
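The mapping above only works if the attribute Name that Okta puts in its Attribute Statement is exactly the Value entered in Joget. The script below is an added example, not the plugin's code; it builds a constructed, unsigned assertion with the three attributes configured in Figure 8, applies a mapping table that mirrors the Configure User Attributes screen, and refuses to provision when a mandatory attribute (first name or email) is absent or the NameID is not an email address. On a real assertion, signature verification and a hardened XML parser come before any of this; the `JOGET_ATTRIBUTE_CONFIG` dictionary and the `jane.doe@example.com` subject are assumptions made for the example.

```python
"""Map an Okta SAML assertion's AttributeStatement onto Joget user attributes.

Added example (not the plugin's code). The assertion is a constructed,
unsigned fragment; JOGET_ATTRIBUTE_CONFIG mirrors the Joget screen.
"""
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Joget side: plugin field -> SAML attribute Name, as entered in Configure User Attributes.
JOGET_ATTRIBUTE_CONFIG = {
    "first_name": "firstName",
    "last_name": "lastName",
    "email": "email",
}
# The article notes that first name and e-mail are mandatory.
MANDATORY_FIELDS = ("first_name", "email")


def sample_assertion(name_id_format: str = NAMEID_EMAIL, attributes: Optional[dict] = None) -> str:
    """Build a constructed assertion; attribute Names default to the Okta statement in Figure 8."""
    if attributes is None:
        attributes = {"firstName": "Jane", "lastName": "Doe", "email": "jane.doe@example.com"}
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">'
        "<saml:Issuer>http://www.okta.com/exk-PLACEHOLDER</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{name_id_format}">jane.doe@example.com</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: first AttributeValue text} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", "", NS).strip()
    return attrs


def extract_name_id(assertion_xml: str) -> tuple:
    """Return (Format, value) of the subject NameID."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("assertion has no Subject NameID")
    return node.get("Format", ""), node.text.strip()


def map_to_joget_user(assertion_xml: str, config: dict = JOGET_ATTRIBUTE_CONFIG) -> dict:
    """Build the Joget user record that provisioning would create from this assertion."""
    fmt, username = extract_name_id(assertion_xml)
    if fmt != NAMEID_EMAIL:
        raise ValueError(f"expected emailAddress NameID format, got {fmt!r}")
    attrs = extract_attributes(assertion_xml)
    user = {"username": username}
    for field, saml_name in config.items():
        value = attrs.get(saml_name, "")
        if field in MANDATORY_FIELDS and not value:
            # Typical cause: the Name in Okta's Attribute Statements differs from the
            # Value entered in Joget's Configure User Attributes screen.
            raise ValueError(f"mandatory attribute {saml_name!r} missing from assertion")
        user[field] = value
    return user


if __name__ == "__main__":
    print(map_to_joget_user(sample_assertion()))
```

Use the Preview SAML Assertion screen in Okta (Figure 9) as the source for a real assertion body when checking your own mapping; a ValueError from `map_to_joget_user` points at the attribute whose name differs between the two screens.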

Up to this point, we have successfully created app integration in Okta and configured the SAML plugin in Joget.

No users from Okta are able to log in using this mechanism yet. Continue to read on.

Add Users to App Integration

We will need to assign user(s) to the app. Navigate to Applications > Assignments > Assign.


Figure 14: Assign Users to App

Once assigned, the selected users are able to SSO into Joget using their identity in Okta.
