Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To successfully perform Single Sign On (SSO) to Joget using Identity Provider (IDP). For this article we are using OKTA as Identity Provider.

Getting Started

Prerequisites

1. OKTA Developer Account

The prerequisite for this plugin is to have a account with desired Identify Provider (IDP) and setup the App integration and obtain the IDP metadata and certificate. In this article we will using OKTA as the Identity Provider.

...

Okta
Identity Providers (IdPs): What They Are and Why You Need One
Okta Documentation

2. API Domain/IP Whitelist

To ensure the successful operation of this plugin, it is essential to whitelist the domains or IP addresses of the host. Typically, this involves adding the IP address or domain name of your Joget application server to the whitelist. To access this section of Joget, go to Settings → General Settings and scroll down till you see API Domain/IP Whitelist section.

Image Added

Figure 1: API Domain/IP Whitelist


NameDescription
API Domain Whitelist (Separated by ';')

Domain whitelist to allow API calls to Joget Workflow. Separated by semicolon.

Info
titleExample

"localhost;www.joget.org;dev.joget.org”, or "*" to allow from everywhere.

Warning

In a production environment, do not use "*".

Doing so will allow anyone to call all JSON APIs from the Joget server.

API IP Whitelist (Separated by ';')

IP address whitelist to allow API calls to Joget. Separated by semicolon.

Info
titleExample

"localhost; 192.168.101.10; www.joget.org;dev.joget.org ”, or "*" to allow from everywhere.

Warning

In a production environment, do not use "*".

Doing so will allow anyone to call all JSON APIs from the Joget server.

3. Licensed Users

Please review the Licensed Users in the License section of Joget. If you surpass the allowed user limit, you won't be able to log in to Joget following the Single Sign-On (SSO) process.

Image Added

Figure 2: Licensed Users

Setting up OKTA

1. Create a OKTA Developer Account

Create Developer Account at https://developer.okta.com/signup/ and compete the signup process. For this the setup in this article, we will  be using Workforce Identify Cloud Account.

Image Added

Figure 3: Okta Developer Account Sign up

2. Login to OKTA Developer Account

...

Go to your Okta developer account, and navigate to Applications > Create App Integration.

Figure 14: Okta Developer Dashboard - Creating App Integration

4. Choose SAML 2.0.

Figure 25: App Integration - SAML 2.0

...

You may click on "Do not display application icon to users" if you do not want this app to appear in Okta's end user interfaces.

Figure 36: General Settings


In the next screen, we will be required to provide SSO URL and SP Entity ID.

Figure 47: SAML Settings

Here we will need Single sign-on URL & Audience URI (SP Entity ID). Please key in the following in both the fields

...

For this article we are using localhost as server and 9443 as port, e.g. https://localhost:9443/jw/web/json/plugin/org.joget.marketplace.SpSamlDirectoryManager/service

** Only change the server and port setting.


Change Name ID format onto EmailAddress.

Figure 58: SAML Setting (General)


Scroll down to Attribute Statements (optional) and fill up the attribute mappings. The mappings are needed to identify the users that will be logging in.



Figure 69: Attribute Statements

Info
titleAttribute Statements

Click Add Another to create an extra attribute statements.

NameValue

firstName

user.firstName

lastName

user.lastName

email

user.email

...

4. Getting IDP Metadata and Certification

In this, we will get IDP Metadata and Certificate.

Info
titleIDP Metadata and Certificate

We will need IDP Metadata and Certificate to configure this plugin in later steps. 


Edit the app integration that we have just created on Okta.

Figure 710: Obtaining Metadata


Copy the Metadata URL and open it in a new window. Copy the entire content.

Image RemovedImage Added

Figure 811: Metadata


Scroll down to look for SHA-2 cert and download certificate.

Figure 912: Download Certificate


Figure 1013: Okta Certificate

5. Add users to App Integration

We will need to assign user(s) to the app. Navigate to Applications > Assignments > Assign.

Image Modified

Figure 14: Assign Users to App

Once assigned, the selected users are now abe able to SSO into Joget using their identity in Okta.

We are done with setting up OKTA Developer Account and obtains the required items such as IDP Metadata and Certificate. We will not proceed to setup this plugin in Joget.

Plugin Setup

1. Obtain the Plugin

Get the plugin source and jar file from https://github.com/jogetoss/sp-saml-directory-manager

2. Upload the Plugin

Upload the plugin jar file in Joget by going to Settings → Manage Plugins → Upload Plugin

3. Plugin Configuration

Once the plugin in uploaded, go to Settings → Directly Directory Manager Settings and choose SAML Service Provider Directory Manager - 8.0.0 and click Select. 

Figure 1115: Select Plugin


Open the certificate with your text editor and copy the value and paste it into Joget.

Image Modified

Figure 1216: Paste the Cert Content


Paste the content into Metadata in Joget.

Image Modified

Figure 1317: Paste Metadata

Info
titleUser Provisioning

You may want to check on User Provisioning Enabled so that if it is the first time an user SSO into Joget, an user account would be created in Joget and the user would be able to continue to log in to Joget.


Configure the User Attributesuser attributes.

Figure 1418: Configure User Attributes

...

NameValue

First Name Attribute

firstName

Last Name Attribute

lastName

Email Attribute

email

The "Value" here corresponds with "Name" column that we have declared in Figure 6 earlier.

Configure the Login Button. This login button will be shown at the Joget Login Screen to enable use to perform Single Sign On (SSO) using OKTA.

Image Modified

Figure 1519: Configure Login Button


Up to this point, we have successfully created app integration in Okta and configured the
SAML Service Provider Directory Manager - 8.0.0 plugin in Joget.

Performing Single Sign On

To login using this plugin, you have to logout from Joget. Go to Joget Login Page, you will see the following login screen with the login button to perform SSO using OKTA.

Info
titleLogin Screen

Login screen may differ as show below depending on the App Center but login button will be shown.


Figure 1620: Joget Login screen


Upon clicking on the blue login button, the user will be redirected to Okta.

Image Modified

Figure 21: OKTA Login Screen


Upon successfully login in Okta with your registered email you would be redirected back to Joget and will be logged in.

...