SSO using OKTA OpenID in Anypoint Platform
In this tutorial we will demonstrate how to implement SSO using OKTA OpenID as an external identity provider for the MuleSoft Anypoint Platform.
To start with, first create an account on OKTA:
https://developer.okta.com/signup
Activate your account and log in to it.
Your account will be set up with a URL similar to https://dev-6078239-admin.okta.com
Once logged in, go to API -> Authorization Servers:
https://dev-6078239-admin.okta.com/admin/oauth2/as
Click on default
We can see two details, Issuer and Metadata URI:
- Issuer – https://dev-6078239.okta.com/oauth2/default
- Metadata URI – https://dev-6078239.okta.com/oauth2/default/.well-known/oauth-authorization-server
If we open the Metadata URI in a browser we can see more details, such as issuer, authorization_endpoint and token_endpoint, which will be needed in Anypoint Platform:
{
  "issuer": "https://dev-6078239.okta.com/oauth2/default",
  "authorization_endpoint": "https://dev-6078239.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://dev-6078239.okta.com/oauth2/default/v1/token",
  "registration_endpoint": "https://dev-6078239.okta.com/oauth2/v1/clients",
  "jwks_uri": "https://dev-6078239.okta.com/oauth2/default/v1/keys",
  "response_types_supported": ["code", "token", "id_token", "code id_token", "code token", "id_token token", "code id_token token"],
  "response_modes_supported": ["query", "fragment", "form_post", "okta_post_message"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
  "subject_types_supported": ["public"],
  "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "claims_supported": ["ver", "jti", "iss", "aud", "iat", "exp", "cid", "uid", "scp", "sub"],
  "code_challenge_methods_supported": ["S256"],
  "introspection_endpoint": "https://dev-6078239.okta.com/oauth2/default/v1/introspect",
  "introspection_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "revocation_endpoint": "https://dev-6078239.okta.com/oauth2/default/v1/revoke",
  "revocation_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "end_session_endpoint": "https://dev-6078239.okta.com/oauth2/default/v1/logout",
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"]
}
Now we will create an app in OKTA so that Anypoint Platform can access the OKTA server.
OKTA dashboard -> click on Application
Click on Add Application and choose Web
We have to provide the details below:
- Name – Name of the client app
- Base URIs – https://anypoint.mulesoft.com
- Logout redirect URIs – https://anypoint.mulesoft.com
- Login redirect URIs – https://anypoint.mulesoft.com/accounts/login/mulesy-107/redirect
We can get the Login redirect URI from the Anypoint platform:
Click on user manual registration
Copy the redirect URI
Fill in the details and click Done.
This will create the client app in OKTA with client credentials.
Note down the client id and secret:
- Client id – 0oafvmn08ElEjRTyy5d5
- Client secret – y3MtvsUlKbEtRSwUOHpycxtryi5ZVsVkcQ1KLyzC
Now let’s fill in the details in the Anypoint platform.
We need the following details:
- Client id – OKTA client app’s client id
- Client secret – OKTA client app’s client secret
- OpenID Connect Issuer – issuer in Metadata URI JSON
- Authorize URL– authorization_endpoint in Metadata URI JSON
- Token URL – token_endpoint in Metadata URI JSON
- User Info URL – the token_endpoint with the trailing token replaced by userinfo, i.e. https://dev-6078239.okta.com/oauth2/default/v1/userinfo
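Added example (not part of the tutorial): a Python script that reads the discovery document from the Metadata URI section above, pulls out the Issuer, Authorize URL, Token URL and User Info URL values the Anypoint form asks for, and refuses a document whose endpoints do not sit on the issuer's HTTPS host. The embedded JSON is a trimmed copy of the page's own discovery document; the checks, the function and its field names are mine.

```python
import json
from urllib.parse import urlparse

# Trimmed copy of the discovery document shown above (values from this page;
# only the fields this script reads are kept).
METADATA_URI = ("https://dev-6078239.okta.com/oauth2/default"
                "/.well-known/oauth-authorization-server")
DISCOVERY_JSON = """{
  "issuer": "https://dev-6078239.okta.com/oauth2/default",
  "authorization_endpoint": "https://dev-6078239.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://dev-6078239.okta.com/oauth2/default/v1/token",
  "jwks_uri": "https://dev-6078239.okta.com/oauth2/default/v1/keys",
  "code_challenge_methods_supported": ["S256"]
}"""


def anypoint_settings(metadata_uri: str, discovery_json: str) -> dict:
    """Extract the URLs Anypoint asks for and reject inconsistent metadata."""
    doc = json.loads(discovery_json)
    issuer = doc["issuer"].rstrip("/")
    # The document must describe the server it was fetched from: the metadata
    # URI has to live under the issuer, otherwise we may be configuring
    # Anypoint against a different authorization server than intended.
    if not metadata_uri.startswith(issuer + "/"):
        raise ValueError(f"issuer {issuer!r} does not match the metadata URI")
    host = urlparse(issuer).netloc
    endpoints = {k: doc[k] for k in ("authorization_endpoint", "token_endpoint", "jwks_uri")}
    for name, url in endpoints.items():
        parsed = urlparse(url)
        # Every endpoint must be HTTPS and on the issuer's host: the browser is
        # redirected to authorization_endpoint and Anypoint posts the client
        # secret to token_endpoint, so neither may point elsewhere.
        if parsed.scheme != "https" or parsed.netloc != host:
            raise ValueError(f"{name} {url!r} is not an https URL on {host}")
    token_url = endpoints["token_endpoint"]
    if not token_url.endswith("/token"):
        raise ValueError("token_endpoint does not end in /token; derive userinfo by hand")
    return {
        "OpenID Connect Issuer": issuer,
        "Authorize URL": endpoints["authorization_endpoint"],
        "Token URL": token_url,
        # The tutorial's rule: replace the trailing "token" with "userinfo".
        "User Info URL": token_url[: -len("token")] + "userinfo",
        "PKCE S256": "S256" in doc.get("code_challenge_methods_supported", []),
    }


if __name__ == "__main__":
    for field, value in anypoint_settings(METADATA_URI, DISCOVERY_JSON).items():
        print(f"{field}: {value}")
```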
Click on Create; the identity provider -> external provider will now show as enabled.
Now let’s add a user in OKTA
Go to Users -> Add Person
We can see the new user now
Now we will use our Anypoint redirect URL to log in to the Anypoint platform:
https://anypoint.mulesoft.com/accounts/login/mulesy-107
This will redirect us to the OKTA login page.
Provide the new user's username and credentials.
We are now able to log in to Anypoint Platform.