Set up OKTA SSO for an Anypoint API Community
- February 23, 2024
Okta is one of the most widely used identity providers (IdPs) on the market. An identity-as-a-service (IDaaS) platform, Okta provides centralized control over user authentication and authorization.
This article describes how to set up Okta Single Sign-on (SSO) for an API community built with MuleSoft's API Community Manager (ACM) package, which runs on top of Salesforce.
Steps to configure the Okta SSO with the Anypoint API Community Manager
Prerequisites: The user configuring the SSO must have administrator rights for OKTA and Salesforce (ACM).
- Log in to your Okta account. Navigate to the Okta admin dashboard and select Applications under the Applications tab.
- Select Browse App Catalog and choose the Salesforce.com tile.
- Select the Add Integration option at the top-right corner of the page.
- Use an Application Label of your choice. (This example keeps the default Salesforce.com entry as is.) Select the environment from the picklist for which the SSO is being set up. (This example uses the Production option.)
- In the custom domain tab, provide the Salesforce custom domain of the organization (if the link for your Salesforce org is https://xyz.my.salesforce.com/, then the custom domain is xyz). To see your domain, navigate to the Setup page in Salesforce and search for My Domain in the Search tab; the domain of your Salesforce instance is shown there.
- Select the profile Salesforce Community user (you can ignore the rest of the options available) and click Next.
- On the next page, select SAML 2.0 as the SSO method.
- Be sure Enable Single logout is enabled. Click the View Setup Instructions button; a new tab opens with a detailed description of the next steps for configuring the SSO.
- Log in to your Salesforce instance with the same (administrator) credentials used for the User Management settings in Okta.
- Click the gear icon in the top right corner, then navigate to Setup → Identity → Single Sign-On Settings.
- Once the Single Sign-On Settings page is open in Salesforce, click Edit.
- Check the SAML Enabled box to enable SAML Single Sign-On, then click Save, as shown in the image below.
- You'll be redirected to the previous screen; click the New button.
- Enter the following; unless otherwise noted, leave the default values as they are:
  - Name: Enter an identification name of your choice.
  - SAML version: This should be set to 2.0, as this is the required configuration (this option should be the default).
  - Issuer: Copy and paste the issuer value from the tab opened in the previous step (through the Okta page): [Your token here]
  - Identity Provider Certificate: Download the certificate from the previously opened tab and upload it into this field: [Your Certificate file here]
  - Identity Provider Login URL: Copy the value from the tab opened in the previous step: [Your URL here]. This URL is used to authenticate your users when they attempt to log in directly to Salesforce; it is required if you want to enable SP-initiated SAML authentication.
  - Custom Logout URL: This field is optional; copy and paste the logout URL from the opened tab: [Your URL here]
  - API Name: Give an API name of your choice, according to your needs.
  - Entity ID: If you already have a custom domain set up with Salesforce, use https://{yourCustomDomain}.my.salesforce.com. Note: if a sandbox environment has been set up, do not include .sandbox in the custom domain field. If you don't have a custom domain set up, use https://saml.salesforce.com.
- Click Save.
- Click For Communities and follow the steps below:
  - Save the Login URL value.
  - Save the Logout URL value.
  - Click Download Metadata.
- Navigate back to Okta:
  - Go to the Advanced Sign-on Settings section and enter the Login URL value you copied in the step above into the corresponding field.
  - Enter the Logout URL value you copied in the step above into the corresponding field.
  - Check the Enable Single Logout option.
- Open the metadata file you downloaded from Salesforce in the step above, copy the ds:X509Certificate value (as shown in the image below) and paste it into a text editor.
- Add the following lines at the beginning and end of the copied data, respectively:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  The file being created should look similar to this:
  -----BEGIN CERTIFICATE-----
  Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  -----END CERTIFICATE-----
  Save the file as slo.cert (this creates the certificate file) and upload it to the Signature Certificate field using the Upload option.
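The certificate-extraction and URL-copying steps above can be done with a short script instead of a text editor, which also catches a mangled paste before anything is uploaded to Okta. The following Python is an added example; it is not code from the original article, Okta or Salesforce. It assumes the downloaded file is standard SAML 2.0 SP metadata and that the Login URL and Logout URL Salesforce shows under For Communities correspond to the AssertionConsumerService and SingleLogoutService Location attributes (an assumption; the article only says to save the values). The embedded metadata document, its URLs and the certificate bytes are constructed placeholders, not a real Salesforce export or a real certificate.

```python
"""Pull the values Okta needs out of a Salesforce SP metadata file.

Added example; not code from the original article, Okta or Salesforce.
The embedded metadata document and certificate bytes are constructed
placeholders, not a real export.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER certificate (deliberately not a real X.509 blob).
PLACEHOLDER_DER = b"not-a-real-certificate:" + bytes(range(256))
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed sample shaped like a community SP metadata export. The base64 body
# is split across indented lines, as metadata exports commonly are; that is the
# whitespace the parser has to strip before the value is usable.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://xyz.my.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            {PLACEHOLDER_B64[:64]}
            {PLACEHOLDER_B64[64:]}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xyz.my.salesforce.com/community/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xyz.my.salesforce.com/community/login" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entity ID, login/logout URLs and the signing certificate (base64, whitespace removed)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor element")
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    if cert is None or acs is None:
        raise ValueError("metadata lacks a signing certificate or AssertionConsumerService")
    return {
        "entity_id": root.get("entityID"),
        "login_url": acs.get("Location"),
        "logout_url": slo.get("Location") if slo is not None else None,
        "certificate_b64": "".join(cert.text.split()),  # drop newlines and indentation
    }


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 body in BEGIN/END CERTIFICATE lines, 64 characters per line (RFC 7468)."""
    # Strict decode: a truncated or mangled paste fails here, not as an opaque upload error in Okta.
    if not base64.b64decode(cert_b64, validate=True):
        raise ValueError("certificate body is empty")
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_body_decodes_to(pem: str, der: bytes) -> bool:
    """Confirm the finished file round-trips to the original bytes before it is uploaded."""
    lines = pem.strip().splitlines()
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        return False
    return base64.b64decode("".join(lines[1:-1]), validate=True) == der


PARSED = parse_sp_metadata(SAMPLE_METADATA)
PEM = to_pem(PARSED["certificate_b64"])

if __name__ == "__main__":
    # Write the file the article has you upload as the Signature Certificate in Okta.
    with open("slo.cert", "w", encoding="utf-8") as fh:
        fh.write(PEM)
    print("Entity ID :", PARSED["entity_id"])
    print("Login URL :", PARSED["login_url"])
    print("Logout URL:", PARSED["logout_url"])
    print("wrote slo.cert with", len(PEM.splitlines()) - 2, "body lines")
```

To use it on a real export, replace SAMPLE_METADATA with the contents of the downloaded file (or read it with open(...).read()) and run the script in the directory where you want slo.cert written. The strict decode and round-trip check are the part worth keeping even if you do the copy by hand: they catch a damaged certificate at creation time rather than leaving it to surface later as a failing signature verification on single-logout requests.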
- Click Save.
- Open the Metadata URL displayed on the screen.
- Copy your Identity Provider Single Logout URL as shown in the image below:
  - Go back to Salesforce and edit the SAML entry you set up using the Edit option.
  - Check the Single Logout Enabled checkbox.
  - Paste your Identity Provider Single Logout URL into the Identity Provider Single Logout URL field on the Salesforce page.
- Click Save. Done!
- After you complete the steps in the documentation, configure OAuth and REST integration between Okta and Salesforce. To do this, go back to Salesforce and search for App Manager in the Setup screen's search tab.
- Select New Connected App, give this connected app a name and fill in the contact details.
  - Tick the Enable OAuth Settings checkbox.
  - Paste https://system-admin.okta.com/admin/app/generic/oauth20redirect in the callback URL section.
- Add the following to the Selected OAuth Scopes:
  - Manage user data via APIs (api)
  - Perform requests at any time (refresh_token, offline_access)
- Select Require secret for Web server flow and Require secret for Refresh token flow; leave everything else as it is.
- Click Save; it may take about 10 minutes for the changes to take effect.
- Click Continue.
- Click Manage Consumer Details under the API (Enable OAuth Settings) section to view the connected app credentials. Copy the consumer key and secret shown on the next screen and store them somewhere safe.
- Click Manage at the top, then Edit Policies, and select Refresh token valid until revoked.
- Head to Okta and click Provisioning, then click Configure API Integration → Enable API Integration.
- Paste the Consumer key and secret that you saved previously (in the Manage Consumer Details step), then click Authenticate with Salesforce.com and click Allow. (If you're asked to log in, use your admin credentials. If it doesn't log in using test.salesforce.com, click Use Custom Domain and input your org domain; you will then be able to log in.)
- Click Save.
- Go back to the App Manager in Salesforce and select the View option for the created connected app. Select Manage → Edit Policies → check Enable user provisioning → click Save.
- Go back to Okta. Navigate to the Provisioning tab and click Edit. Enable Create Users and set the Salesforce Account ID of the ACM user's account. (You can get this by going to Salesforce → Accounts App → select the ACM user account to get the ID.) Enable Update user attributes and Deactivate Users.
- Click Save.
- Under Provisioning select To Okta and click Edit.
- Select the options shown in the image below and click Save.
After following these steps, the Okta SSO setup is complete. Now you must assign the app to users or groups based on your needs. Navigate to the Assignments tab and click Assign. Next, select either Assign to People or Assign to Groups and click Assign. On the next screen, assign the Profile to the user; multiple user configuration options are available. After filling in all the details, click Save.
To check whether the setup is successful, navigate back to the End-user dashboard in Okta. Click the Salesforce app tile and see if you can successfully log in to your community. If so, the setup was successful: you can manage the users in Okta, and your users can log in to your community through SSO.
— By Vikrant Kumar