Set up OKTA SSO for an Anypoint API Community

  • February 23, 2024

Okta is one of the most widely used identity providers (IdPs) on the market. An identity-as-a-service (IDaaS) platform, Okta provides centralized control over user authentication and authorization.

This article describes how to set up Okta Single Sign-On (SSO) for an API community built with MuleSoft’s API Community Manager (ACM) package, which runs on top of Salesforce.

Steps to configure the Okta SSO with the Anypoint API Community Manager

Prerequisites: The user configuring the SSO must have administrator rights for OKTA and Salesforce (ACM).

  1. Log in to your OKTA account. Navigate to the OKTA admin dashboard and select Applications under the Applications tab

    anypoint-okta-1.png

    anypoint-okta-2.png

  2. Select Browse App Catalog and choose Salesforce.com tile

    anypoint-okta-3.png

  3. Select the Add Integration option at the top-right corner of the page

    anypoint-okta-4.png

  4. Use an Application Label of your choice. (This example keeps the default Salesforce.com entry as is.) Select the environment from the picklist for which the SSO is being set up. (This example uses the Production option.)

    anypoint-okta-5.png

  5. In the custom domain tab, provide the Salesforce Cloud custom domain of the organization (if the link for the Salesforce Cloud is https://xyz.my.salesforce.com/, then the custom domain will be ‘xyz’)

    To see your domain, navigate to the Setup page in Salesforce, search for My Domain in the Search tab and you’ll see the domain of your Salesforce instance.
  6. Select the profile Salesforce Community user — you can ignore the rest of the options available — click Next

    anypoint-okta-6.png

  7. On the next page, select SAML 2.0 as the SSO method
  8. Be sure Enable Single logout is enabled. Click the View Setup Instructions button; a tab containing the next steps for the configuration will open

    anypoint-okta-7.png

    anypoint-okta-8.png

    (After clicking the option, a new window will open that contains a detailed description of the next steps for configuring the SSO.)
    • Log in to your Salesforce instance with the same credentials (that of an administrator) used for User Management settings in Okta
    • Click on the gear icon in the top right corner, then navigate to Setup → Identity → Single Sign-On Settings

      anypoint-okta-9.png

    • Once the Single Sign-On Settings page is open in Salesforce, click Edit

      anypoint-okta-10.png

    • Check the SAML Enabled box option to enable SAML Single Sign-On use, then click Save — as shown in the image below:

      anypoint-okta-11.png

    • You’ll be redirected to the previous screen; click the New button

      anypoint-okta-12.png

    • Enter the following — unless otherwise noted, leave the default values as they are:
      • Name: Enter an identification name of your choice
      • SAML version: This should be set to 2.0, as this is the required configuration (this option should be the default)
      • Issuer: Copy and paste the issuer value from the tab opened in the previous step (through the Okta page): [Your issuer here]
      • Identity Provider Certificate: Download the certificate from the previously opened tab and upload it into this field: [Your certificate file here]
      • Identity Provider Login URL: Copy the value from the tab opened in the previous step: [Your URL here]
        This URL is used to authenticate your users when they attempt to log in directly to Salesforce. It is required if you want to enable SP-initiated SAML authentication.
      • Custom Logout URL: This field is optional; copy and paste the logout URL from the tab that opens: [Your URL here]
      • API Name: Give an API name of your choice, according to your needs
      • Entity ID: If you already have your custom domain set up with Salesforce, use https://{yourCustomDomain}.my.salesforce.com
        Note: If a sandbox environment has been set up, you shouldn’t include .sandbox in the custom domain field
        If you don’t have a custom domain set up, use https://saml.salesforce.com
    • Click Save

      anypoint-okta-13.png

    • Click For Communities and follow the steps below:
      • Save the Login URL value
      • Save the Logout URL value
      • Click Download Metadata

      anypoint-okta-14.png

    • Navigate back to Okta:
      • Go to the Advanced Sign-on Settings section and enter the Login URL value you copied in the step above into the corresponding field
      • Enter the Logout URL value you copied in the step above into the corresponding field
      • Check the Enable Single Logout option
      • Open the metadata file you downloaded from Salesforce in the step above, copy the ds:X509Certificate value — as shown in the image below — and paste it into a plain-text editor (such as Notepad)

        anypoint-okta-15.png

      • In the text editor, add the first of the following lines before the copied data and the second after it:

        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----

        The file being created should look similar to this:

        -----BEGIN CERTIFICATE-----
        Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        -----END CERTIFICATE-----

      • Save the file as slo.cert (this creates a PEM-encoded certificate file) and upload it to the Signature Certificate field using the Upload option.
      • Click Save

        anypoint-okta-16.png

      • Open the Metadata URL displayed on the screen:

        anypoint-okta-17.png

        • Copy your Identity Provider Single Logout URL as shown in the image below:

          anypoint-okta-18.png

        • Go back to Salesforce and edit the SAML entry you set up using the Edit option
        • Check the Single Logout Enabled checkbox
        • Paste your Identity Provider Single Logout URL into the Identity Provider Single Logout URL field on Salesforce page
        • Click Save

          anypoint-okta-19.png

        Done!

  9. After you complete the steps in the documentation, configure the OAuth and REST integration between Okta and Salesforce. To do this, go back to Salesforce and search for App Manager in the Setup screen’s search tab
  10. Select New Connected App and give this connected app a name and fill in the contact details

    anypoint-okta-20.png

  11. Tick the Enable OAuth Settings checkbox
  12. Paste https://system-admin.okta.com/admin/app/generic/oauth20redirect in the callback URL section
  13. Add the following to the Selected OAuth Scopes:
    • Manage user data via APIs (api)
    • Perform requests at any time (refresh_token, offline_access)

    anypoint-okta-21.png

  14. Select Require secret for Web server flow and Require secret for Refresh token flow; everything else remains the same
  15. Click Save; it may take about 10 minutes for the changes to reflect
  16. Click Continue
  17. Click Manage Consumer Details under the API (Enable OAuth Settings) section to save the connected app credentials. Copy the consumer key and secret shown on the next screen and save them somewhere safe.

    anypoint-okta-22.png

  18. Click Manage at the top, then Edit Policies, and select Refresh token is valid until revoked
  19. Head back to Okta and click Provisioning, then click Configure API Integration → Enable API Integration

    anypoint-okta-23.png

  20. Paste the Consumer key and secret that you previously saved (step 17), then click Authenticate with Salesforce.com and click Allow

    (If you’re asked to log in, use your admin credentials. If it doesn’t log in using test.salesforce.com, then click Use Custom Domain and input your org domain. You’ll be able to log in.)
  21. Click Save

    anypoint-okta-24.png

    anypoint-okta-25.png

  22. Go back to the App Manager in Salesforce and select the View option for the created connected app. Select Manage → Edit Policies → check Enable user provisioning → click Save

    anypoint-okta-26.png

  23. Go back to OKTA. Navigate to the Provisioning tab and click Edit. Enable Create Users and set the Salesforce Account ID of the ACM user’s account.
    (You can get this by going to Salesforce → Accounts App → Select the ACM user account to get the ID.)

    anypoint-okta-27.png

  24. Enable Update user attributes and Deactivate Users

    anypoint-okta-28.png

  25. Click Save
  26. Under Provisioning select To Okta and click Edit
  27. Select the options shown in the image below and click Save

    anypoint-okta-29.png
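Step 8 has you hand-copy the ds:X509Certificate value out of the downloaded Salesforce metadata and wrap it in PEM armour to produce slo.cert. The script below does that extraction automatically and sanity-checks the result; it is an added example, not code from the article, Okta or Salesforce, and the metadata document and certificate bytes in it are constructed placeholders (a real Salesforce export has the same md:/ds: structure but a genuine certificate).

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 metadata and XML Signature (the article's ds: prefix).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def extract_signing_certificate(metadata_xml: str) -> str:
    """Return the base64 DER of the SP *signing* certificate in SAML metadata."""
    root = ET.fromstring(metadata_xml)
    chosen = None
    # Metadata may list several KeyDescriptors; Okta's Signature Certificate field
    # needs the signing key: prefer use="signing", accept one with no use attribute.
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") == "signing":
            chosen = kd
            break
        if kd.get("use") is None and chosen is None:
            chosen = kd
    if chosen is None:
        raise ValueError("no signing KeyDescriptor in metadata")
    cert = chosen.find(".//ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("KeyDescriptor has no ds:X509Certificate")
    return "".join(cert.text.split())  # drop line breaks and indentation


def to_pem(b64_der: str) -> str:
    """Wrap base64 DER in PEM armour with 64-character lines, as slo.cert needs."""
    der = base64.b64decode(b64_der, validate=True)  # rejects stray characters
    if not der or der[0] != 0x30:  # DER certificates start with an ASN.1 SEQUENCE tag
        raise ValueError("value does not decode to a DER certificate")
    body = "\n".join(b64_der[i:i + 64] for i in range(0, len(b64_der), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_slo_cert(metadata_xml: str) -> str:
    return to_pem(extract_signing_certificate(metadata_xml))


# Constructed sample: DER-looking bytes (NOT a real certificate) plus an encryption key to skip.
SAMPLE_B64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(range(100))).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example.my.salesforce.com"><md:SPSSODescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {SAMPLE_B64[:60]}
    {SAMPLE_B64[60:]}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:SPSSODescriptor></md:EntityDescriptor>"""
```

Write the return value of build_slo_cert(...) to slo.cert and upload that file; if the function raises, the copied value was not the signing certificate or picked up stray characters.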

After following these steps, the Okta SSO setup is complete. Now you must assign the app to users or groups based on your needs. Navigate to the Assignments tab and click Assign. Next, select either Assign to People or Assign to Groups and click Assign. On the next screen, assign the Profile to the user. Multiple user configuration options are available. After filling in all the details, click Save.

To check whether the setup is successful, navigate back to the End-User Dashboard in Okta. Click the Salesforce app tile and see if you can successfully log in to your community. If you can, the setup was successful: you can manage the users in Okta, and your users can log in to your community with SSO.

— By Vikrant Kumar