How to use the SAML module with IDP Okta.

QUANG NHAT TRAN
Published in Mendix Community
5 min read, Nov 5, 2020

An Identity Provider (IdP) is a system entity that creates, maintains, and manages identity information, normally for user authentication. IdPs are used more and more often because they let external users authenticate without any dependency on LDAP authentication.

There are many open-source IdPs that you can try, such as Shibboleth, Keycloak, and more. However, I decided to use the Okta developer environment because it is easy to use and does not require configuring as many settings.

Let’s take a look at the SAML protocol in an overview picture below.

I start with Mendix 8.15, using a blank web application template. Next, I install two modules: MxModelReflection and SAML 2.0.

Next, I set the security level to Production.

Also I give the Administrator user role access to the SAML module’s administrator role.

Now I configure my first module with two user roles.

I also set the app constant DefaultLoginPage in the SAML module to login.html.

In the navigation menu, I give the Administrator access to the MxModelReflection and SAML module overview pages, and also to the page for managing user accounts.

Now I have to run my app locally and sync the reflection data for all modules.

Back to the SAML page, I configure it as shown below.

After completing the settings for SAML, I click "Download SP Metadata" to get the XML file, which also contains your SP ID.

The SSO information below is important, because it has to be entered on the Okta side.

At this point, I have the SP ID and the SSO assertion URL.

Let's go to Okta for the configuration. Make sure that the Okta developer UI is set to Classic UI mode.

Now I am able to create a new web application with the SAML protocol in Okta.

Your SP ID is required in the section below.

The section below holds the assertion data that lets the IdP create a user account inside your app's $Account or $User entity after a successful login.

When the setup is finished, I am taken to this page. From here, I can see the identity provider's metadata for SSO.

The format would be like this.

We need to use this URL inside the Mendix application to set up an IDP Configuration within the SAML module.

Now let’s move on to the Mendix application.

The alias name is important and should be unique. There is no validation on this field, so just remember that it must not be duplicated.

For the "Request Authn Context" tab, I configure it as below.

At the "Provisioning" tab, the settings should look like this.

For the mapping tab, you should create a field that is able to match the Okta IdP attributes.

This is all for the IDP configuration in Mendix.

Go back to the Okta application and assign the application to groups or users.

Now let’s test the application.

My Mendix app has no user logins yet.

Log in to the Okta dashboard as the user you assigned in the previous step.

Click on the PoC app.

This error occurs because of a missing ID. Click "Try again".

You are in.

Now, back in the Okta web UI, we need to fix the missing ID.

You need to add the alias name to the default SSO login URL in the Okta application; the format should be /SSO/login/{aliasname}.

Then try again.

From the publisher:

If you enjoyed this article you can find more like it at our medium page or at our own community blog site.

For the makers looking to get started, you can sign up for a Free account, and get instant access to learning with our academy.

Interested in getting more involved with our community? You can join us in our slack community channel or for those who want to be more involved, look into joining one of our meet-ups.

Certified Mendix Expert MVP, Data Scientist, and Technical Practitioner @ TBN Software