Setting Up Single Sign-On (SSO) for Choreo Using Okta
Rafi Chowdhury
Business Analyst | IAM | Okta Certified Professional | Google Analytics 4 Certified | SailPoint | SSO | MFA | Agile & SDLC | Project Management | API Integrations | Data Analytics | Power BI | Tableau | SQL | CRM
In today’s digital world, juggling multiple usernames and passwords across different platforms can be a major headache. That’s where Single Sign-On (SSO) steps in as a game-changing solution, simplifying user authentication while boosting security. With SSO, users can access multiple applications using just one set of login credentials, making things more convenient and lowering the risk of password-related issues.
In this blog post, we’ll explore how to set up Okta as the Identity Provider (IdP) to enable seamless access to Choreo. I’ll walk you through a step-by-step process on how to configure SSO between Choreo and Okta, helping you create a smoother and more efficient user experience.
Prerequisites:
Configuring Choreo with Okta
Step 1 — Enable Enterprise Login
To start setting up Single Sign-On (SSO), first, enable the enterprise login feature in Choreo. This process is detailed in the documentation [2]. Contact the Customer Support (CS) team to activate this feature, and they will assist you with domain ownership validation and activation.
Identity settings for Choreo are managed through the Asgardeo console (https://console.asgardeo.io/), WSO2's IDaaS solution. After creating an organization in Choreo, a corresponding Asgardeo organization is automatically set up. When you log into the Asgardeo console, you will see an Asgardeo organization with the same handle.
Once enterprise login is enabled, you will find an application named WSO2_LOGIN_FOR_CHOREO_CONSOLE in the Asgardeo portal.
Step 2 — Setting Up Okta
Create an Okta account following the steps outlined in [3]. For this guide, I’m using an Okta developer account, which offers the necessary functionality. Once your Okta account is set up, proceed with the following steps.
1. Start by creating an Application in your Okta account (Applications → Create App Integration). Depending on your integration needs with Choreo, you can choose either OIDC or SAML; this example uses OIDC. Select Web Application as the application type.
2. On the next screen, give the application a meaningful name and enter the Sign-in redirect URIs in the following format:
Replace <asgardeo_organization_name> with the organization name shown in the Asgardeo console. Okta only redirects back to URIs registered here, so the value must match the callback Asgardeo uses character for character (scheme, host and path).
3. Scroll down to the “Assignments” section in the application creation window. Configure user access based on your specific needs. For example, I’ve created a user group called “choreo_admin” and am selecting this group to restrict access to users within it. Alternatively, you can select multiple groups or choose the “Allow everyone in your organization to access” option, depending on your requirements.
You can create users and assign them to groups from the Okta console (Directory → People, Directory → Groups).
4. After saving the application, Okta shows a Client ID and a Client Secret. These are the credentials Asgardeo uses to authenticate to Okta once you register the IdP in Step 3. Treat the secret like a password: enter it only in the Asgardeo console, do not commit it or paste it into tickets, and rotate it in Okta if it is ever exposed.
5. Configure the groups scope and claim on the default Authorization Server.
The IdP must return the user's group membership so that Asgardeo can map it to a Choreo role (Step 5); the role determines the permissions the user gets in Choreo. For background, see the forum discussion in [8].
In the Okta console go to Security → API, open the default authorization server and, in the Scopes tab, add a scope named groups and save it.
Then open the Claims tab and add a claim: name it groups, include it in the ID token, set the value type to Groups, choose a filter that selects the groups to release (a regex restricted to your Choreo groups, for example those starting with choreo_, discloses less to Asgardeo than a catch-all .* filter), and include it in the groups scope you just created. Save the claim.
Step 3 — Register OpenID Connect identity provider in Asgardeo Console
Refer to the “Register the OIDC IdP” section of the documentation [4] for more details on this step.
1. Go to the Asgardeo Console, open the Connections tab, click Create Connection and select Standard-Based IdP. Enter a unique name for the identity provider, choose OpenID Connect and click Next.
2. Provide the details of the Okta OIDC application you configured earlier and click Next. To find your Okta domain, log in to the Okta admin portal; the URL has the following form, and the domain is the host part. If the admin console host carries an -admin suffix, drop it: the value you need is the host Okta uses as issuer (https://<yourOktaDomain>/oauth2/default).
https://<yourOktaDomain>/admin/dashboard
3. Client ID and Client secret are the values obtained when you created the application in Step 2 (Setting Up Okta).
4. Authorization endpoint and token endpoint of the default authorization server:
https://<yourOktaDomain>/oauth2/default/v1/authorize
https://<yourOktaDomain>/oauth2/default/v1/token
5. Provide the mode of certificate configuration. Use the JWKS endpoint, which has the following format [7]. Asgardeo fetches Okta's signing keys from this URL to verify the signature on every ID token, so it must belong to the same authorization server (/oauth2/default) as the endpoints above.
https://<yourOktaDomain>/oauth2/default/v1/keys
6. Click Finish to complete the registration.
7. In the connection's Settings tab, confirm that the values you entered were saved.
8. Update the connection.
Step 4 — Configure Asgardeo Application
In the Asgardeo console (https://console.asgardeo.io/), navigate to the WSO2_LOGIN_FOR_CHOREO_CONSOLE application created by the Choreo team when enterprise login was enabled.
1. Configure User Attributes
Ensure the following attributes are configured:
- Groups, Profile → First Name, and Profile → Last Name should be set as “Requested” attributes.
- Email should be set as a “Mandatory” attribute.
2. Configure a Sign-In Method
Navigate to the Sign-in Method tab in the WSO2_LOGIN_FOR_CHOREO_CONSOLE application. Select the Default Login option, which will take you to a view where you can see Username and Password as authentication options.
If needed, you can offer multiple login options. To switch the console to Okta, remove the Username and Password option, click Add Authentication and select the Okta connection you registered in Step 3. Before removing Username and Password, make sure at least one Okta user belongs to a group that will be mapped to an administrator role in Step 5; otherwise nobody can reach the organization settings to correct the configuration.
3. Once all modifications are made, finalize the configuration by clicking the Update button.
4. Next, go to Attribute Management → Scopes → OpenID and add the attributes: email, groups, given_name, and family_name.
Step 5 — Configure Choreo Platform
Permissions in Choreo come from roles, and each role carries a fixed set of permissions. The groups that Okta releases in the groups claim have to be matched to those roles.
1. In the Choreo Console (https://console.choreo.dev/), go to the Organization Settings page.
2. Open the Role Mapping tab and click Add Mapping.
3. Map each Okta group to a Choreo role. Map only the groups that need access, and give each one the least-privileged role its members require. The group name must match the value Okta emits in the groups claim exactly.
Login to Choreo Console
You can now test the login flow you've configured by following these steps:
1. Log out of the Choreo console.
2. Select Sign in with Enterprise ID as the login option.
3. Enter your email address (the user must exist in Okta and be assigned to the application, directly or through a group, as in Step 2).
4. You will be redirected to the Okta login page. Enter your username and password.
After completing these steps, you should be able to successfully log in to the Choreo Console.
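As an added example that ties the pieces together (this is not code from the original post, nor from Okta, Asgardeo or Choreo), the Python script below does offline what the login test above does interactively: it decodes an Okta ID token, checks issuer, audience and expiry, verifies that the claims required in Step 4 are present (email mandatory; groups, given_name and family_name requested), and maps the groups claim from Step 2 to Choreo roles as in Step 5. The Okta domain, client ID, group names and role names are placeholders, and the sample token is constructed and unsigned purely so the checks run without network access. Signature verification against the JWKS endpoint from Step 3 is done by Asgardeo and is deliberately not reimplemented here.

```python
"""Offline sanity check for the Okta -> Asgardeo -> Choreo federation.

Added example, not code from the original post or from Okta/Asgardeo/Choreo.
Every domain, client ID, group and role name below is a placeholder.
"""
import base64
import json
import time

OKTA_DOMAIN = "dev-123456.okta.com"                       # placeholder
EXPECTED_ISSUER = f"https://{OKTA_DOMAIN}/oauth2/default"  # default auth server
EXPECTED_AUDIENCE = "0oa_placeholder_client_id"           # Client ID from Step 2

# Step 4: email is mandatory, the others are "requested".
MANDATORY_CLAIMS = ("email",)
REQUESTED_CLAIMS = ("groups", "given_name", "family_name")

# Step 5: Okta group -> Choreo role (placeholder names).
GROUP_TO_ROLE = {
    "choreo_admin": "Admin",
    "choreo_developer": "Developer",
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(id_token):
    """Return the payload of a compact JWT. No signature check here: Asgardeo
    verifies RS256 signatures against the JWKS endpoint; this only inspects."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, now=None):
    """Return (problems, missing_requested). Any entry in `problems` means the
    token must be rejected; missing requested claims only degrade the profile."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token was not issued for our client ID")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or has no exp")
    for name in MANDATORY_CLAIMS:
        if not claims.get(name):
            problems.append(f"mandatory claim {name!r} missing")
    missing = [name for name in REQUESTED_CLAIMS if name not in claims]
    return problems, missing


def map_roles(groups):
    """Least privilege: only explicitly mapped groups grant a role; anything
    else (e.g. Okta's built-in 'Everyone') grants nothing."""
    return sorted({GROUP_TO_ROLE[g] for g in groups or [] if g in GROUP_TO_ROLE})


def evaluate(id_token, now=None):
    """Decode, check and map one ID token; roles are empty if any check fails."""
    claims = decode_claims(id_token)
    problems, missing = check_claims(claims, now)
    roles = [] if problems else map_roles(claims.get("groups"))
    return {"problems": problems, "missing_requested": missing, "roles": roles}


def make_unsigned_token(claims):
    """Constructed, unsigned (alg none) token so the checks run offline.
    Never accept alg=none from a real IdP."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample claims resembling what Okta returns once the groups
# scope/claim (Step 2) and the OpenID attributes (Step 4) are configured.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "00u_placeholder",
    "email": "alice@example.com", "given_name": "Alice", "family_name": "Example",
    "groups": ["Everyone", "choreo_admin"],
    "iat": 1_700_000_000, "exp": 1_700_003_600,
}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print(evaluate(token, now=1_700_000_100))
    # Same token without the groups claim: the login works but no role maps.
    no_groups = {k: v for k, v in SAMPLE_CLAIMS.items() if k != "groups"}
    print(evaluate(make_unsigned_token(no_groups), now=1_700_000_100))
```

To use it against your own tenant, obtain a real ID token from the Okta token endpoint for a test user and pass it to evaluate() in place of the constructed one. If groups comes back under missing_requested, the scope or claim from Step 2 is not being released to this application; if a user lands with an empty roles list, either the group is not in the claim filter or it is not mapped in Step 5.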
IAM Engineer IAM | Okta | Sailpoint | SSO | OIDC | SAML |
6 months ago: Amazing! Keep up the good work!