Author: Vikas Parikh
Objective
Once MuleSoft RTF (Run Time Fabric) is installed on the underlying infrastructure (AWS/ Azure/ Customer Hosted environment), Ops Center is accessible through the admin credential available in the logs. However, the same credentials need to be shared to the entire team. This could be a security issue, hence what is required is an integration with IDM (such as OKTA) so that every team member can sign into the Ops Center with their specific credentials.
For the context of this document, we would install RTF onto AWS environment.
Prerequisite
- RTF installed on the AWS as per the guide: RTF installation for AWS
Okta Integration
- Proposed integration is SSO with SAML
Okta Set up
Group Set up
- Sign into Okta instance
- Navigate to Users → Groups
- Create a group named ‘admin’
- Allocate the required people to the ‘admin’ group
SAML Application Set up
- Switch to Classic UI dashboard
- Click ‘Add Applications’ on the right
- Click ‘Create New App’ on the right
- Select ‘Web’ Platform and ‘SAML 2.0’ Sign on Method as below:
- Click Create
- General Settings:
a)App Name: apisero-rtf-ops-center
b) App logo: Mulesoft logo
c) App Visibility: Private
These are Service Provider (SP) Initiated SAML SSO integration only. They could not be initiated from Identity Provider (IDP). No need to have apps icon in the user home screen of Okta.
Click on ‘Next’
- Configure SAML:
a) Single Sign On URL: https://<rtf_controller_public_dns>:32009/portalapi/v1/saml/callback
b) SP Entity ID:
c) Name ID Format: Unspecified
d) Application username: Email
e) Authentication context class: Unspecified
f) Groups Attribute Statements
Name: groups
Name Format: Unspecified
Filter: Matches regex
Value: admin
Click on ‘Next’
- Configure Feedback:
Click – ‘I’m a software vendor’
Click ‘Finish’
- An ‘apisero-rtf-ops-center’ app is configured as below:
- Navigate to Sign On → Sign On Methods → View Setup Instructions
- Okta SAML app configuration values are displayed, which are to be configured at the SP (Service Provider – Ops Center) end
a) SSO URL
b) Issuer
c) X.509 certificate (with which Assertion token is signed)
- Navigate to ‘Assignments’ under the app and click ‘Groups’
- Click ‘Assign’ and assign the admin group to the app
Ops Center Set up
- Login to Ops Center as per earlier Step #6
- Navigate to user name → settings
- Click ‘Auth Connectors’ and then ‘+ Create’
- Apply below connector configuration
kind: saml
version: v2
metadata:
name: Okta
spec:
acs: "https://<rtf_controller_public_dns_ip>:32009/portalapi/v1/saml/callback"
attributes_to_roles:
- {name: "groups", value: "admin", roles: ["@teleadmin"]}
display: Okta
issuer: "Okta issuer url extracted from Okta SAML Application Set up"
sso: "Okta sso url extracted from Okta SAML Application Set up"
cert: |
-----BEGIN CERTIFICATE-----
<info extracted from Okta SAML Application Set up>
-----END CERTIFICATE-----
- Only those Okta users which belong to admin group in Okta, will be able to sign into the Ops Center and they will be provisioned a role of @teleadmin
- Click ‘Save’
- Click Log out
Login with Okta
- Go to login page of the Ops Center
- ‘Login with Okta’ Button would now appear on the sign on screen
- Click ‘Login with Okta’
- You will be redirected to Okta login screen
- Provide valid Okta user credentials and click ‘Sign In’
- Ops Center dashboard appears with Okta user logged in email ID
- Okta integration concludes here
- Optionally, you can delete the ‘default’ admin user (as part of RTF installation set up) by navigating to user → settings → Users -> admin@runtime-fabric -> Actions -> Delete
With this, you will not be able to login to Ops Center with standard user.
The only login option would be to login with Okta.