These instructions walk through setting up SAML-based SSO for the Tyk Dashboard using the internal Tyk Identity Broker (TIB) and Okta as the IdP.
Requirements
- An Okta developer account
Configure Tyk Internal TIB
On the Tyk Dashboard, go to Identity Management and click Create Profile. On the Create New Profile page, switch to the Raw Editor and remove all of the JSON.
Below is an example of a working profile configuration to base your own TIB profile on.
- Copy and paste it into Raw Settings, then change every value that references your environment: ID, OrgID, URLs, certificate ID, dashboard credentials, etc.
Raw Settings (the "ID" value is the application ID; it forms part of the SSO login URL)
{
  "ID": "saml-sso-dash",
  "Name": "",
  "OrgID": "612fc4695653740001a14f9b",
  "ActionType": "GenerateOrLoginUserProfile",
  "MatchedPolicyID": "",
  "Type": "redirect",
  "ProviderName": "SAMLProvider",
  "CustomEmailField": "",
  "CustomUserIDField": "",
  "ProviderConfig": {
    "CertLocation": "Your cert ID",
    "FailureRedirect": "https://immense-injoke-adm.aws-usw2.cloud-ara.tyk.io/?fail=true",
    "ForceAuthentication": false,
    "IDPMetaDataURL": "https://dev-34708156.okta.com/app/exk2vs2vm01oU4SFj5d7/sso/saml/metadata",
    "SAMLBaseURL": "https://immense-injoke-adm.aws-usw2.cloud-ara.tyk.io",
    "SAMLEmailClaim": "NameID",
    "SAMLForenameClaim": "Fname",
    "SAMLSurnameClaim": "Lname"
  },
  "IdentityHandlerConfig": {
    "DashboardCredential": "Your dashboard credentials"
  },
  "ProviderConstraints": {
    "Domain": "",
    "Group": ""
  },
  "ReturnURL": "https://immense-injoke-adm.aws-usw2.cloud-ara.tyk.io/tap",
  "DefaultUserGroupID": "",
  "CustomUserGroupField": "",
  "UserGroupMapping": {}
}
Note: CertLocation is the certificate ID generated when you upload a certificate under Tyk Dashboard -> Certificates. Before uploading, the certificate and its private key must be concatenated into a single PEM file (certificate first, then the key). The example below generates a self-signed certificate and unencrypted key (-nodes) and combines them; note that the combined file contains the private key, so treat it accordingly and do not leave it lying around after the upload.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
cat cert.pem key.pem > combine_cert.pem
See the video for instructions on how to upload a certificate to the Tyk Dashboard and apply it to the TIB profile.
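Most problems with a hand-edited TIB profile are placeholders left in, a ReturnURL on a different host than SAMLBaseURL, a metadata URL that is not HTTPS, or claim names that do not match what the IdP actually sends. The script below is an added example (not Tyk's code) that loads the profile JSON above and reports those findings, and prints the SSO login URL the profile will answer on. OKTA_ATTRIBUTES is an assumption standing in for the attribute statement names you configure in the Okta application; the profile text is the one from this article, placeholders intact.

```python
"""Sanity-check a TIB SAML profile before saving it (added example, not Tyk's code)."""
import json
from urllib.parse import urlparse

# Profile as shown in this article, placeholders intact.
PROFILE_JSON = r'''
{
  "ID": "saml-sso-dash",
  "Name": "",
  "OrgID": "612fc4695653740001a14f9b",
  "ActionType": "GenerateOrLoginUserProfile",
  "MatchedPolicyID": "",
  "Type": "redirect",
  "ProviderName": "SAMLProvider",
  "CustomEmailField": "",
  "CustomUserIDField": "",
  "ProviderConfig": {
    "CertLocation": "Your cert ID",
    "FailureRedirect": "https://immense-injoke-adm.aws-usw2.cloud-ara.tyk.io/?fail=true",
    "ForceAuthentication": false,
    "IDPMetaDataURL": "https://dev-34708156.okta.com/app/exk2vs2vm01oU4SFj5d7/sso/saml/metadata",
    "SAMLBaseURL": "https://immense-injoke-adm.aws-usw2.cloud-ara.tyk.io",
    "SAMLEmailClaim": "NameID",
    "SAMLForenameClaim": "Fname",
    "SAMLSurnameClaim": "Lname"
  },
  "IdentityHandlerConfig": {"DashboardCredential": "Your dashboard credentials"},
  "ProviderConstraints": {"Domain": "", "Group": ""},
  "ReturnURL": "https://immense-injoke-adm.aws-usw2.cloud-ara.tyk.io/tap",
  "DefaultUserGroupID": "",
  "CustomUserGroupField": "",
  "UserGroupMapping": {}
}
'''

# Assumption: the attribute statement names configured in the Okta application.
OKTA_ATTRIBUTES = {"Email", "Fname", "Lname"}

# Values that mean "you have not filled this in yet".
PLACEHOLDERS = {"", "Your cert ID", "Your dashboard credentials"}


def _origin(url):
    p = urlparse(url)
    return (p.scheme.lower(), p.netloc.lower())


def login_url(profile):
    """URL that starts SSO for this profile: <SAMLBaseURL>/auth/<ID>/<ProviderName>."""
    base = profile["ProviderConfig"]["SAMLBaseURL"].rstrip("/")
    return f"{base}/auth/{profile['ID']}/{profile['ProviderName']}"


def check_profile(profile, idp_attributes):
    """Return a list of findings; an empty list means the profile looks consistent."""
    findings = []
    cfg = profile["ProviderConfig"]

    if not profile.get("ID"):
        findings.append("ID is empty; it forms part of the /auth/<ID>/... login URL")
    if profile.get("ProviderName") != "SAMLProvider":
        findings.append("ProviderName must be SAMLProvider for a SAML profile")

    if cfg.get("CertLocation") in PLACEHOLDERS:
        findings.append("CertLocation still holds a placeholder; use the ID from Dashboard -> Certificates")
    if profile["IdentityHandlerConfig"].get("DashboardCredential") in PLACEHOLDERS:
        findings.append("DashboardCredential still holds a placeholder")

    # Metadata carries the IdP signing certificate: fetching it in clear lets an
    # on-path attacker substitute their own certificate and forge assertions.
    if _origin(cfg["IDPMetaDataURL"])[0] != "https":
        findings.append("IDPMetaDataURL is not https")
    if _origin(profile["ReturnURL"]) != _origin(cfg["SAMLBaseURL"]):
        findings.append("ReturnURL is on a different origin than SAMLBaseURL")

    # Claim names must match the IdP's attribute statements exactly; the email
    # may alternatively come from the assertion's NameID.
    for key in ("SAMLForenameClaim", "SAMLSurnameClaim"):
        if cfg[key] not in idp_attributes:
            findings.append(f"{key}={cfg[key]!r} is not an attribute statement the IdP sends")
    email = cfg["SAMLEmailClaim"]
    if email != "NameID" and email not in idp_attributes:
        findings.append(f"SAMLEmailClaim={email!r} is neither NameID nor an IdP attribute statement")
    return findings


def check_page_profile(idp_attributes=OKTA_ATTRIBUTES):
    return check_profile(json.loads(PROFILE_JSON), idp_attributes)


def page_login_url():
    return login_url(json.loads(PROFILE_JSON))


if __name__ == "__main__":
    print("login URL:", page_login_url())
    for finding in check_page_profile():
        print("-", finding)
```

Run against the article's profile it reports exactly the two placeholders (CertLocation and DashboardCredential); once those are replaced with your real values it should report nothing, and the printed login URL is the one to use in the final test step.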
Configuring Okta
Step: 1
- Once signed in to Okta with your developer account, go to Applications and click Create App Integration.
- Select SAML 2.0 and click Next.
- In General Settings, enter an App name and click Next.
Step: 2 - Configure SAML
In SAML Settings, use the example below to fill the required fields with your Tyk Dashboard URLs.
Next, mirror the ATTRIBUTE STATEMENTS below; their names must match the claim fields in the Tyk TIB profile exactly (see the profile above):
SAMLEmailClaim -> Email
SAMLForenameClaim -> Fname
SAMLSurnameClaim -> Lname
Note that the profile above sets SAMLEmailClaim to NameID rather than Email. With that setting TIB reads the user's email from the assertion's NameID, so the Okta application's Name ID must be the user's email address. If you add an Email attribute statement as listed here instead, set SAMLEmailClaim to "Email" in the profile; either way, the profile and the Okta attribute statements must agree.
Once you have finished configuring Okta SAML, click Next.
Note: For more information on SAML and these fields, please refer to Link
Step: 3 - Feedback
Click Finish.
After creating the Okta SAML application, open the Sign On tab and click the Identity Provider metadata link.
Copy the URL from the browser's address bar into the IDPMetaDataURL field of the Tyk TIB profile.
Finally, test SSO by browsing to the profile's login URL, which has the form:
https://<your dashboard URL>/auth/<your profile ID>/SAMLProvider
For the example profile above that is:
https://immense-injoke-adm.aws-usw2.cloud-ara.tyk.io/auth/saml-sso-dash/SAMLProvider