Integrating PicketLink with OKTA for SAML based SSO

JBoss Application Server ships with the PicketLink module for enabling SAML based SSO. PicketLink is an open source module and is SAML v2.0 compliant; for more information about PicketLink please visit picketlink.org.

The requirement here is to enable SAML based SSO in JBoss Application Server with OKTA as the IDP.

Before we start, you need an OKTA organization; a free developer organization can be created here.

If you already have an OKTA organization, set up a SAML application by following the steps below.

  1. Log in to your OKTA organization and click on “Admin”.
  2. Click on Applications.
  3. Add a new application.
  4. Create a new application.
  5. Keep the Platform as Web, select the sign-on method as SAML 2.0, and click on Create.
  6. Give your application a name and click on Next.
  7. In this section, you need to do your SAML configuration.
  8. Note: Here we are not using any advanced settings; if you want your assertion to be signed and encrypted, you can check the advanced settings.
  9. Once done, click on Finish. For more information, you can refer to the OKTA documentation.
  10. Coming to the PicketLink configuration, you have to know your SP and IDP URLs; you can find your IDP URL in OKTA by following the steps below.
    • Navigate to your newly created application.
    • Navigate to the “Sign On” tab and click “View Setup Instruction”; there you will find the “Identity Provider Single Sign-On URL”.
  11. On the JBoss Application Server side, you can try with this application; here you just need to change the IDP URL in picketlink.xml to the OKTA URL you received in the previous step, and you also need to change the SP URL (https://localhost:8443/picketlink-enc/). Make sure that the context-root is set to “picketlink-enc” in jboss-web.xml.
  12. To log in to the application, you need to assign users in OKTA to the application you have created.
  13. Now you can access your application (https://localhost:8443/picketlink-enc/), authenticating via OKTA.
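A picketlink.xml for the SP side, corresponding to steps 10 and 11, as an added example that is not part of the original post or of the PicketLink quickstart it links to: it follows the PicketLink 2.1 SP configuration schema, the ServiceURL is the SP URL from step 11, and the OKTA host name, the IDP URL path, the keystore path, the passwords and the key aliases are placeholders that you replace with your own values. It also turns on signature validation, so that the SP only accepts assertions signed by the certificate OKTA publishes on the “Sign On” tab (that certificate is imported into the keystore under the alias named in ValidatingAlias).

```xml
<!-- picketlink.xml (SP side), placed in WEB-INF of the picketlink-enc web application.
     Every host name, path, password and alias below is a placeholder (assumption), not a real value. -->
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                ServerEnvironment="jboss"
                BindingType="POST"
                SupportsSignatures="true">

    <!-- Step 10: the "Identity Provider Single Sign-On URL" copied from OKTA's
         "View Setup Instruction" page. Host and path here are placeholders. -->
    <IdentityURL>https://YOUR-ORG.okta.com/app/YOUR-APP-ID/sso/saml</IdentityURL>

    <!-- Step 11: the SP URL. It must match the context-root "picketlink-enc" in
         jboss-web.xml and the SP URL you gave OKTA in step 7. -->
    <ServiceURL>https://localhost:8443/picketlink-enc/</ServiceURL>

    <!-- Keystore holding the SP's own signing key and the OKTA signing certificate.
         ValidatingAlias maps the IDP host (the host part of IdentityURL) to the alias
         under which the OKTA certificate was imported, so that an unsigned assertion,
         or one signed by any other key, is rejected. Placeholders throughout. -->
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/sp-keystore.jks" />
      <Auth Key="KeyStorePass" Value="CHANGE-ME" />
      <Auth Key="SigningKeyPass" Value="CHANGE-ME" />
      <Auth Key="SigningKeyAlias" Value="sp-signing-key" />
      <ValidatingAlias Key="YOUR-ORG.okta.com" Value="okta-idp-cert" />
    </KeyProvider>
  </PicketLinkSP>

  <!-- Handler chain: the two signature handlers are what actually sign outgoing
       requests and verify the signature on incoming responses. -->
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
  </Handlers>
</PicketLink>
```

The matching jboss-web.xml only needs `<context-root>picketlink-enc</context-root>` so that the deployed path agrees with ServiceURL. If you keep the basic setup from step 8 you can drop `SupportsSignatures`, the KeyProvider and the two signature handlers, but then the SP has no way to tell an assertion issued by OKTA from one posted by anyone else, so keeping validation on, with the OKTA certificate in the keystore, is the configuration to prefer.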
