Integrate the SAML 2.0 protocol to OMS to implement SSO

This topic describes how to create an Okta application integration that uses the Security Assertion Markup Language (SAML) 2.0 protocol and update settings of OceanBase Migration Service (OMS) to implement single sign-on (SSO).

Limitations

At present, you can configure only one server for SSO login to OMS over the SAML 2.0 protocol.

Configurations in Okta

1. Create an Okta application integration that uses the SAML 2.0 protocol.

   1. Log in to the Okta console.

   2. In the left-side navigation pane, choose Applications > Applications.

   3. On the Applications page, click Create App Integration.

      

   4. In the Create a new app integration dialog box, select SAML 2.0 and click Next.

      

2. On the General Settings page, specify App name and click Next.

3. On the SAML Settings page, specify the following parameters and click Next.

   

   Parameter	Description
   Single sign-on URL	The SSO URL in the format of http://<ip>:<port>/omsp/saml/SSO. The <ip> and <port> fields correspond to the IP address and port number of the OMS endpoint, respectively. Do not select Use this for Recipient URL and Destination URL.
   Recipient URL	The URL of the recipient. Enter http://localhost:8090/omsp/saml/SSO.
   Destination URL	The URL of the target. Enter http://localhost:8090/omsp/saml/SSO.
   Audience URI (SP Entity ID)	The custom ID of the service provider (SP). The ID must be consistent with the value of the system parameter oms.auth.saml2.entity-id of OMS.

4. On the Feedback page, click Finish.

Configurations in OMS

Modify system parameters

1. Log in to the OMS console with an account that has ROOT permissions.

2. In the left-side navigation pane, choose System Management > System Parameters.

3. Click the edit icon in the Value column of the parameter that you want to modify.

   

   You need to modify the following parameters of the SSO module: oms.auth.saml2.entity-id, oms.auth.saml2.metadata-provider, oms.auth.saml2.certificate, oms.auth.sso-login-url, and oms.auth.saml2.redirect-url.

4. In the Modify Value dialog box, set Value.

   The correspondence between the preceding OMS system parameters and the Okta SAML 2.0 application parameters is described as follows:

   • oms.auth.saml2.entity-id: the entity ID of OMS used in the SAML 2.0-based authentication service. The value must be consistent with that of the Audience URI (SP Entity ID) parameter of the Okta SAML 2.0 application.

   • oms.auth.saml2.metadata-provider: the metadata URL of the SAML 2.0-based authentication service. The value must be consistent with that of the Metadata URL parameter of the Okta SAML 2.0 application.

     

   • oms.auth.saml2.certificate: the certificate used by OMS to verify the information returned by the SAML 2.0-based authentication service. The value must be consistent with that of the Signing Certificate parameter of the Okta SAML 2.0 application.

     

   • oms.auth.sso-login-url: the SSO URL of OMS used in the SAML 2.0-based authentication service. The value must be consistent with that of the Single sign-on URL parameter of the Okta SAML 2.0 application.

   • oms.auth.saml2.redirect-url: the OMS URL to which the user is redirected after its identity is authenticated by the SAML 2.0-based authentication service. The value is in the format of http://<ip>:<port>/oms-v2. The <ip> and <port> fields correspond to the IP address and port number of the OMS endpoint, respectively.

5. Click OK.

Modify system configuration

1. Log in to the OMS container that resides on the server whose IP address is specified by the oms.auth.sso-login-url parameter.

   docker exec -it ${CONTAINER_NAME} bash
   

   Notice

   CONTAINER_NAME specifies the name of the container.

2. Edit the application-oms.properties file in the /home/ds/ghana/config/ directory.

3. Change oms.iam.auth=LOCAL to oms.iam.auth=SAML2.

4. Run the following command in the container to restart the management service.

   supervisorctl restart oms_console