For many organizations, Active Directory (AD) or LDAP is crucial for managing identity and access policies. Okta's cloud-based identity and access management service simplifies this by offering a single integration point that ensures high availability for all cloud and web-based applications.
To integrate Okta with SAP Hybris Backoffice (now known as SAP Commerce Cloud) for Single Sign-On (SSO), follow these high-level steps for seamless authentication and user management:
Configure Okta as an Identity Provider:
Log into the Okta portal (refer to your developer account for detailed instructions).
Set up Okta as the Identity Provider to handle authentication requests.
Integrate Okta with SAP Hybris:
Configure SAP Hybris to recognize and utilize Okta for SSO.
Input the Okta configuration details into SAP Hybris to enable the integration.
Log in to your Okta dashboard. This guide uses an Okta developer account, which is free and sufficient for a developer proof of concept (POC). You can create one at the URL below; after creating the account, log in to the Okta dashboard.
https://developer.okta.com/signup/
Create an Okta Application:
Navigate to Applications and click Create App Integration. Select SAML 2.0 as the sign-on method. On the General Settings tab, enter a name for your integration, such as SAML-POC, and click Next.
On the Configure SAML tab, enter the following details:
Single sign-on URL: the URL to which Okta sends its SAML responses after authentication, for example https://<domain-url>/samlsinglesignon/saml/SSO
Audience Restriction: a unique identifier for the SAP Hybris application, such as urn:ssoextension:hybris:de. This value must match sso.entity.id in project.properties.
Default RelayState: if you have a specific landing page for users after login, use that URL, such as https://<domain-url>/samlsinglesignon/saml/backoffice
In the Attribute Statements section, configure the attributes that Okta will send to Hybris. Enter the SAML attribute names and values as in the example below:
id : user.email
firstName : user.firstName
lastName : user.lastName
In the Group Attribute Statements section, enter the group attribute name and the group filter, for example:
usergroup : admingroup
Once you complete the SAML settings, save the configuration. Okta will provide an Identity Provider metadata XML file or URL that you will need to configure in SAP Hybris.
While in a production environment users and groups are usually pre-configured, creating and managing these elements in a developer account is essential for testing SSO integration effectively. By setting up users and groups in your Okta developer account, you can simulate real-world scenarios and ensure that your SSO configuration is functioning correctly before going live.
Here's a step-by-step guide to creating a custom extension from the yempty template and integrating the SAMLSSOBackoffice extension, including the necessary details and commands:
1. Create a Custom Extension Using the yempty Template
Generate the custom extension: open a terminal, navigate to your Hybris installation directory and run the following command to create a new extension from the yempty template:
ant extgen
This creates a new extension called customsamlsso based on the yempty template (extgen prompts for the template and the extension name).
2. Add the custom extension to localextensions.xml.
To set up the samlsinglesignon extension, add both the samlsinglesignon extension and your custom extension to localextensions.xml:
<extensions>
<path dir='${HYBRIS_BIN_DIR}' autoload='false' />
......
<extension name="samlsinglesignon"/>
<extension name="customsamlsinglesignon"/>
.....
</extensions>
3. Include the SAMLSSOBackoffice extension in extensioninfo.xml
Open the extensioninfo.xml file in the customsamlsso extension directory and add the following requires-extension entry:
<requires-extension name="samlssobackoffice"/>
4. Copy the metadata and certificate into the security folder
Copy the Okta metadata and certificate files into the security folder of your customsamlsso extension. Create the security folder at the following location if it does not exist:
<HYBRIS_INSTALLATION>/custom/customsamlsso/web/webroot/WEB-INF/security/
Place the IdP metadata file (metadata.xml) and the certificate (okta.cert) in this directory.
5. Add the Okta Certificate to the Keystore
Locate the existing samlKeystore.jks file at the location below and copy it into the security folder of customsamlsso:
<HYBRIS_INSTALLATION>/bin/modules/platform/samlsinglesignon/web/webroot/WEB-INF/security
Import the Okta certificate: use the keytool command to import the Okta certificate into the copied samlKeystore.jks. Run the following from a terminal:
keytool -importcert -alias okta -file <path_to_your_okta_certificate>/okta.cert -keystore <path_to_security_folder>/samlKeystore.jks -storepass changeit
(Ensure the keystore and private key password are "changeit", matching the sso.keystore.* password properties in project.properties. For anything beyond a POC, generate your own keystore with a non-default password.)
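Before importing, it is worth confirming that the okta.cert you downloaded is the same signing certificate Okta advertises in the IdP metadata you copied in step 4; Okta rotates certificates, and a stale file imports without complaint but every SAML response then fails signature validation. The following is an added Python check, not code from the original article, SAP or Okta; the metadata and certificate it embeds are constructed placeholders (the base64 blob is not a real X.509 certificate), so point parse_idp_metadata and check_metadata_against_cert at your real metadata.xml and okta.cert instead.

```python
"""Cross-check an Okta IdP metadata file against the okta.cert to be imported into
samlKeystore.jks. Added example; sample metadata and certificate are constructed."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed filler bytes standing in for the DER-encoded signing certificate.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()

# Constructed metadata in the shape Okta exports (entityID and URLs are placeholders).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk-constructed-id">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          {SAMPLE_CERT_B64}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-constructed.okta.com/app/constructed/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-constructed.okta.com/app/constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, the format okta.cert is downloaded in."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


# Constructed okta.cert contents: one matches the metadata, one is an older rotated cert.
SAMPLE_OKTA_CERT_PEM = _pem(SAMPLE_CERT_DER)
SAMPLE_STALE_CERT_PEM = _pem(b"constructed-bytes-of-an-older-rotated-certificate")


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM header/footer and whitespace from one certificate, return DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form keytool -list -v prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, signing certificates (DER) and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this really IdP metadata?")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(node.text.split())))
    endpoints = [(s.get("Binding"), s.get("Location"))
                 for s in idp.findall("md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso_endpoints": endpoints}


def check_metadata_against_cert(xml_text: str, pem_text: str) -> dict:
    """Report whether the local certificate is one of the IdP's advertised signing certs."""
    meta = parse_idp_metadata(xml_text)
    local_fp = sha256_fingerprint(pem_to_der(pem_text))
    advertised = [sha256_fingerprint(c) for c in meta["signing_certs"]]
    return {
        "entity_id": meta["entity_id"],
        "signing_cert_fingerprints": advertised,
        "local_cert_fingerprint": local_fp,
        "certificate_in_metadata": local_fp in advertised,
        "all_sso_endpoints_https": all(loc.startswith("https://") for _, loc in meta["sso_endpoints"]),
    }


if __name__ == "__main__":
    print(check_metadata_against_cert(SAMPLE_METADATA, SAMPLE_OKTA_CERT_PEM))
    print(check_metadata_against_cert(SAMPLE_METADATA, SAMPLE_STALE_CERT_PEM))
```

Only run the keytool import once certificate_in_metadata is True; afterwards, keytool -list -v -keystore samlKeystore.jks -storepass changeit -alias okta prints the SHA-256 fingerprint of the imported entry, which should equal the value this script reports for the metadata.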
6. Configure Extension Properties in project.properties:
sso.metadata.location=${HYBRIS_BIN_DIR}/custom/customsamlsinglesignon/web/webroot/WEB-INF/security/metadata.xml
#KeyStore configs
sso.keystore.location=file:${HYBRIS_BIN_DIR}/custom/customsamlsinglesignon/web/webroot/WEB-INF/security/samlKeystore.jks
sso.keystore.privatekey.alias=hybris
sso.keystore.default.certificate.alias=hybris
sso.keystore.password=changeit
sso.keystore.privatekey.password=changeit
#SAML Attributes
sso.firstname.attribute.key=firstName
sso.lastname.attribute.key=lastName
sso.userid.attribute.key=id
sso.language.attribute.key=Language
#SAML group mapping
sso.mapping.admingroup.enableBackofficeLogin=true
sso.mapping.admingroup.usertype=Employee
sso.mapping.admingroup.groups=admingroup
backoffice.cockpitng.login.singlesignon.redirect=../samlsinglesignon/saml/backoffice
sso.entity.id=urn:ssoextension:hybris:de
sso.cookie.name=LoginToken
backoffice.success.logout.url=/../samlsinglesignon/saml/logout
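The sso.mapping.<okta-group>.* properties above are what decide, for each group value Okta puts in the usergroup attribute, whether the user may log in to Backoffice, which user type is created and which Hybris groups are assigned. The following Python model, an added example and not the samlsinglesignon extension's own code, runs that mapping over constructed attribute statements so the effect of a property change can be checked before a build. Assumptions: the group attribute name is read from sso.usergroup.attribute.key (defaulting to usergroup), an Okta group with no sso.mapping entry grants nothing, and Backoffice login is denied unless at least one mapped group sets enableBackofficeLogin=true.

```python
"""Model of how sso.mapping.<okta-group>.* properties turn one SAML attribute statement
into a Backoffice user decision. Added example; properties and assertions are constructed."""
from typing import Optional

# Constructed project.properties excerpt: the page's admingroup mapping plus a second
# group that receives Hybris groups but no Backoffice login.
SAMPLE_PROPERTIES = """\
#SAML Attributes
sso.firstname.attribute.key=firstName
sso.lastname.attribute.key=lastName
sso.userid.attribute.key=id
sso.usergroup.attribute.key=usergroup
#SAML group mapping
sso.mapping.admingroup.enableBackofficeLogin=true
sso.mapping.admingroup.usertype=Employee
sso.mapping.admingroup.groups=admingroup
sso.mapping.productmanagers.enableBackofficeLogin=false
sso.mapping.productmanagers.usertype=Employee
sso.mapping.productmanagers.groups=productmanagergroup,catalogmanagergroup
"""

# Constructed attribute statements as the SP sees them (SAML attributes are multi-valued).
SAMPLE_ADMIN_ASSERTION = {"id": ["alice@example.com"], "firstName": ["Alice"],
                          "lastName": ["Doe"], "usergroup": ["admingroup", "marketing"]}
SAMPLE_PM_ASSERTION = {"id": ["bob@example.com"], "firstName": ["Bob"],
                       "lastName": ["Lee"], "usergroup": ["productmanagers"]}
SAMPLE_NO_GROUP_ASSERTION = {"id": ["eve@example.com"], "firstName": ["Eve"], "lastName": ["Ng"]}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, key=value, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def mapping_for(props: dict, okta_group: str) -> dict:
    """Collect sso.mapping.<okta_group>.* entries; empty dict if the group is unmapped."""
    prefix = f"sso.mapping.{okta_group}."
    return {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}


def resolve_backoffice_user(props: dict, attributes: dict) -> dict:
    """Turn one SAML attribute statement into the user the mapping would produce."""
    def first_value(key_prop: str) -> Optional[str]:
        attr_name = props.get(key_prop)
        values = attributes.get(attr_name, []) if attr_name else []
        return values[0] if values else None

    uid = first_value("sso.userid.attribute.key")
    if not uid:
        raise ValueError("assertion carries no value for the configured user id attribute")

    group_attr = props.get("sso.usergroup.attribute.key", "usergroup")  # assumed key
    groups, unmapped, usertypes, login = set(), [], set(), False
    for okta_group in attributes.get(group_attr, []):
        mapping = mapping_for(props, okta_group)
        if not mapping:
            unmapped.append(okta_group)  # unknown Okta group grants nothing (assumption)
            continue
        groups.update(g.strip() for g in mapping.get("groups", "").split(",") if g.strip())
        if "usertype" in mapping:
            usertypes.add(mapping["usertype"])
        if mapping.get("enableBackofficeLogin", "false").lower() == "true":
            login = True
    if len(usertypes) > 1:
        raise ValueError(f"conflicting user types for {uid}: {sorted(usertypes)}")
    return {
        "uid": uid,
        "first_name": first_value("sso.firstname.attribute.key"),
        "last_name": first_value("sso.lastname.attribute.key"),
        "usertype": next(iter(usertypes), None),
        "groups": sorted(groups),
        "backoffice_login": login,
        "unmapped_groups": unmapped,
    }


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for assertion in (SAMPLE_ADMIN_ASSERTION, SAMPLE_PM_ASSERTION, SAMPLE_NO_GROUP_ASSERTION):
        print(resolve_backoffice_user(props, assertion))
```

The unmapped_groups list is the value to watch in a POC: an Okta group name that does not line up exactly with an sso.mapping key silently contributes nothing, which shows up as a user who authenticates at Okta but is refused by Backoffice.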
7. Build and Restart Hybris: After making these changes, build and restart your Hybris server to apply the updates.
8. Add the SAML mapping in Backoffice:
When you open Backoffice you will see a new link, "Login with Single Sign-On". Before clicking it, you need to configure the SAML mapping in Backoffice: log in the normal way, find SAML Mapping in Backoffice and add a mapping from the Okta group to the Hybris group.
After configuring group mappings, you will need to log out of the Backoffice to test the SSO (Single Sign-On) integration with Okta. Here’s how you can verify the login process:
Log Out of Backoffice and Initiate Login via Okta:
On the Backoffice login screen, select the option to "Login with Single Sign-On" (or similar depending on your setup). This action will redirect you to the Okta login page.
Authenticate with Okta:
Enter your Okta user ID and password on the Okta login page. If you are already logged in to Okta, you will be authenticated automatically and redirected to Backoffice:
Upon successful authentication, Okta will redirect you back to the Backoffice dashboard.
You should now be logged in and able to access the Backoffice functionalities.
By following these steps, you can confirm that the SSO integration with Okta is functioning as expected. If you encounter any issues, verify your Okta configuration and ensure that the user and group mappings are correctly set up.