                                                                Enable B2B Single Sign-On (SSO) for a SaaS Application

                                                                # Preview

                                                                B2B single sign-on (SSO) is critical for SaaS applications serving enterprise customers. In this tutorial, we will use the Datawiza Access Proxy (DAP) to enable this functionality WITHOUT coding. For the tutorial, we assume a web application, "SaasPortal", has two enterprise customers. Acme Corp. is using Microsoft Azure AD as its SSO platform. Globex Corp. is using Okta.

                                                                We will show how to use the DAP to enable SSO for SaasPortal to serve these two customers. We'll use the DAP's sidecar deployment mode, which means the DAP and SaasPortal are running on the same server.

                                                                • SaasPortal will run on localhost:3001, and it implements the header-based authentication mechanism and reads user information via HTTP headers or JWT tokens.
                                                                • The DAP will run on localhost:9772, which means the traffic to the app will reach the DAP (running on port 9772) first and then be proxied to the SaasPortal application (running on port 3001).
                                                                • We will provide the docker images for the DAP and SaasPortal.

                                                                # Part I: Azure AD Configuration

The customer Acme Corp needs to register SaasPortal in the Microsoft Portal and get the following values for this application:

                                                                • Client ID
                                                                • Client Secret
                                                                • Tenant Id

These values will later be used to set up the DAP in the Datawiza Cloud Management Console (DCMC). Please follow the instructions in IdP Configuration Guide: Azure AD to get those keys/values.

                                                                # Part II: Okta Configuration

                                                                Similarly, the customer Globex Corp needs to create an application on Okta and provide the following values:

                                                                • Client ID
                                                                • Client Secret
                                                                • Okta Org

These values are needed to set up the DAP in the Datawiza Cloud Management Console (DCMC). Please follow the instructions in IdP Configuration Guide: Okta to get those keys/values.

                                                                # Part III: Create Application on Datawiza Cloud Management Console (DCMC)

1. Sign in to the Datawiza Cloud Management Console.

2. Navigate to the Deployments page on the left menu, and then click the Create Deployment button.

3. In the Name and Description fields, enter the relevant information.

4. Select Create.

5. Navigate to the Provisioning Keys tab, and then click the Create Provisioning Key button.

6. In the Key Name and Expires fields, enter the relevant information.

7. Make a note of the Provisioning Key and Secret; you will need this key pair later.

8. Navigate to the Applications sub-tab, and then click the Create Application button.

                                                                9. In the Add Application dialog box, use the following values:

| Property | Value |
| --- | --- |
| Platform | Web |
| App Name | Enter a unique application name. For example, you can use SaasPortal. |
| Public Domain | Application URL that end users will visit. For example: https://SaasPortal.example.com. For testing, you can use localhost DNS. Here we use http://localhost:9772. |
| Listen Port | The port that the DAP listens on. Here we use 9772. |
| Upstream Servers | The URL and port of your SaaS app. Here we use http://docker.host.internal:3001. |

10. Select Create.

11. Switch to the IdP Configuration tab, and click the Create IdP button under Domain Hint.

12. In the Add IdP dialog box, add an organization domain. Here we use acme. Select Microsoft Azure Active Directory as the Identity Provider. Switch off Automatic Generator. Enter all the information from Part II. Then click the Save button.

13. We can now repeat the previous steps to create an Okta IdP. Click the Create IdP button under Domain Hint. Enter all the information from Part I. This time we use globex as the organization domain.

14. Your IdP configuration will now look like this.

                                                                # Part IV: Run the DAP with the Sample Web Application "SaasPortal"

You need Docker to run the DAP. The following is an example docker-compose.yml file to run the DAP. You may need to log in to our container registry to download the images of the DAP and the sample web application, called "SaasPortal" in the docker-compose file. See Configure DAP and SSO Integration for more details. Replace the values marked #### with the Provisioning Key and Secret recorded in the previous step.

```yaml
version: '3'
services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "9772:9772"
    environment:
      PROVISIONING_KEY: #############################
      PROVISIONING_SECRET: #############################

  SaasPortal:
    image: registry.gitlab.com/datawiza/header-based-app
    container_name: ab-demo-header-app
    restart: always
    ports:
      - "3001:3001"
```

                                                                After executing docker-compose -f docker-compose.yml up -d in your terminal, the Datawiza Access Proxy and the SaasPortal should be up and running.

                                                                # Part V: Test the Application

Open a browser and go to http://localhost:9772. The login page of the SaasPortal should be shown.

Click Sign in with SSO, and then enter the organization domain acme. You will be redirected automatically to Azure AD to log in.

After entering the credentials, you should be logged in successfully and see the homepage of the SaasPortal.

Now you can click the logout button and try to log in using Okta. This time, enter globex as the organization domain. After you click the continue button, you will be redirected to Okta to log in.

After entering the credentials, you should be logged in successfully and see the homepage of the SaasPortal as well.
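The domain-hint routing exercised above, sketched in Python as an added example (it is not Datawiza's code and does not describe the DAP's internals). It assumes an OIDC authorization-code flow against the standard Azure AD v2.0 and Okta org authorize endpoints; the tenant ID, Okta org host, client IDs and the `/callback` path are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample values; the real ones are the values collected in Parts I and II.
TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder Tenant Id
OKTA_ORG = "globex-placeholder.okta.com"          # placeholder Okta Org
IDPS = {
    "acme": {
        "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
        "authorize": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
        "client_id": "acme-client-id-placeholder",
    },
    "globex": {
        "issuer": f"https://{OKTA_ORG}",
        "authorize": f"https://{OKTA_ORG}/oauth2/v1/authorize",
        "client_id": "globex-client-id-placeholder",
    },
}
REDIRECT_URI = "http://localhost:9772/callback"   # hypothetical callback path


def begin_login(domain_hint):
    """Map an organization domain to its IdP and build the authorize URL."""
    org = domain_hint.strip().lower()
    idp = IDPS.get(org)
    if idp is None:
        # Unknown hints are rejected; user input never becomes part of a redirect target.
        raise ValueError("unknown organization domain")
    pending = {"org": org,
               "state": secrets.token_urlsafe(32),
               "nonce": secrets.token_urlsafe(32)}
    query = urlencode({
        "client_id": idp["client_id"],
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": pending["state"],
        "nonce": pending["nonce"],
    })
    return idp["authorize"] + "?" + query, pending


def callback_is_valid(pending, returned_state, token_issuer):
    """Accept a callback only for the login that was started, and only from its IdP.

    token_issuer is the `iss` claim of an ID token whose signature has already
    been verified; signature checking is outside this sketch.
    """
    state_ok = hmac.compare_digest(pending["state"].encode(), returned_state.encode())
    issuer_ok = token_issuer == IDPS[pending["org"]]["issuer"]
    return state_ok and issuer_ok
```

Binding the pending login to one organization is what keeps a valid Okta response for globex from being accepted as an acme sign-in when several IdPs share one callback.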

                                                                # (Optional) Part VI: Pass User Attributes to the SaasPortal

The DAP gets user attributes from the IdP and can pass them to the application via a header or a cookie.

                                                                Please follow the instructions of Pass User Attributes to pass the user attributes to the SaasPortal, which is expecting:

                                                                • email
                                                                • firstname
                                                                • lastname

If you want to get the user's groups, you need to add groups as a custom claim. You can refer to Add Claims in ID Token for Azure AD and Create Claims in Okta for more details.

After successfully configuring the user attributes and adding groups in the Okta claim and the DCMC configuration, you should see a green check mark for each of the user attributes.

                                                                # Conclusion

In this tutorial, you learned how to use Datawiza to configure B2B SSO logins for a SaaS app using Okta and Azure AD as the Identity Providers.

This is only a small example of what Datawiza can do. See Datawiza's online docs or official website for more information. Start a free trial today by signing up here!

                                                                Copyright © 2022 Datawiza Technologies Inc