WSO2 API Manager Portal OIDC SSO with WSO2 Identity Server 7.0.0
Hello Geeks!!!
Today, I'll explain how to configure SSO for the publisher and devportal by using the WSO2 Identity Server 7.0.0 version.
As you know, WSO2 API Manager is the world's leading open-source, enterprise-grade API management platform for on-premises, cloud, and hybrid architectures.
The WSO2 API Manager 4.x.x versions support the SSO integrations with external identity providers to authenticate the user from that external IDP and gain access to the API Manager portals.
Let's understand the use case that we are trying to achieve today.
Let's assume that you have deployed a WSO2 API Manager 4.x.x version. Now you need to integrate the WSO2 Identity Server 7.0.0 version with the API Manager for SSO authentication when logging in to the publisher portal and devportal.
So, how can we achieve this?
OK. Let's do it like a BOSS.
Below are the steps that we need to complete to achieve this. For this use case, I'll take the WSO2 API Manager 4.4.0 version and the WSO2 Identity Server 7.0.0 version. (You can use any APIM 4.x.x version for this.)
- Configure an SP at the IS 7.0.0 level
- Configure an IDP at the APIM 4.4.0 version
- Getting the groups claim (OIDC flow) and then doing the role mapping
- Enable the JIT provisioning
- Configure the IDP for the publisher and devportal service providers
- Exchange public certificates
Configure an SP at the IS 7.0.0 level
- Download the WSO2 Identity Server 7.0.0 distribution through the official link [1].
Also, if you have a valid WSO2 subscription, you can download the latest updates to the product by using the Update 2.0 channel. For more information, please refer to the documentation [2].
- Open the deployment.toml file under the <IS_HOME>/repository/conf directory.
- Add the offset value to run the IS server on a different port (because we are going to run both the IS and the APIM server on the same machine).
[server]
hostname = "localhost"
node_ip = "127.0.0.1"
offset=1
base_path = "https://$ref{server.hostname}:${carbon.management.port}"
In this case, the Identity Server will offset all the ports by 1 and hence, the management console port should be 9444.
- Save the file and start the Identity Server.
- Log into the new carbon console. (https://localhost:9444/console)
- Select Applications on the left navigation menu.
- Select + New Application button.
- On the next page, select Traditional Web Application.
- On the next page, give the below values for fields.
Name: IS7OIDCSSO
Protocol: OpenID Connect
Authorized redirect URLs: https://localhost:9443/commonauth
- Then click on the Create button to create the service provider.
Once the application is created, we can see the General page of the application as below.
- After creating the application, select the User Attributes tab of the application and select the Groups claim under the User Attribute Selection section.
- Under the Subject section, select the Assign alternate subject identifier option and select the Username claim from the dropdown. (This claim will be used as the username when the user is JIT provisioned on the API Manager side.)
- After this, we can click on the Update button at the bottom of the page.
- Now go to the Protocol tab of the application and get the Client ID and the Client Secret values. These are required when creating the Identity Provider (IDP) at the API Manager level. πππ
After the above steps, we need to add the groups claim to the openid scope so that the user's groups are sent to the API Manager side for the JIT provisioning process based on the user's claims. For that, we can follow the steps below.
- Expand the User Attributes and Stores section on the left navigation menu and click on the Attributes option.
- On the next page, select OpenID Connect under the Manage Attribute Mappings section.
- After this, we can see a page similar to the below one.
- Now click on the Scopes button at the top of the page.
- On the next page, click on the Open ID option under the OpenID Connect Scopes section.
On the next screen, we can see a page similar to the below one.
- Click on the + New Attribute button under the Manage Attributes section.
- Then search the Groups attribute and add it.
- Finally, click on the Save Changes button.
Now we have almost completed the configurations at the Identity Server level. Finally, let's create some user profiles and groups. In this case, we are going to use only groups, not roles, because the WSO2 Identity Server 7.0.0 version separates groups and roles. Hence, a user does not receive roles through group membership.
Since we are going to configure the SSO with the WSO2 Identity Server 7.0.0 version for both the publisher portal and the devportal in the API Manager, we are going to create 3 groups as below.
TEST_CREATOR_GROUP
TEST_PUBLISHER_GROUP
TEST_SUBSCRIBER_GROUP
Right, so let's move on to the final steps at the Identity Server level.
- In the carbon console of the Identity Server, expand User Management and click on Groups.
- Click on the + New Group button.
- Add a group name (Eg: TEST_CREATOR_GROUP) and click on the Next button.
- Then click on the Finish button to create the group.
- Repeat the above steps to create the 3 groups named TEST_CREATOR_GROUP, TEST_PUBLISHER_GROUP, and TEST_SUBSCRIBER_GROUP.
- Finally, we can see all the created groups under the Groups section as below.
Let's create 3 users named creatoruser, publisheruser, and subscriberuser and assign them the previously created groups.
creatoruser -> TEST_CREATOR_GROUP
publisheruser -> TEST_PUBLISHER_GROUP
subscriberuser -> TEST_SUBSCRIBER_GROUP
- Expand the User Management and select the Users option.
- Click on the + Add User button and select the Single User option.
- Then fill in all the details by providing the Username, Email, First Name, Last Name, and Password for the user profile, and click on the Next button.
- Under the User Groups section, assign the appropriate group to the user. (Since I created the creatoruser profile, I will assign the TEST_CREATOR_GROUP to this profile)
- Then click on the Save & Continue button to create the user profile and assign the selected group to the user.
Repeat the same steps to create the publisheruser and subscriberuser profiles.
- Finally, we can see all 3 user profiles under the Users page as below.
Now we have completed the configuration at the Identity Server level. So, let's move on to the API Manager.
Configure an IDP at the APIM 4.4.0 version
- Download the WSO2 API Manager 4.4.0 distribution through the official link [3].
- Start the API Manager server.
- Log into the carbon management console. (https://localhost:9443/carbon)
- Click on the Add button under the Identity Providers section on the left navigation menu.
- Provide a name for the Identity Provider. (Eg: WSO2_IS7)
Getting the groups claim (OIDC flow) and then doing the role mapping
In this step, we are going to map the groups claim to the role claim of the APIM and do the role mapping configurations. For that, we can follow the below steps.
- Expand the Claim Configuration and expand the Basic Claim Configuration section.
- Select Define Custom Claim Dialect under the Select Claim mapping Dialect field.
- Click on the Add Claim Mapping button to add a claim mapping row.
- Under the Identity Provider Claim URI column, add groups.
- Under the Local Claim URI column, select the http://wso2.org/claims/role claim.
- Under the Role Claim URI drop-down, select groups.
- Now expand the Role Configuration section.
- Click on the Add Role Mapping button to add a role mapping.
- Under the Identity Provider Role column, provide the groups that we created at the Identity Server level (Eg: TEST_CREATOR_GROUP).
- Under the Local Role column, we need to point to the role that is on the API Manager side. (Eg: Internal/creator)
- Now expand the Federated Authenticators and expand the OAuth2/OpenID Connect Configuration section.
- Put a tick to the Enable OAuth2/OpenIDConnect option.
- For the Client ID and Client Secret fields, put the client ID and client secret that we took from the application on the WSO2 Identity Server side.
- For the rest of the fields, the values should be as below.
Authorization Endpoint URL: https://<IS_HOST>:<IS_PORT>/oauth2/authorize
Token Endpoint URL: https://<IS_HOST>:<IS_PORT>/oauth2/token
Callback Url: https://<APIM_HOST>:<APIM_PORT>/commonauth
Userinfo Endpoint URL: https://<IS_HOST>:<IS_PORT>/oauth2/userinfo?schema=openid
Logout Endpoint URL: https://<IS_HOST>:<IS_PORT>/oidc/logout
Scopes: openid
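As an added example (not part of the original post), the following Python helper decodes a constructed ID token and applies the groups-to-role mapping configured above, so you can see which local roles a user would be JIT-provisioned with and which groups have no mapping. The Internal/publisher and Internal/subscriber local roles, the sample token and the UNMAPPED_GROUP value are assumptions for the example; only Internal/creator is named in the post.

```python
import base64
import json

# Role mapping as configured under "Role Configuration" on the APIM IDP
# (Identity Provider Role -> Local Role). Only Internal/creator is named in
# the post; the other two local roles are assumed for this example.
ROLE_MAPPING = {
    "TEST_CREATOR_GROUP": "Internal/creator",
    "TEST_PUBLISHER_GROUP": "Internal/publisher",
    "TEST_SUBSCRIBER_GROUP": "Internal/subscriber",
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of an ID token WITHOUT verifying the signature.
    Use it only to inspect what IS 7 sends (e.g. whether the groups claim made it
    into the openid scope); signature, issuer and audience checks are done by the
    APIM federated authenticator, not here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def map_groups_to_roles(claims: dict, mapping: dict = ROLE_MAPPING) -> dict:
    """Apply the IDP mapping the post configures: 'groups' -> http://wso2.org/claims/role,
    then each group value is looked up as an Identity Provider Role. Unmapped groups
    are reported rather than silently dropped, so a user who would be provisioned
    with no usable role is visible."""
    groups = claims.get("groups", [])
    if isinstance(groups, str):  # tolerate a single group sent as a plain string
        groups = [g.strip() for g in groups.split(",") if g.strip()]
    if not groups:
        raise ValueError("ID token has no groups claim: check the openid scope on IS")
    # The post selects the Username claim as the alternate subject identifier, so
    # 'sub' is the username that JIT provisioning creates in the PRIMARY store.
    return {
        "username": claims["sub"],
        "roles": sorted({mapping[g] for g in groups if g in mapping}),
        "unmapped_groups": sorted(g for g in groups if g not in mapping),
    }

def build_sample_id_token(payload: dict) -> str:
    """Construct an ID token with a placeholder signature, for offline testing only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2lnbmF0dXJl"
```

Paste a real ID token captured from the browser during the SSO redirect into decode_id_token_claims to confirm the groups claim arrives before touching the APIM role mapping.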
Now almost everything is in place. Let's enable JIT provisioning.
Enable the JIT provisioning
- Expand the Just-in-Time Provisioning section.
- Select Always provision to User Store Domain PRIMARY with the Provision silently option.
- Click on the Update button at the bottom of the page to save all the configurations.
Now we have completed the IDP configurations. Let's assign this IDP to the devportal and publisher service providers.
Configure the IDP for the publisher and devportal service providers
- Click on the List under the Service Providers section.
- We can see the apim_devportal and apim_publisher service providers as below.
- Click on the Edit button of one of the service providers and then expand the Local & Outbound Authentication Configuration section.
- Select the Federated Authentication option under the Authentication Type section and select the created IDP (WSO2_IS7).
- Tick the Assert identity using mapped local subject identifier option. Please note that this is mandatory for the role mapping to work properly.
- Then click on the Update button.
You can do the same steps for the apim_devportal service provider to enable the external IDP SSO authentication for the devportal.
FINAL STEP: Exchange certificates
For this, you need to shut down the API Manager server.
- Then go to the <IS_HOME>/repository/resources/security directory and execute the below keytool command to export the public certificate of the TLS keystore at the Identity Server level.
FORMAT
keytool -export -alias <ALIAS_NAME> -file PUB_CERT.crt -keystore <TLS_KEYSTORE> -storepass <STORE_PASSWORD> -noprompt
EXAMPLE
keytool -export -alias wso2carbon -file PUB_CERT.crt -keystore wso2carbon.jks -storepass wso2carbon -noprompt
- Then execute the command below, pointing to the truststore of the API Manager and the exported public certificate (PUB_CERT.crt).
FORMAT
keytool -import -trustcacerts -alias <ALIAS_NAME> -file PUB_CERT.crt -keystore <APIM_TRUSTSTORE> -storepass <TRUSTSTORE_PASSWORD> -noprompt
EXAMPLE
keytool -import -trustcacerts -alias IS_CERT -file PUB_CERT.crt -keystore client-truststore.jks -storepass wso2carbon -noprompt
- Finally, you can start the API Manager server.
TESTING PHASE
Now we have completed all the steps to configure SSO for the publisher and devportal by using the WSO2 Identity Server 7.0.0 version. Let's test the behavior.
- Go to the devportal. (https://localhost:9443/devportal)
- Click on the SIGN-IN button at the top right corner.
- Now the login page of the Identity Server 7.0.0 should appear as below.
- Once we provide the correct credentials of the subscriberuser, the user is logged into the portal and the profile is provisioned on the API Manager side.
You can check the same login process on the publisher portal, and you should see a similar page to the one below once the publisheruser or creatoruser logs into the system.
SO YEAH!!! THE SOLUTION IS WORKING AS EXPECTED
Congratulations!!! Now you have successfully configured the OIDC SSO flow for the publisher and devportal with WSO2 Identity Server 7.0.0.
Happy Provisioning with IS 7.0.0!!!
[1] https://wso2.com/identity-server/