WSO2 API Manager Portal OIDC SSO with WSO2 Identity Server 7.0.0

Sumudu Sahan Weerasuriya
10 min read · Dec 16, 2024


Hello Geeks!!! 😊😊😊

Today, I’ll explain how to configure the SSO for the publisher and devportal by using the WSO2 Identity Server 7.0.0 version.

As you know, WSO2 API Manager is the world’s leading open-source, enterprise-grade API management platform for on-premises, cloud, and hybrid architectures.

WSO2 API Manager 4.x.x supports SSO integration with external identity providers, so that users authenticated by the external IDP gain access to the API Manager portals.

Let’s understand the use case that we are trying to achieve today. 😇😇😇

Let’s assume that you have deployed the WSO2 API Manager 4.x.x version. Now you need to integrate WSO2 Identity Server 7.0.0 with the API Manager for SSO authentication when logging in to the publisher portal and devportal.

So, how can we achieve this? 🤔🤔🤔

OK. Let’s do it like a BOSS 😎😎😎

Below are the steps that we need to complete to achieve this. For this use case, I’ll take the WSO2 API Manager 4.4.0 version and the WSO2 Identity Server 7.0.0 version. (You can use any APIM 4.x.x version for this)

  1. Configure an SP at the IS 7.0.0 level
  2. Configure an IDP at the APIM 4.4.0 version
  3. Getting the groups claim (OIDC flow) and then doing the role mapping
  4. Enable the JIT provisioning
  5. Configure the IDP for the publisher and devportal service providers
  6. Exchange public certificates

Configure an SP at the IS 7.0.0 level

  • Download the WSO2 Identity Server 7.0.0 distribution through the official link [1].

Also, if you have a valid WSO2 subscription, you can download the latest updates to the product by using the Update 2.0 channel. For more information, please refer to the documentation [2].

  • Open the deployment.toml file under the <IS_HOME>/repository/conf directory.
  • Add the offset value to run the IS server on a different port (because we are going to run both the IS and the APIM server on the same machine):
[server]
hostname = "localhost"
node_ip = "127.0.0.1"
offset=1
base_path = "https://$ref{server.hostname}:${carbon.management.port}"

In this case, the Identity Server will offset all the ports by 1 and hence, the management console port should be 9444.

  • Save the file and start the Identity Server.
  • Log into the new carbon console. (https://localhost:9444/console)
New console — WSO2 Identity Server 7.0.0
  • Select Applications on the left navigation menu.
  • Click the + New Application button.
  • On the next page, select Traditional Web Application.
  • On the next page, provide the values below for the fields:
Name: IS7OIDCSSO
Protocol: OpenID Connect
Authorized redirect URLs: https://localhost:9443/commonauth
Traditional Web Application Configurations — WSO2 Identity Server 7.0.0
  • Then click on the Create button to create the service provider.

Once we have created the application, we can see the General page of the application, as below.

Overview of the created SP — WSO2 Identity Server 7.0.0
  • After creating the application, select the User Attributes tab of the application and select the Groups claim under the User Attribute Selection section.
User attributes of the service provider — WSO2 Identity Server 7.0.0
  • Under the Subject section, select the Assign alternate subject identifier option and select the Username claim from the dropdown. (This claim will be used to create the username when performing JIT provisioning at the API Manager level.)
Subject claim altering — WSO2 Identity Server 7.0.0
  • After this, we can click on the Update button at the bottom of the page.
  • Now go to the Protocol tab of the application and get the Client ID and the Client Secret values. These are required when creating the Identity Provider (IDP) at the API Manager level. 🙂🙂🙂
Consumer key and secret details — WSO2 Identity Server 7.0.0

After the above steps, we need to add the groups claim to the openid scope, so that the user’s groups are sent to the API Manager side for the JIT provisioning process based on the user’s claims. For that, we can follow the below steps.

  • Expand the User Attributes and Stores section on the left navigation menu and click on the Attributes option.
  • On the next page, select OpenID Connect under the Manage Attribute Mappings section.
  • After this, we can see a page similar to the below one.
OIDC claim dialects — WSO2 Identity Server 7.0.0
  • Now click on the Scopes button at the top of the page.
  • On the next page, click on the Open ID option under the OpenID Connect Scopes section.
Scopes of the OpenID Connect — WSO2 Identity Server 7.0.0

On the next screen, we can see a page similar to the below one.

Manage Attributes — WSO2 Identity Server 7.0.0
  • Click on the + New Attribute button under the Manage Attributes section.
  • Then search the Groups attribute and add it.
Groups attribute got added — WSO2 Identity Server 7.0.0
  • Finally, click on the Save Changes button.

Now we have almost completed the configurations at the Identity Server level. Finally, let’s create some user profiles and groups. In this case, we are not going to use roles; we use only groups, because WSO2 Identity Server 7.0.0 separates groups from roles. Hence, the user will not get roles through their groups.

Since we are going to configure the SSO with the WSO2 Identity Server 7.0.0 version for both the publisher portal and the devportal in the API Manager, we are going to create 3 groups as below.

TEST_CREATOR_GROUP
TEST_PUBLISHER_GROUP
TEST_SUBSCRIBER_GROUP

Right, so let’s move on to the final steps at the Identity Server level. 🤓🤓🤓

  • In the console of the Identity Server, expand User Management and click on Groups.
  • Click on the + New Group button.
  • Add a group name (e.g. TEST_CREATOR_GROUP) and click on the Next button.
Create a group — WSO2 Identity Server 7.0.0
  • Then click on the Finish button to create the group.
  • Repeat the above steps to create the 3 groups named TEST_CREATOR_GROUP, TEST_PUBLISHER_GROUP, and TEST_SUBSCRIBER_GROUP.
  • Finally, we can see all the created groups under the Groups section as below.
Group List — WSO2 Identity Server 7.0.0

Let’s create 3 users named creatoruser, publisheruser, and subscriberuser and assign the previously created groups.

creatoruser -> TEST_CREATOR_GROUP
publisheruser -> TEST_PUBLISHER_GROUP
subscriberuser -> TEST_SUBSCRIBER_GROUP
  • Expand User Management and select the Users option.
  • Click on the + Add User button and select the Single User option.
  • Then fill in all the details by providing the Username, Email, First Name, Last Name, and Password for the user profile.
Create a user — WSO2 Identity Server 7.0.0

Click on the Next button.

  • Under the User Groups section, assign the appropriate group to the user. (Since I created the creatoruser profile, I will assign the TEST_CREATOR_GROUP to this profile)
Assign a group — WSO2 Identity Server 7.0.0
  • Then click on the Save & Continue button to create the user profile and assign the selected group to the user.

Do the same to create the publisheruser and subscriberuser profiles.

  • Finally, we can see all 3 user profiles under the Users page as below.
User List — WSO2 Identity Server 7.0.0

Now we have completed the configuration at the Identity Server level. So, let’s move on to the API Manager. 😁😁😁

Configure an IDP at the APIM 4.4.0 version

  • Download the WSO2 API Manager 4.4.0 distribution through the official link [3].
  • Start the API Manager server.
  • Log into the carbon management console. (https://localhost:9443/carbon)
  • Click on the Add button under the Identity Providers section on the left navigation menu.
  • Provide a name for the Identity Provider. (Eg: WSO2_IS7)

Getting the groups claim (OIDC flow) and then doing the role mapping

In this step, we are going to map the groups claim to the role claim of the APIM and do the role mapping configurations. For that, we can follow the below steps.

  • Expand the Claim Configuration and expand the Basic Claim Configuration section.
  • Select Define Custom Claim Dialect under the Select Claim mapping Dialect field.
  • Click on the Add Claim Mapping button to add a claim mapping row.
  • Under the Identity Provider Claim URI column, add groups.
  • Under the Local Claim URI, select http://wso2.org/claims/role claim.
  • Under the Role Claim URI drop-down, select groups.
Claim Configurations — WSO2 API Manager 4.4.0
  • Now expand the Role Configuration section.
  • Click on the Add Role Mapping button to add a role mapping.
  • Under the Identity Provider Role column, you need to provide the groups that we created at the Identity Server level (Eg: TEST_CREATOR_GROUP)
  • Under the Local Role column, we need to point to the role that is on the API Manager side. (Eg: Internal/creator)
Role Configurations — WSO2 API Manager 4.4.0
  • Now expand the Federated Authenticators and expand the OAuth2/OpenID Connect Configuration section.
  • Tick the Enable OAuth2/OpenIDConnect option.
  • For the Client ID and Client Secret fields, enter the Client ID and Client Secret taken from the service provider on the WSO2 Identity Server side.
  • For the rest of the fields, the values should be as below.
Authorization Endpoint URL: https://<IS_HOST>:<IS_PORT>/oauth2/authorize
Token Endpoint URL: https://<IS_HOST>:<IS_PORT>/oauth2/token
Callback Url: https://<APIM_HOST>:<APIM_PORT>/commonauth
Userinfo Endpoint URL: https://<IS_HOST>:<IS_PORT>/oauth2/userinfo?schema=openid
Logout Endpoint URL: https://<IS_HOST>:<IS_PORT>/oidc/logout
Scopes: openid
OIDC configurations — WSO2 API Manager 4.4.0
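To see what the claim mapping and role mapping configured above actually do to a login, here is an added Python emulation (not WSO2 code) of the two stages: the groups claim received from IS is renamed to the local role claim, and each IS group is then translated to a local APIM role. Only the Internal/creator mapping is shown in the article; the publisher and subscriber mappings, the portal-access table and the userinfo sample are assumptions of this example.

```python
from typing import Dict, List, Tuple

ROLE_CLAIM = "http://wso2.org/claims/role"

# Basic Claim Configuration: IdP claim URI -> local claim URI.
CLAIM_MAPPING = {"groups": ROLE_CLAIM}

# Role Configuration: IdP role (IS group) -> local APIM role.
# Only the creator row is in the article; the other two are assumed here.
ROLE_MAPPING = {
    "TEST_CREATOR_GROUP": "Internal/creator",
    "TEST_PUBLISHER_GROUP": "Internal/publisher",
    "TEST_SUBSCRIBER_GROUP": "Internal/subscriber",
}

# Assumed portal each local role grants access to (matches the testing phase below).
PORTAL_ACCESS = {"Internal/creator": "publisher", "Internal/publisher": "publisher",
                 "Internal/subscriber": "devportal"}

def map_claims(userinfo: Dict) -> Dict[str, List[str]]:
    """Rename IdP claims to local claim URIs; claims without a mapping are dropped."""
    local: Dict[str, List[str]] = {}
    for idp_claim, value in userinfo.items():
        if idp_claim in CLAIM_MAPPING:
            local[CLAIM_MAPPING[idp_claim]] = list(value) if isinstance(value, list) else [value]
    return local

def resolve_roles(userinfo: Dict) -> Tuple[List[str], List[str]]:
    """Return (local roles to assign, IS groups that have no role mapping)."""
    groups = map_claims(userinfo).get(ROLE_CLAIM, [])
    mapped = [ROLE_MAPPING[g] for g in groups if g in ROLE_MAPPING]
    unmapped = [g for g in groups if g not in ROLE_MAPPING]
    return mapped, unmapped

def portals_for(userinfo: Dict) -> List[str]:
    """Portals the provisioned user can sign in to, derived from the mapped roles."""
    roles, _ = resolve_roles(userinfo)
    return sorted({PORTAL_ACCESS[r] for r in roles if r in PORTAL_ACCESS})

# Constructed userinfo response for creatoruser; HR_TEAM stands for a group that
# exists in IS but has no mapping on the APIM side, so it yields no local role.
SAMPLE_USERINFO = {"sub": "creatoruser", "groups": ["TEST_CREATOR_GROUP", "HR_TEAM"]}

if __name__ == "__main__":
    roles, leftover = resolve_roles(SAMPLE_USERINFO)
    print("local roles:", roles, "unmapped groups:", leftover, "portals:", portals_for(SAMPLE_USERINFO))
```

An IS group that appears in the unmapped list is one you still need to add under Role Configuration if it should grant portal access.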

Now almost everything is completed. 🤓 Let’s enable JIT provisioning.

Enable the JIT provisioning

  • Expand the Just-in-Time Provisioning section.
  • Select Always provision to User Store Domain PRIMARY with the Provision silently option.
Just-in-Time provisioning — WSO2 API Manager 4.4.0
  • Click on the Update button at the bottom of the page to save all the configurations.

Now we have completed the IDP configurations. Let’s assign this IDP to the devportal and publisher service providers.

Configure the IDP for the publisher and devportal service providers

  • Click on the List under the Service Providers section.
  • We can see the apim_devportal and apim_publisher service providers as below.
Service Providers — WSO2 API Manager 4.4.0
  • Click on the Edit button of one of the service providers and then expand the Local & Outbound Authentication Configuration section.
  • Select the Federated Authentication option under the Authentication Type section and select the created IDP (WSO2_IS7).
  • Tick the Assert identity using mapped local subject identifier option. Note that this is mandatory for the role mapping to work properly.
Local and Outbound Authentication Configuration — WSO2 API Manager 4.4.0
  • Then click on the Update button.

You can do the same steps for the apim_devportal service provider to enable the external IDP SSO authentication for the devportal.

FINAL STEP — Exchange certificates

For this, you need to shut down the API Manager server.

  • Then go to the <IS_HOME>/repository/resources/security directory and execute the below keytool command to export the public certificate of the TLS keystore at the Identity Server level.
FORMAT
keytool -export -alias <ALIAS_NAME> -file PUB_CERT.crt -keystore <TLS_KEYSTORE> -storepass <STORE_PASSWORD> -noprompt
EXAMPLE
keytool -export -alias wso2carbon -file PUB_CERT.crt -keystore wso2carbon.jks -storepass wso2carbon -noprompt
  • Then you can execute the below command by pointing to the truststore of the API Manager and the exported public certificate (PUB_CERT.crt).
FORMAT
keytool -import -trustcacerts -alias <ALIAS_NAME> -file PUB_CERT.crt -keystore <APIM_TRUSTSTORE> -storepass <TRUSTSTORE_PASSWORD> -noprompt
EXAMPLE
keytool -import -trustcacerts -alias IS_CERT -file PUB_CERT.crt -keystore client-truststore.jks -storepass wso2carbon -noprompt
  • Finally, you can start the API Manager server.
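Before starting the API Manager, the exported PUB_CERT.crt can also be used to confirm that the endpoint values entered in the IDP configuration agree with what the Identity Server advertises in its OpenID discovery document. The following is an added Python check (not WSO2 code); it assumes IS on localhost:9444 (offset 1), the discovery path /oauth2/token/.well-known/openid-configuration, and a constructed sample document for offline use.

```python
import json
import ssl
import urllib.request
from typing import Dict, List

# Discovery path served by WSO2 IS (assumed for this example).
DISCOVERY_PATH = "/oauth2/token/.well-known/openid-configuration"

def expected_idp_config(is_host: str, is_port: int) -> Dict[str, str]:
    """Values entered in the APIM IdP form, keyed by the matching discovery field."""
    base = f"https://{is_host}:{is_port}"
    return {
        "authorization_endpoint": f"{base}/oauth2/authorize",
        "token_endpoint": f"{base}/oauth2/token",
        "userinfo_endpoint": f"{base}/oauth2/userinfo?schema=openid",
        "end_session_endpoint": f"{base}/oidc/logout",
    }

def check_discovery(discovery: Dict, is_host: str, is_port: int) -> List[str]:
    """Compare configured values with advertised ones; an empty list means all agree."""
    problems = []
    for key, configured in expected_idp_config(is_host, is_port).items():
        # The ?schema=openid query is an APIM-side detail, not part of the advertised URL.
        if discovery.get(key) != configured.split("?")[0]:
            problems.append(f"{key}: configured {configured}, advertised {discovery.get(key)}")
    if "openid" not in discovery.get("scopes_supported", []):
        problems.append("openid scope is not advertised")
    if "groups" not in discovery.get("claims_supported", []):
        problems.append("groups claim is not advertised: add it to the openid scope in IS")
    return problems

def fetch_discovery(is_host: str, is_port: int, ca_file: str = "PUB_CERT.crt") -> Dict:
    """Fetch the live document, trusting only the certificate exported from IS above."""
    data = open(ca_file, "rb").read()
    ctx = ssl.create_default_context()
    # keytool -export writes DER by default (PEM with -rfc); cadata accepts either form.
    ctx.load_verify_locations(cadata=data.decode() if data.startswith(b"-----") else data)
    with urllib.request.urlopen(f"https://{is_host}:{is_port}{DISCOVERY_PATH}",
                                context=ctx, timeout=10) as resp:
        return json.load(resp)

# Constructed sample of what IS 7.0.0 on localhost:9444 (offset 1) would advertise.
SAMPLE_DISCOVERY = {
    "authorization_endpoint": "https://localhost:9444/oauth2/authorize",
    "token_endpoint": "https://localhost:9444/oauth2/token",
    "userinfo_endpoint": "https://localhost:9444/oauth2/userinfo",
    "end_session_endpoint": "https://localhost:9444/oidc/logout",
    "scopes_supported": ["openid", "profile"],
    "claims_supported": ["sub", "groups"],
}
```

Against a running server, replace SAMPLE_DISCOVERY with fetch_discovery("localhost", 9444) and any reported mismatch (typically a forgotten port offset) is what to fix in the IDP form.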

TESTING PHASE

Now we have completed all the steps to configure the SSO by using the WSO2 Identity Server 7.0.0 version for publisher and devportal. Let’s test the behavior.

  • Go to the devportal. (https://localhost:9443/devportal)
Devportal — WSO2 API Manager 4.4.0
  • Click on the SIGN-IN button at the top right corner.
  • Now the login page of the Identity Server 7.0.0 should appear as below.
SSO login page — WSO2 Identity Server 7.0.0
  • Once we provide the correct credentials of the subscriberuser, the user will be logged into the portal and the profile will be provisioned on the API Manager side.
After logging into the devportal — WSO2 API Manager 4.4.0
Provisioned user profile — WSO2 API Manager 4.4.0
Provisioned user profile with mapped roles — WSO2 API Manager 4.4.0

You can check the same login process on the publisher portal; you should see a page similar to the one below once the publisheruser or creatoruser logs into the system.

Publisher portal — WSO2 API Manager 4.4.0

SO YEAH!!!, THE SOLUTION IS WORKING AS EXPECTED 😎😎😎

Congratulations!!! Now you have successfully configured the OIDC SSO flow for publisher and devportal with WSO2 Identity Server 7.0.0. 😎😎😎

Happy Provisioning with IS 7.0.0!!! 😁😁😁

[1] https://wso2.com/identity-server/

[2] https://updates.docs.wso2.com/en/latest/

[3] https://wso2.com/api-manager/#

Written by Sumudu Sahan Weerasuriya

Associate Technical Lead @ WSO2 | 2nd Runner-Up of WSO2 Certified Employee of the Year — 2021 | 10X WSO2 Certified | BIT(UCSC) | DiHN | OCPJP
