Configuring External IDP through Identity Server for SSO

Note

This guide assumes that you have already followed Configuring Identity Server as IDP for SSO and configured WSO2 Identity Server as the IDP for SSO.

Info

When configuring SSO for the API Manager Developer Portal and Publisher via an external IDP in a distributed setup, you need to update the Developer Portal and Publisher nodes with the following configuration so that they point to the Key Manager endpoints.

[apim.idp]
server_url = "https://<KM_HOSTNAME>"
authorize_endpoint = "https://<KM_HOSTNAME>:<PORT>/oauth2/authorize"
oidc_logout_endpoint = "https://<KM_HOSTNAME>:<PORT>/oidc/logout"
oidc_check_session_endpoint = "https://<KM_HOSTNAME>:<PORT>/oidc/checksession"

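As an added example (not WSO2's own tooling), the following Python checks an [apim.idp] block like the one above before a node is restarted: it confirms that each endpoint is an https URL on the same host as server_url and ends in the expected path, and it flags the easy-to-miss dropped slash in a URL scheme. The sample blocks and the km.example.com host are constructed.

```python
import re
from urllib.parse import urlparse

# Paths the Info block above expects each Key Manager endpoint to end in.
EXPECTED_PATHS = {
    "authorize_endpoint": "/oauth2/authorize",
    "oidc_logout_endpoint": "/oidc/logout",
    "oidc_check_session_endpoint": "/oidc/checksession",
}
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_section(toml_text, section="apim.idp"):
    """Read one flat TOML section of `key = "string"` lines into a dict."""
    inside, result = False, {}
    for raw in toml_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # section header
            inside = line == f"[{section}]"
        elif inside and (m := _KV.match(line)):
            result[m.group(1)] = m.group(2)
    return result

def check_idp_config(cfg):
    """Return a list of problems; an empty list means the block is sound."""
    problems = []
    server = urlparse(cfg.get("server_url", ""))
    if server.scheme != "https" or not server.hostname:
        problems.append("server_url must be an https URL with a host")
    for key, path in EXPECTED_PATHS.items():
        u = urlparse(cfg.get(key, ""))
        # A missing key or a dropped slash ("https:/host/...") parses with no
        # host, so this catches both, not only a plain-http endpoint.
        if u.scheme != "https" or not u.hostname:
            problems.append(f"{key} is missing or not a well-formed https URL")
        elif server.hostname and u.hostname != server.hostname:
            problems.append(f"{key} points at {u.hostname}, not the server_url host")
        elif u.path != path:
            problems.append(f"{key} should end in {path}, got {u.path}")
    return problems

# Constructed sample blocks (not from a real deployment): one sound, one with a dropped slash.
GOOD = '''[apim.idp]
server_url = "https://km.example.com"
authorize_endpoint = "https://km.example.com:9443/oauth2/authorize"
oidc_logout_endpoint = "https://km.example.com:9443/oidc/logout"
oidc_check_session_endpoint = "https://km.example.com:9443/oidc/checksession"
'''
BAD = GOOD.replace("https://km.example.com:9443/oidc/logout",
                   "https:/km.example.com:9443/oidc/logout")
```

Running `check_idp_config(parse_section(open("deployment.toml").read()))` on a node's file (the deployment.toml path is an assumption) returns an empty list when the block matches the shape shown above.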
  1. Add a new Identity Provider in WSO2 Identity Server. For more details on configuring external IDPs in WSO2 IS, see Adding and Configuring an Identity Provider.

    • Identity Provider Name: ExternalIS
    • Make the following changes under Federated Authenticators > SAML2 Web SSO Configuration:
      • Enable SAML2 Web SSO
      • Check Default
      • Set Service Provider Entity ID
      • Set SSO URL for the external IDP (e.g., https://localhost:9453/samlsso)
      • Enable Logout
  2. Enable Just-In-Time Provisioning for the external IDP. For more information, see Configuring Just-In-Time Provisioning for an Identity Provider.

  3. Map the external IDP roles to the roles configured in API Manager. For more information on mapping roles, see Configuring Roles for an Identity Provider.

  4. Open the management console, and click Edit under Service Providers.

  5. Under Local & Outbound Authentication Configuration, select Federated Authentication, and then select the newly created external IDP.

  6. Add http://wso2.org/claims/role as the Claim URI under Claim Configuration and select the Mandatory Claim check box. Add http://wso2.org/claims/username as the Subject Claim URI.

Tip

Additionally, you might need to configure claims to map them to the available claims in WSO2 Identity Server. For more details, see Configuring Claims for an Identity Provider.