Configuring Identity Server as External IDP using SAML¶
The Single Sign-On with the SAML 2.0 feature in WSO2 API Manager is implemented according to the SAML 2.0 browser-based SSO support facilitated by WSO2 Identity Server(WSO2 IS). This feature is available in all WSO2 IS packs from 4.1.0 onwards. The version used in this guide is WSO2 IS 5.10.0.
WSO2 Identity Server acts as an identity service provider of systems enabled with single sign-on, while the Web applications act as SSO service providers. Using this feature, you can configure SSO with SAML 2.0 across the API Publisher and Developer Portal. After configuring, you can access the Developer Portal or the API Publisher with a single authentication attempt.
Pre-requisites¶
-
Download the API Manager distribution from https://wso2.com/api-management/.
-
Download the Identity Server distirbution from https://wso2.com/identity-and-access-management/.
Info
To use WSO2 IS as the Key Manager, download the WSO2 Identity Server 5.10.0 as a Key Manager pack, with pre-packaged Key Manager features. The instructions are given below:
- Access the previous WSO2 API Manager related releases.
- Select version 3.1.0.
- Click on the Identity Server as a Key Manager download option.
Tip
For testing purposes, if you want to run both the WSO2 API Manager and WSO2 IS server on the same server, go to the
<IS-Home>/repository/conf/deployment.toml
file and offset the port by 1 to Identity Server, by adding following configuration:[server] offset=1
-
Start the servers using the following commands:
wso2server.bat --run
sh wso2server.sh
Configure the Identity Server¶
Step - 1 Configure the Service Provider¶
-
Login to the Management Console of the Identity server by accessing the following URL:
https://{is-ip}:9444/carbon
-
Navigate to the Service Providers section under Main → Identity and create new Service Provider.
-
Edit the created Service Provider:
-
Expand the Inbound Authentication Configuration secition and configure SAML2 Web SSO Configuration by providing the following information:
Issuer Specify the Issuer Assertion Consumer URLs https://{apim-ip}:9443/commonauth
Response Signing Algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Enable Response Signing true Enable Signature Validation in Authentication Requests and Logout Requests true Enable Single Logout true Enable Attribute Profile true Include Attributes in the Response Always true Following image shows the sample values for SAML2 Web SSO Configuration:
-
Expand the Claim Configuration section. Add http://wso2.org/claims/role as mandatory claim.
-
Update the Service Provider configurations.
In Multi-tenanted environments
Carry out the instruction given below for all the tenants to be able to login to the API-M Web applications in a multi-tenanted environment.
- Click the SaaS Application option that appears after registering the service provider.
If you do not select the SaaS Application option, only users in the current tenant domain will be allowed to login to the portals. You will need to register separate service providers for portals from each tenant.
-
Upload the public certificate of the API Manager by selecting Select SP Certificate Type.
-
Step - 2 Create users and roles¶
-
Create the required users and roles in Identity Server. Assume that the following users are created in Identity Servers with the given roles.
User Role api_publisher publisher_role api_user user_role
Configure the API Manager¶
Step - 1 Configure the Identity Provider¶
-
Login to the Management Console of API Manager by browsing the following URL:
https://{apim-ip}:9443/carbon
-
Navigate to the Identity Providers section under Main → Identity and create new Identity Provider.
-
Upload the public certificate of Identity Server under Upload IDP certificate.
-
Expand the Federated Authenticators section and add following configurations under SAML2 Web SSO Configurations:
Enable SAML2 Web SSO true Service Provider Entity ID It depends on the Issuer value defined in the Service Provider configured in Identity Server above Identity Provider Entity ID localhost SSO URL https://{is-ip}:9444/samlsso Signature Algorithm RSA with SHA256 Single Logout profile true Enable Authentication Request Signing true Enable Authentication Response Signing true Enable Logout Request Signing true Following image shows the sample values for SAML2 Web SSO Configurations:
Note
Make sure your service provider configurations in the Identity Server and the identity provider configurations in API Manager are similarly reflected to each other.
Example:
- If the Response Signing Algorithm in Identity Server is rsa-sha256, then the Signature Algorithm in API Manager should be RSA with SHA256.
- If you have enabled Enable Single Logout in the Service Provider created in the Identity Server, then you have to enable Single Logout Profile in the Identity Provider created in API Manager.
-
Enable Just-in-Time Provisioning to provision the users in API Manager.
-
Add the following role mapping under Role Configuration section:
Identity Server Roles Roles Mapped in API Manager user_role Internal/Subscriber publisher_role Internal/publisher Tip
Instead of using the default internal roles, you can also create new roles in API Manager and map it to the provisioned users.
Step - 2 Configure the Service Provider¶
-
Navigate to the Service Providers section and list the Service Providers. There are two service providers created for Publisher portal and Developer portal named as
apim_publisher
andapim_devportal
. Edit theapim_publisher
service provider.Attention
The service providers are created during the first login. Therefore, you will have to log into the Developer Portal and Publisher at least once for the two service providers to appear.
-
Expand the Local & Outbound Authentication Configuration section and select Federated Authentication as the Authentication Type and select the name of the Identity Provider you created. Update the configurations with your selection.
Check Assert identity using mapped local subject identifier option. Note that it is mandatory to enable this option to authorize scopes for provisioned federated users.
-
Repeat the same step for the apim_devportal Service Provider as well.
Now you will be able to login to Publisher and Devportal using the users in WSO2 Identity Server.
Info
To learn more about Single Sign-On with WSO2 Identity Server, see SAML 2.0 Web SSO in the WSO2 Identity Server documentation.
-