
Configuring Identity Server 7.x as External IDP using OIDC

WSO2 API Manager uses the OIDC Single Sign-On feature by default. This document explains how to connect WSO2 Identity Server 7.x (or WSO2 Identity Server as a Key Manager) as a third party Identity provider to API-Manager.

Prerequisites

  • Download the API Manager distribution from https://wso2.com/api-manager/.
  • Download the Identity Server 7.x distribution from https://wso2.com/identity-server/.

    Tip

    For testing purposes, if you want to run both WSO2 API Manager and WSO2 Identity Server on the same host, open the <IS_HOME>/repository/conf/deployment.toml file and offset the Identity Server ports by 1 by adding the following configuration (this is why the Identity Server URLs below use port 9444):

    [server]
    offset=1
    
  • Start the APIM server using the following command:

    api-manager.bat --run
    
    sh api-manager.sh
    
  • Start the IS server using the following command:

    wso2server.bat --run
    
    sh wso2server.sh
    

Configure the Identity Server 7.x

Step - 1 Configure the Service Provider

  1. Sign in to the Management Console of WSO2 IS by browsing the following URL:

    https://{is-ip}:9444/console
    
  2. Create a Standard-Based application by navigating to the Applications section from the left panel.

  3. Edit the created Application:

    1. In the Protocol section, do the following and click Update:

      • Enable the Code, Client Credential and Password grant types.
      • Add https://localhost:9444/commonauth as the Authorized redirect URL.
      • Add https://localhost:9444 as an Allowed origin.
      • Set the Access Token type to JWT.
    2. In the User Attributes section, do the following and click Update:

      • Select Groups and Profile as requested attributes and click Update.

      • Enable 'Assign alternative subject identifier', select Username as the Subject attribute and click Update.

Step - 2 Create groups and users

  1. Navigate to User Management → Groups → New Group and create a new group publisher_group without assigning users.

    Create User Group

  2. Navigate to User Management → Users → Add User and create a user new_publisher providing required details.

    Create User

  3. Assign publisher_group group to the new_publisher.

    Assign Group to User

Repeat the same steps to create a group for API users and assign users to it. The following users now exist in Identity Server with the given groups:

User            Group
new_publisher   publisher_group
new_user        user_group

Configure the API Manager

Step - 1 Configure the Identity Provider

  1. Sign in to the Management Console of API Manager by browsing the following URL:

    https://{apim-ip}:9443/carbon
    
  2. Navigate to the Identity Providers section under Main → Identity and create a new Identity Provider.

    1. Expand the Federated Authenticators section and add the following configurations under OAuth2/OpenIDConnect Configuration:

      Enable OAuth2/OpenIDConnect    True
      Client Id                      Client Id of the Service Provider created in Identity Server
      Client Secret                  Client Secret of the Service Provider created in Identity Server
      Authorization Endpoint URL     https://is.wso2.com:9444/oauth2/authorize
      Token Endpoint URL             https://is.wso2.com:9444/oauth2/token
      Callback Url                   https://apim.wso2.com:9443/commonauth
      Userinfo Endpoint URL          https://is.wso2.com:9444/oauth2/userinfo
      Logout Endpoint URL            https://is.wso2.com:9444/oidc/logout

      The following image shows the sample values for OAuth2/OpenIDConnect Configurations:


    2. Enable Just-in-Time Provisioning so that users authenticated by Identity Server are provisioned in API Manager.

    3. Add the following role mapping under the Role Configuration section:

      Identity Server Group    Roles Mapped in API Manager
      user_group               Internal/Subscriber
      publisher_group          Internal/publisher

      Tip

      Instead of using the default internal roles, you can also create new roles in API Manager and map them to the provisioned users.

    4. Add the following claim mapping under the Claim Configuration section:

      Identity Provider Claim URI    Local Claim URI
      groups                         http://wso2.org/claims/role

      Also select groups as the Role Claim URI.

    Claim mapping for sso
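As an added illustration (not code from the WSO2 documentation), the following Python script shows what the role mapping and the groups claim mapping above amount to: it decodes a JWT's claims for inspection, applies the page's group-to-role table, and reports missing claims or groups with no mapping, which are the usual reasons a JIT-provisioned user ends up without a portal role. The token-building helper, its placeholder signature and the sample groups are constructed for offline testing.

```python
import base64
import json

# Role mapping from this page: Identity Server group -> API Manager role.
ROLE_MAPPING = {
    "user_group": "Internal/Subscriber",
    "publisher_group": "Internal/publisher",
}

def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.
    Inspection only: use it to see which claims IS emits; trust decisions
    remain with API Manager, which validates the token itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def jit_preview(claims: dict, role_claim: str = "groups") -> dict:
    """Predict what JIT provisioning does with these claims under ROLE_MAPPING:
    the APIM username (sub), mapped roles, unmapped groups and config problems."""
    problems = []
    subject = claims.get("sub")
    if not subject:
        problems.append("no 'sub' claim: check the Subject attribute setting in IS")
    groups = claims.get(role_claim)
    if groups is None:
        problems.append(f"no '{role_claim}' claim: Groups not requested in User Attributes?")
        groups = []
    elif isinstance(groups, str):           # some IdPs send a comma-separated string
        groups = [g for g in groups.split(",") if g]
    mapped = sorted({ROLE_MAPPING[g] for g in groups if g in ROLE_MAPPING})
    unmapped = sorted(g for g in groups if g not in ROLE_MAPPING)
    if not mapped:
        problems.append("no group maps to an APIM role: user gets no portal role")
    return {"subject": subject, "roles": mapped, "unmapped": unmapped, "problems": problems}

def make_test_token(payload: dict) -> str:
    """Constructed sample token for offline testing; the signature is a placeholder."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(b'{"alg":"RS256","typ":"JWT"}')
    body = enc(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"

if __name__ == "__main__":
    # Constructed claims: the new_publisher user from this page plus an unmapped group.
    sample = make_test_token({"sub": "new_publisher", "groups": ["publisher_group", "admins"]})
    print(json.dumps(jit_preview(jwt_claims(sample)), indent=2))
```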

Step - 2 Configure the Service Provider

  1. Navigate to the Service Providers section and list the Service Providers. Two service providers, named apim_publisher and apim_devportal, are created for the Publisher portal and the Developer portal. Edit the apim_publisher service provider.

    Attention

    You will have to log in to the Developer Portal and the Publisher at least once for the two service providers to appear, as they are created during the first login.

  2. Expand the Local & Outbound Authentication Configuration section, select Federated Authentication as the Authentication Type, select the name of the Identity Provider you created in the previous step, and update.

  3. Repeat the same step for the apim_devportal Service Provider as well.

Now you will be able to log in to the Publisher and the Developer Portal using the users in WSO2 Identity Server.