Configuring Identity Server as External IDP using OIDC¶
WSO2 API Manager uses the OIDC Single Sign-On feature by default. This document explains how to connect WSO2 Identity Server (or WSO2 Identity Server as a Keymanager) as a third party Identity provider to API-Manager.
- Download the API Manager distribution from https://wso2.com/api-management/.
Download the Identity Server distirbution from https://wso2.com/identity-and-access-management/.
For testing purposes if you want to run both the WSO2 API Manager and WSO2 Identity Server on the same server, go to the
<IS_HOME>/repository/conf/deployment.tomlfile and offset the port by 1 as by adding following configuration:
Start the servers using the following commands:
Configure the Identity Server¶
Step - 1 Configure the Service Provider¶
Sign in to the Management Console of WSO2 IS by browsing the following URL:
Navigate to the Service Providers section under Main → Identity and create new Service Provider.
Edit the created Service Provider:
Expand the Claim Configuration section. Add http://wso2.org/claims/role as mandatory claim.
Expand the Inbound Authentication Configuration secition and configure OAuth/OpenID Connect Configuration with callback URL -
Update the Service Provider configurations.
In Mutl-tenanted environments
Carry out the instruction given below for all the tenants to be able to login to the API-M Web applications in a multi-tenanted environment.
- Click the SaaS Application option that appears after registering the service provider.
If you do not select the SaaS Application option, only users in the current tenant domain will be allowed to login to the portals. You will need to register separate service providers for portals from each tenant.
Step - 2 Create users and roles¶
Create the required users and roles in Identity Server. Assume, following users are created in Identity Servers with the given roles.
User Role api_publisher publisher_role api_user user_role
Configure the API Manager¶
Step - 1 Configure the Identity Provider¶
Sign in to the Management Console of API Manager by browsing the following URL:
Navigate to the Identity Providers section under Main → Identity and create a new Identity Provider.
Expand the Federated Authenticators section and add the following configurations under OAuth2/OpenIDConnect Configuration:
Enable OAuth2/OpenIDConnect True Client Id Client Id of the Service Provider created in Identity Server Client Secret Client Secret of the Service Provider created in Identity Server Authorization Endpoint URL https://is.wso2.com:9444/oauth2/authorize Token Endpoint URL https://is.wso2.com:9444/oauth2/token Callback Url https://apim.wso2.com:9443/commonauth Userinfo Endpoint URL https://is.wso2.com:9444/oauth2/userinfo Logout Endpoint URL https://is.wso2.com:9444/oidc/logout
The following image shows the sample values for OAuth2/OpenIDConnect Configurations:
Enable Just-in-Time Provisioning to provision the users in API Manager:
Add the following role mapping under the Role Configuration section:
Identity Server Roles Roles Mapped in API Manager user_role Internal/Subscriber publisher_role Internal/publisher
Instead of using the default internal roles, you can also create new roles in API Manager and map it to the provisioned users.
Step - 2 Configure the Service Provider¶
Navigate to Service Providers section and list the Service Providers. There are two service providers created for Publisher portal and Developer portal named as
apim_devportal. Edit the
You will have to log into the Developer Portal and Publisher at least once for the two service providers to appear as it is created during first login.
Expand the Local & Outbound Authentication Configuration section and select Federated Authentication as Authentication Type and select the name of the Identity Provider you created in previous step and update.
Repeat the same step for
apim_devportalService Provider as well.
Now you will be able to login to Publisher and Devportal using the users in WSO2 Identity Server.
When using Identity Server as external IdP, following error can be observed in API Manager, when logging in to Portals.
invalid_request, The client MUST NOT use more than one authentication method in each
This is because the MutualTLS authenticator is enabled by default in the Identity Server, from version 5.8.0 onwards. Since the OIDC specification does not allow to use more than one authentication, the login fails with the above error. To resolve this issue, add following the configuration in the
deployment.toml file in the
<IS-Home>/repository/conf directory to disable the MutualTLS authenticator in the Identity Server.
[[event_listener]] id = "mutual_tls_authenticator" type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name = "org.wso2.carbon.identity.oauth2.token.handler.clientauth.mutualtls.MutualTLSClientAuthenticator" order = "158" enable = false