WSO2 Identity Server-7.0.0 as the Identity Provider for your WSO2 API Manager-4.3.0 portals
In this article, I will be using the latest WSO2 API Manager (APIM) 4.3.0 and WSO2 Identity Server (IS) 7.0.0 to configure WSO2 IS as the external IdP for SSO in the APIM portals, and also cover how to configure it for use as a Key Manager (KM). This is mainly because IS 7.0 provides a drastic UI upgrade over the IS 6.x.x versions.
Configuring Identity Server as External IDP using OIDC for SSO
Export the certificate of the Identity Server from wso2is-7.0.0/repository/resources/security/wso2carbon.jks and import it into the API Manager truststore at wso2am-4.3.0/repository/resources/security/client-truststore.jks.
Set a port offset for the API Manager (offset = 1) and for the IS (offset = 2), since we are running the two servers on the same machine. The setting lives under the [server] section of each product's <product_home>/repository/conf/deployment.toml file:
[server]
hostname = "localhost"
offset=1
Configuring the IS server
Start the server using <product_home>/bin/wso2server.sh and navigate to https://localhost:9445/console.
First, create a standard application from the left panel of the console.
In the Protocol section, do the following and update:
- Enable the code, client credentials and password grant types
- Add https://localhost:9444/commonauth as an Authorized redirect URL
- Add https://localhost:9444 under Allowed origins
- Set the Access Token type to JWT
In the User Attributes section, do the following and update:
- Select Groups and Profile as requested attributes and Update. Since Groups is already an OIDC scope in the user attribute section, there is no need to add it as an additional scope as was done in IS-6.x.x.
- After updating, scroll down the same page to Subject, select Username and Update. The additional attributes are only listed after the requested attributes have been selected in the previous step.
Create Groups
Then we need to create the groups that will be checked when granting access to the relevant portals. Here, just create the groups and finish the wizard without selecting any users or roles.
- Create the publisher, developer, creator and user groups
Create a few users
Create users and add them to the above groups while creating them, as follows.
Note: A user needs both the creator and publisher roles to create an API and publish it. Hence the creator group is added to the user john_pub as well.
Test the application with the Authorization Code grant and check that all necessary information is available in the token
By navigating to the application section and going to the Info section, you can find all the necessary information.
In Postman, add a request, fill in the OAuth 2.0 configuration and click on “Get New Access Token”. Note the scopes that are requested as well.
This redirects you to the IS authentication endpoint, where you need to provide a username and password.
After a successful login you will see the screen below.
The token can be copied from the following screen.
Navigate to https://jwt.io/ and, once you inspect the token content, you will see the claims, including the groups the user belongs to.
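As an added example (not from the article or the WSO2 products), here is the kind of check a portal-side integration can run on such a token: decode the claims and confirm the groups claim covers everything the portal requires. The issuer URL, the group-to-portal mapping, the "groups" claim name and the sample payload are assumptions for the demonstration.

```python
import base64
import json
import time

# Groups a user must hold for each APIM portal, mirroring the article:
# publishing an API needs both creator and publisher; the developer portal
# needs the developer group.
REQUIRED_GROUPS = {
    "publisher": {"creator", "publisher"},
    "devportal": {"developer"},
}
# Assumed issuer value for an IS 7.0 instance running with port offset 2
EXPECTED_ISSUER = "https://localhost:9445/oauth2/token"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Parse the claims of a compact JWT (header.payload.signature).
    This only decodes; the signature must be verified against the IS JWKS
    before the claims are trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))

def portal_access(token, portal, now=None):
    """True if the token is unexpired, from the expected IS, and its
    'groups' claim covers every group the portal requires."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("exp", 0) <= now:
        return False
    return REQUIRED_GROUPS[portal] <= set(claims.get("groups", []))

def make_sample_token(sub, groups, exp):
    """Constructed, unsigned sample token for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps({"iss": EXPECTED_ISSUER, "sub": sub,
                                  "groups": groups, "exp": exp}).encode())
    return f"{header}.{payload}.signature-omitted"
```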
Configuring the APIM server
Please refer to the documentation at link to configure the external IdP, and configure the service providers for the developer and publisher portals using link.
Since the groups were added as developer and publisher, the role configuration in the IdP configuration is changed as follows.
Log in to the portals
Once you have configured the portals, try accessing the publisher portal at https://localhost:9444/publisher; you will see that you are redirected to the Identity Server for authentication.
Once you provide the correct credentials, you are redirected back to the developer or publisher portal and can see the logged-in user as well.
I hope this article gives you some insight into configuring APIM with IS 7.0, given the drastic UI upgrade it provides over the IS 6.x.x versions.