WSO2 Identity Server-7.0.0 as the Identity Provider for your WSO2 API Manager-4.3.0 portals

Ramindu De Silva
5 min read · Oct 25, 2024


In this article, I will be using the latest WSO2 API Manager (APIM) 4.3.0 and WSO2 Identity Server (IS) 7.0.0 to configure WSO2 IS as the external IdP for SSO in the APIM portals, and also show how to configure it to be used as a Key Manager (KM). This is mainly because IS 7.0 provides a drastic UI upgrade over the IS 6.x.x versions.

Configuring Identity Server as External IDP using OIDC for SSO

Export the certificate of the Identity Server from wso2is-7.0.0/repository/resources/security/wso2carbon.jks and import it into the API Manager truststore at wso2am-4.3.0/repository/resources/security/client-truststore.jks.

Set a port offset for the API Manager (offset = 1) and for the IS (offset = 2), since we are running the two servers on the same machine. The setting lives in each product's <product_home>/repository/conf/deployment.toml file, under the [server] section.

[server]
hostname = "localhost"
# offset = 1 for the API Manager; use offset = 2 in the Identity Server's deployment.toml
offset = 1

Configuring the IS server

Start the server using <product_home>/bin/wso2server.sh and navigate to https://localhost:9445/console

First, create a standard application by navigating to the left panel of the console.

In the Protocol section, do the following and click Update.

In the User Attributes section, do the following and click Update:

  • Select Groups and Profile as requested attributes and click Update.
  • Since Groups is already an OIDC scope in the User Attributes section, there is no need to add it as an additional scope as was done in IS 6.x.x.
  • After updating, scroll the same page down to Subject, select Username and click Update. The additional attributes are only listed after the requested attributes have been selected in the previous step.

Create Groups

Then we need to create the Groups that will be checked when granting access to the relevant portals. Here, let's just create the Groups and finish the wizard without selecting any users or roles.

  • Create the publisher, developer, creator and user groups.

Create a few users

Create the users and add them to the above groups while creating them, as follows.

Note: A user needs both the creator and publisher roles to create an API and publish it. Hence the creator group is also added to the user john_pub.

Test the application with the Authorization Code grant and check that all the necessary information is available in the token

By navigating to the application section and opening the Info section, it's possible to find all the necessary information.

In Postman, add a request, do the configuration and click on “Get New Access Token”. Note the scopes being requested as well.

This will redirect you to the IS authentication endpoint, where you need to provide a username and password.

After a successful login you will see the screen below.

The token can be copied from the following screen.

Navigate to https://jwt.io/ and inspect the token content; you will see the information, including the group the user is in.

Configuring the APIM server

Please refer to the documentation at link to configure the external IDP, and configure the service providers for the relevant developer and publisher portals using link.

Since the groups were added as developer and publisher, the role configuration in the IDP configuration is changed as follows.
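The token inspection above (jwt.io shows the payload without checking the signature) and the group-to-portal mapping here (creator plus publisher for the publisher portal, developer for the developer portal) can be exercised offline with the following script. This is an added example and not code from the article or from WSO2: it builds a constructed JWT signed with HS256 and a constructed shared secret (IS 7.0 actually signs tokens with the key pair in wso2carbon.jks, so in a real check you would verify an RS256 signature with the IS public key), assumes the claim is named groups and the subject is the username, and uses constructed users john_pub and jane_dev. The with_modified_claims helper re-encodes the payload while keeping the original signature, to show why a decode without verification, which is all jwt.io does, must never be used to decide portal access.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret: a stand-in for the Identity Server's signing key.
# HS256 is used only so the example runs offline without a key pair.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

# Group requirements from the article: the publisher portal needs both the
# creator and publisher groups; the developer portal needs the developer group.
PORTAL_REQUIREMENTS = {
    "publisher": {"creator", "publisher"},
    "devportal": {"developer"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT so the checks below have input to run on."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def decode_unverified(token: str) -> dict:
    """What jwt.io displays: the payload, with no signature check at all."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_and_decode(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check the algorithm and signature first; only then return the claims."""
    header, payload, signature = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected JWT algorithm")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("JWT signature does not verify")
    return json.loads(_b64url_decode(payload))


def portals_allowed(claims: dict) -> set:
    """Map the groups claim to the portals the user may use."""
    groups = claims.get("groups", [])
    if isinstance(groups, str):  # tolerate a single group sent as a plain string
        groups = [groups]
    groups = set(groups)
    return {portal for portal, needed in PORTAL_REQUIREMENTS.items() if needed <= groups}


def with_modified_claims(token: str, claims: dict) -> str:
    """Swap in a new payload but keep the old signature (a tampered token)."""
    header, _, signature = token.split(".")
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{signature}"


if __name__ == "__main__":
    # Constructed user matching the article: john_pub is in publisher and creator.
    token = make_demo_token({"sub": "john_pub", "groups": ["publisher", "creator"]})
    print("jwt.io view:", decode_unverified(token))
    print("verified portals:", portals_allowed(verify_and_decode(token)))

    tampered = with_modified_claims(token, {"sub": "john_pub", "groups": ["developer"]})
    print("unverified view of tampered token:", portals_allowed(decode_unverified(tampered)))
    try:
        verify_and_decode(tampered)
    except ValueError as exc:
        print("tampered token rejected:", exc)
```

Run it as a script to see the difference between the unverified view and the verified one; the portal decision is only made on claims returned by verify_and_decode.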

Log in to the portals

Once the portals are configured, try accessing the publisher portal at https://localhost:9444/publisher; you will see that you are redirected to the Identity Server for authentication.

Once you provide the correct credentials, you are redirected to the developer or publisher portal and can see the logged-in user as well.

I hope this article gives you some insight into configuring APIM with IS 7.0, since it provides a drastic UI upgrade over the IS 6.x.x versions.
