Federated Authentication for granting OAuth2 Access token with WSO2 API Manager (APIM)

WSO2 API Manager supports both the authorization code and implicit grant types. When access tokens are granted using these grant types, the end user must authenticate to the API Manager (actually, the Key Manager) by providing their credentials. This means that the end user must be in the user store that is connected to the API Manager (Key Manager). But there may be scenarios where the end user is in some other IDP and that user store cannot be connected to APIM. As an example, the end user may be in a cloud application such as Salesforce, Google Apps, and so on.

Therefore, let's see how we can configure API Manager to use federated authentication when granting access tokens.

Please note: WSO2 APIM does not ship with some of the federated authenticators that are available in WSO2IS. Therefore you need to install them using the feature manager. Please refer to this for it.

Step 1. Log in to the API Manager (or Key Manager) management console.

Step 2. Configure the federated IDP. As a sample, let's assume that our federated IDP is another SAML2 SSO IDP, which is Shibboleth.

For the Shibboleth IDP, please go through the configuration described under step 2 in this blog:

“Step 2. Register new Federated IDP”

You are now done configuring Shibboleth as a federated IDP. Please make sure to remember the unique name that you gave in the “Identity Provider Name” configuration, which is “Shibboleth-IDP”, because it is needed in the next step.

Please note that you can configure other federated IDPs in the same way. You can visit the following blogs and configure them accordingly.

Google
Salesforce
TestShib
OpenAM

Step 3. Attach the federated IDP to the default Service Provider configuration.

WSO2 APIM does not have the concept of a Service Provider. It has OAuth2 applications. But there is still a default service provider configuration, which is selected when no service providers are defined. This means that APIM has only one service provider, which is the default one.

The default service provider configuration can be found in the /repository/conf/identity/service-providers/default.xml file. You can open it and edit it to reference your configured IDPs.

Say we want to let the end user choose between both authentication options, that is, authenticating with the APIM user store or with Shibboleth-IDP. We can configure the file as follows.

Please make sure your IDP name is “Shibboleth-IDP”, as we configured in the previous step.

<IdentityProviderName>Shibboleth-IDP</IdentityProviderName>

Also, since we are integrating Shibboleth as a SAML2 SSO IDP, the federated authenticator must be “SAMLSSOAuthenticator”.

If we are integrating it as an OpenID Connect IDP, the federated authenticator must be “OpenIDConnectAuthenticator”.

If we are integrating it as a Passive STS IDP, the federated authenticator must be “PassiveSTSAuthenticator”.

If we are integrating it as an OpenID IDP, the federated authenticator must be “OpenIDAuthenticator”.

<Name>SAMLSSOAuthenticator</Name>
<ServiceProvider>
	<ApplicationID>1</ApplicationID>
	<ApplicationName>default</ApplicationName>
	<Description>Default Service Provider</Description>
	<InboundAuthenticationConfig>
		<InboundAuthenticationRequestConfigs>
			<InboundAuthenticationRequestConfig>
				<InboundAuthKey>default</InboundAuthKey>
				<InboundAuthType></InboundAuthType>
				<Properties></Properties>
			</InboundAuthenticationRequestConfig>
		</InboundAuthenticationRequestConfigs>
	</InboundAuthenticationConfig>
	<LocalAndOutBoundAuthenticationConfig>
		<AuthenticationSteps>
			<AuthenticationStep>
				<StepOrder>1</StepOrder>
				<LocalAuthenticatorConfigs>
					<LocalAuthenticatorConfig>
						<Name>BasicAuthenticator</Name>
						<DisplayName>basicauth</DisplayName>
						<IsEnabled>true</IsEnabled>
					</LocalAuthenticatorConfig>
				</LocalAuthenticatorConfigs>
				<FederatedIdentityProviders>
					<IdentityProvider>
						<IdentityProviderName>Shibboleth-IDP</IdentityProviderName>
						<IsEnabled>true</IsEnabled>
						<DefaultAuthenticatorConfig>
							<FederatedAuthenticatorConfig>
								<Name>SAMLSSOAuthenticator</Name>
								<IsEnabled>true</IsEnabled>
							</FederatedAuthenticatorConfig>
						</DefaultAuthenticatorConfig>
					</IdentityProvider>
				</FederatedIdentityProviders>
				<SubjectStep>true</SubjectStep>
				<AttributeStep>true</AttributeStep>
			</AuthenticationStep>
		</AuthenticationSteps>
	</LocalAndOutBoundAuthenticationConfig>
	<RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
	<InboundProvisioningConfig></InboundProvisioningConfig>
	<OutboundProvisioningConfig></OutboundProvisioningConfig>
	<ClaimConfig></ClaimConfig>
	<PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>

The login page will then be presented with both options.

Say we want to offer only federated authentication with Shibboleth-IDP. Then the configuration would be as follows. You can remove the local authenticator configuration from the file.

<ServiceProvider>
	<ApplicationID>1</ApplicationID>
	<ApplicationName>default</ApplicationName>
	<Description>Default Service Provider</Description>
	<InboundAuthenticationConfig>
		<InboundAuthenticationRequestConfigs>
			<InboundAuthenticationRequestConfig>
				<InboundAuthKey>default</InboundAuthKey>
				<InboundAuthType></InboundAuthType>
				<Properties></Properties>
			</InboundAuthenticationRequestConfig>
		</InboundAuthenticationRequestConfigs>
	</InboundAuthenticationConfig>
	<LocalAndOutBoundAuthenticationConfig>
		<AuthenticationSteps>
			<AuthenticationStep>
				<StepOrder>1</StepOrder>
				<FederatedIdentityProviders>
					<IdentityProvider>
						<IdentityProviderName>Shibboleth-IDP</IdentityProviderName>
						<IsEnabled>true</IsEnabled>
						<DefaultAuthenticatorConfig>
							<FederatedAuthenticatorConfig>
								<Name>SAMLSSOAuthenticator</Name>
								<IsEnabled>true</IsEnabled>
							</FederatedAuthenticatorConfig>
						</DefaultAuthenticatorConfig>
					</IdentityProvider>
				</FederatedIdentityProviders>
				<SubjectStep>true</SubjectStep>
				<AttributeStep>true</AttributeStep>
			</AuthenticationStep>
		</AuthenticationSteps>
	</LocalAndOutBoundAuthenticationConfig>
	<RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
	<InboundProvisioningConfig></InboundProvisioningConfig>
	<OutboundProvisioningConfig></OutboundProvisioningConfig>
	<ClaimConfig></ClaimConfig>
	<PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>

The APIM login page will then be skipped and the user redirected directly to the Shibboleth-IDP.

Step 4. Restart the server. (Once you edit the default.xml configuration file, you need to restart the server.)

Step 5. Now you can try it out. Just subscribe for a new application using the APIM store and try to obtain an access token using the code or implicit grant type. You will be redirected to your federated IDP.
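The following check is an added example, not part of the original article or of WSO2's code. It parses an edited default.xml before the restart in step 4 and reports, per authentication step, which local and federated authenticators are enabled, flagging an IDP name that does not match a registered one or an authenticator name outside the four listed in step 3. The `audit` function, the exact-match name comparison and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The four federated authenticator names the article lists in step 3.
KNOWN_FEDERATED = {"SAMLSSOAuthenticator", "OpenIDConnectAuthenticator",
                   "PassiveSTSAuthenticator", "OpenIDAuthenticator"}

def _text(node, tag):
    return (node.findtext(tag) or "").strip()

def _enabled(node):
    return _text(node, "IsEnabled").lower() == "true"

def audit(xml_text, registered_idps):
    """Return (steps, problems) for the XML text of a default.xml file."""
    steps, problems = [], []
    for step in ET.fromstring(xml_text).iter("AuthenticationStep"):
        order = _text(step, "StepOrder") or "?"
        local = [_text(c, "Name")
                 for c in step.iter("LocalAuthenticatorConfig") if _enabled(c)]
        federated = []
        for idp in step.iter("IdentityProvider"):
            if not _enabled(idp):
                continue
            name = _text(idp, "IdentityProviderName")
            if name not in registered_idps:  # exact match is an assumption
                problems.append(f"step {order}: IDP '{name}' is not registered")
            auths = [_text(a, "Name")
                     for a in idp.iter("FederatedAuthenticatorConfig") if _enabled(a)]
            problems += [f"step {order}: unlisted authenticator '{a}'"
                         for a in auths if a not in KNOWN_FEDERATED]
            if not auths:
                problems.append(f"step {order}: IDP '{name}' has no authenticator")
            federated.append((name, auths))
        if not local and not federated:
            problems.append(f"step {order}: no enabled authenticator at all")
        steps.append({"order": order, "local": local, "federated": federated})
    return steps, problems

# Constructed sample: trimmed default.xml with a deliberately misspelled IDP name.
SAMPLE = """<ServiceProvider><LocalAndOutBoundAuthenticationConfig>
<AuthenticationSteps><AuthenticationStep><StepOrder>1</StepOrder>
 <LocalAuthenticatorConfigs><LocalAuthenticatorConfig>
  <Name>BasicAuthenticator</Name><IsEnabled>true</IsEnabled>
 </LocalAuthenticatorConfig></LocalAuthenticatorConfigs>
 <FederatedIdentityProviders><IdentityProvider>
  <IdentityProviderName>Shibboleth-IdP</IdentityProviderName><IsEnabled>true</IsEnabled>
  <DefaultAuthenticatorConfig><FederatedAuthenticatorConfig>
   <Name>SAMLSSOAuthenticator</Name><IsEnabled>true</IsEnabled>
  </FederatedAuthenticatorConfig></DefaultAuthenticatorConfig>
 </IdentityProvider></FederatedIdentityProviders>
</AuthenticationStep></AuthenticationSteps>
</LocalAndOutBoundAuthenticationConfig></ServiceProvider>"""
```

A step that still lists BasicAuthenticator in its `local` result accepts APIM user store credentials alongside the federated IDP, which is worth confirming when the intent is federated-only login.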

Thanks for reading…!!!


Comments

  1. Hi, thank you for this article.

    Do you know if it’s possible to add alternative flows in addition to default one for some of applications?

  2. With the new APIM (1.9.0), they have integrated the service providers with OAuth2 applications. Therefore, you can configure the federated authenticators for a given application in APIM. There is a management console UI for it. It is the same as in WSO2IS.
