[Federated Authentication] Integrating OpenAM with WSO2IS using OpenID Connect

In my previous blog post, we went through how to configure a SAML2 SSO web application with Identity Server. Users authenticate to Identity Server by providing a username and password, and those credentials are validated against the enterprise user store deployed with Identity Server. Therefore, only users who exist in the enterprise user store can access the web application.

Assume you have a new requirement: the web application must also be accessible to users from a partner organization. The partner organization keeps its employees' user accounts in an LDAP server, and for security reasons it cannot expose that LDAP server to the enterprise Identity Server as a user store. However, the partner organization has an OpenAM Identity Provider that is connected to the LDAP server. OpenAM supports SAML2 SSO and OpenID Connect, and it authenticates users against the LDAP server. Therefore, users from the partner organization who need to log in to the web application can be redirected to the OpenAM IDP and authenticated against their own LDAP server. How do we achieve this?

With Identity Server, you can configure multiple Federated Identity Providers against which users can be authenticated. In this use case, users from the enterprise itself are authenticated against the enterprise user store, and users from the partner organization are authenticated with the OpenAM IDP.

[screenshot]

Now let's see how to integrate OpenAM and WSO2IS using OpenID Connect.

Configure WSO2IS as an OpenID Connect Client Application in OpenAM

Step 1. More details on OpenID Connect client application registration in OpenAM can be found here. You need to go through the same steps; I would like to highlight some of the important ones using screenshots.

Provide a name and a password; these become the OAuth2 client id and client secret.

[screenshot]

Configure the scope value to be “openid”.

[screenshot]

Configure the callback URL for your WSO2IS; it must be the following value:

https://{HOST_NAME}:{PORT}/commonauth

[screenshot]

Configure OpenAM as a Federated OpenID Connect IDP

Step 1. Log in to the WSO2IS management console.

Step 2. Register a new Federated IDP.

You need to provide a name for the IDP configuration, say “OpenAM-IDP”.

[screenshot]

Go to “OAuth2/OpenID Connect Configuration” and register the following details.

[screenshot]

1. Enable / Default – you can enable it and set it as the default

2. Authorization Endpoint URL – http://localhost:8080/OpenAM-12.0.0/oauth2/authorize

3. Token Endpoint URL – http://localhost:8080/OpenAM-12.0.0/oauth2/access_token

4. Client Id – WSO2IS (the value we provided when registering the client in OpenAM)

5. Client Secret – (the value we provided when registering the client in OpenAM)

6. Additional Query Parameters – scope=openid (not required; by default, WSO2IS sends the openid scope)

Step 3. Configure OpenAM-IDP as the Federated IDP for our web application.

There are two ways to attach OpenAM-IDP as a Federated IDP.

One way is to simply configure it as the federated authentication IDP for the web application. Then, when a user tries to access the web application, the user is redirected to the OpenAM-IDP login page via the Identity Server. In this case, only users who can be authenticated via OpenAM-IDP can log in to the web application.

[screenshot]

Alternatively, you can configure it using Advanced Configuration. Here we configure one step that contains two authentication options. One is basic authentication, which authenticates users from the enterprise user store; the other is OpenAM-IDP. Once configured like this, users accessing the web application are presented with an IDP login page offering both options. Therefore, users from both OpenAM-IDP and the enterprise user store can log in to the web application.

[screenshot]

Try out


Let's try to log in to the web application. If you have configured it using Advanced Configuration, you will see the following login page in the Identity Server.

[screenshot]

When you click OpenAM-IDP, you are redirected to the OpenAM login and user consent pages.

[screenshot]

[screenshot]

By default, WSO2IS extracts the username from the id_token (the “sub” claim) and sends it back to the web application using SAML2 SSO.
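To make the federation steps above concrete, here is an added example (not code from the blog, OpenAM or WSO2IS) that walks through what Identity Server does as an OpenID Connect client against the IDP configuration from Step 2: it builds the authorization request to the authorize endpoint, builds the token request for the access_token endpoint, and then verifies a returned id_token before extracting the “sub” claim that becomes the username. The authorize/token endpoints, client id and /commonauth callback are taken from the post; the issuer value, the client secret, the HS256 signing of the id_token and every token in the example are assumptions constructed for the demonstration. The verification shows the checks a relying party must make before trusting “sub”: signature, issuer, audience, expiry and nonce.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Endpoint, client id and redirect URI values are the ones from the blog's
# federated IdP configuration (a local OpenAM 12 and the WSO2IS /commonauth
# callback). The client secret, issuer and every token below are constructed
# for this example and are not values from the page.
AUTHORIZE_ENDPOINT = "http://localhost:8080/OpenAM-12.0.0/oauth2/authorize"
TOKEN_ENDPOINT = "http://localhost:8080/OpenAM-12.0.0/oauth2/access_token"
CLIENT_ID = "WSO2IS"
CLIENT_SECRET = "constructed-client-secret"        # placeholder, not a real secret
REDIRECT_URI = "https://localhost:9443/commonauth"  # {HOST_NAME}:{PORT}/commonauth
ISSUER = "http://localhost:8080/OpenAM-12.0.0"     # assumed issuer value


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(state: str, nonce: str, scope: str = "openid") -> str:
    """The redirect Identity Server sends the browser to (authorization code flow)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,   # "openid" is what makes this an OIDC request
        "state": state,   # CSRF binding for the callback
        "nonce": nonce,   # must come back inside the id_token
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def build_token_request(code: str) -> dict:
    """Form body Identity Server posts to TOKEN_ENDPOINT after the callback."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


def make_hs256_id_token(claims: dict, secret: str) -> str:
    """Constructed stand-in for the id_token the token endpoint would return."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def extract_subject(id_token: str, secret: str, expected_nonce: str, now: int = None) -> str:
    """Validate the id_token and return its 'sub' claim (the federated username)."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the expected algorithm; never let the token choose (rejects "none").
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("id_token signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("id_token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("id_token has no sub claim")
    return sub


if __name__ == "__main__":
    nonce = "n-constructed"
    print(build_authorization_url(state="s-constructed", nonce=nonce))
    token = make_hs256_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                                 "iat": 1000, "exp": 2000, "nonce": nonce}, CLIENT_SECRET)
    print("username for SAML2 response:", extract_subject(token, CLIENT_SECRET, nonce, now=1500))
```

The `now` parameter exists so expiry can be tested deterministically; in production leave it unset. If OpenAM is configured to sign id_tokens with RS256 instead, the signature step must verify against the IDP's published JWKS rather than the client secret, and `alg` should be pinned to that value.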

[screenshot]

Thanks for reading…!!!


Comments

  1. Can or does the access token created by the federated OpenID Connect IDP get sent back to the application? If so, how is this done?

    1. What is it needed for? It is not possible by default. OpenAM is only used for authentication; it is not used as an OAuth2 authorization server here. Could you please clarify the requirement?

  2. Does the user authenticating on OpenAM have to exist on WSO2 Identity Server, too?

    We have this scenario: WSO2 Enterprise Store configured with WSO2 Identity Server for SSO, and WSO2 Identity Server federates authentication to OpenAM as you showed in this tutorial. There is no user in any of the WSO2 products, only in OpenAM. Authentication works OK, but when WSO2IS redirects back to WSO2ES, we get “WARN {JAGGERY.controllers.acs:jag} – User user_from_OpenAM does not have permission to access the store application.Make sure the user has the store role.” So practically we are not able to assign a role (Internal/store) to the user so that he can access the store. We tried Just-In-Time Provisioning in WSO2IS, but the user is created with the role Internal/everyone, and again we are not able to provision it with the wanted role by mapping a certain attribute to a role on the WSO2 Identity Server.
