[Federated Authentication] OpenID-Connect IDP with WSO2 Identity Server

In my previous blog post , we went through how you can configure the SAML2 SSO and OpenId Connect web application with Identity Server. You can find more detail on configuring SAML2 SSO web application from here. You can find more details on configuring OpenId Connect web application from here.

In both case, Users are authenticated to Identity Server by proving username/password. These username/password must be verified with the enterprise user store that identity server has been deployed. Therefore only the user who are in the enterprise user store can access the web application.

Assume, you have a new requirement that web application must be accessed by the users from some other partner organization. Partner organization has their employee’s user accounts in LDAP Server. Partner organization can not expose this LDAP server in to Enterprise Identity Server as a user store due to security reasons.

How we can do this?  We can achieve this by implementing the federated authentication with my organization’s Identity Server.

Partner organization can install an Identity Provider (Any IDP that supports standard authentication protocols) like Identity Server which would be connected with LDAP server. Therefore users from the partner organization who need to login to the web application can be redirected to Partner’s Identity Server and can be authenticated with their own LDAP Server.

With Identity Server, you can configure multiple federated identity providers that users can be authenticated. In this use case, users from its own enterprise can be authenticated with enterprise user store and users from partner organization, can be authenticated with Partner’s Identity Server. We can use SAML2 SSO or OpenId or OpenId-Connect to integrate these two Identity Server.

Today let see how we can integrate using OpenId-Connect.

Let assume, we have already configure the my organization’s Identity Server with OpenId-Connect or SAML2 SSO web application.

Configure Partner Identity Server

Step 1. Configure OAuth2 service provider application

Let assume, Partner Identity Server also running in same machine with port offset 1. It means in 9444 port in same host. (You can configure the port offset using carbon.xml file)

You only need to register an OAuth Application. You can find more details from here. Please note callback url must be my organization’s Identity Server url which would be


Configure Partner Identity Server as in Federated IDP

Lets go back to my organization’s Identity Server and configure the Partner Identity Server

Step 1. Login Identity Server managemet console

Step 2. Register new IDP

You need provide a name for IDP config

Go to “OAuth2/OpenID Connect Configuration” and Register following details.

1. Enable / Default – You can enable and set as default

2. Authorization Endpoint URL – https://localhost:9444/oauth2/authorize/

3. Token Endpoint URL – https://localhost:9444/oauth2/token/

4. Client Id – You can get from created OAuth 2.0 Application in Partener Identity Server

5. Client Secret – You can get from created OAuth 2.0 Application in Partener Identity Server

6. Additional Query Parameters – scope=openid

Now you are done with configuring the Partener Identity Server as trusted IDP

Step 3. Configure the Partener-Identity-Server as Federated IDP for Web application.

There are two ways that you can configure the Google IDP as Federated IDP.

One way is, just configure it as a federated authentication IDP for web application. Then, once user tries to access the web application, user would be redirect artener-Identity-Server login page via the identity Server. In here, only the users who can be authenticated via Partener-Identity-Server, can login to web application.

Or less, you can configure using Advance Configuration. Here we configure one step that contains two option of authentication. One is basic authentication that allows to authenticate users from enterprise user store. Other one is Partener-Identity-Server IDP. Once you configure like this, users who are accessing to web application would be promoted a IDP login page with both options. Therefore users from Partener-Identity-Server IDP and enterprise user store can login to web application.

Step 4. Try out .. lets try to login to web application. If you have configured using Advance Configuration, you would see following login page in the Identity Server.

Once you click on Partener-Identity-Server IDP, You would be redirected to Partener-Identity-Server login page. You can see the url has been change to 9444.