Enabling SSO for WSO2 APIM 3.0.0

In earlier APIM 3.0.0 builds, Single Sign-On (SSO) was not enabled for the Store and Publisher applications; it is now enabled for both. That is, once a Store user has authenticated against the Store, they do not have to authenticate again for the Publisher.

SSO has been implemented using OpenID Connect (OIDC) with the authorization code grant type.

The authentication flow of the authorization code grant type contains the following main steps, as per the specification.

Figure 1: Create the DCR application and redirect the user to the IS login
  • Register a Service Provider -> Register the application as a Service Provider in the Identity Server (IS). This yields the client ID and client secret used in the steps below.
  • Authorization Code Request -> When a user logs into the Store/Publisher, the application redirects the browser to the authorization endpoint of the IS with the following query parameters. The specification additionally requires response_type=code and, for OIDC, scope=openid; a state value is strongly recommended so that the callback can be tied to the browser session that started the login.
client_id=<Client ID of the Service Provider>
redirect_uri=<Callback URL given when registering the Service Provider>
  • Authorization Code Response -> The IS authenticates the user and redirects the browser back to the registered callback URL; from this response the application retrieves an authorization code and the session state.
  • Access Token Request -> Send a POST request to the token endpoint of the IS. Per the specification these are form parameters in the request body (not URL query parameters), sent together with grant_type=authorization_code.
client_id=<Client ID of the registered Service Provider>
client_secret=<Client secret of the registered Service Provider>
code=<Authorization code received>
redirect_uri=<Same callback URL given in authorization code request>
  • Access Token Response -> In the access token response, you receive an access token, an ID token (since the scope includes openid) and optionally a refresh token. An authorization code is single-use: the specification requires the authorization server to reject a second exchange of the same code.
Figure 2: Authorization code and Access token requests
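The flow above, carried through end to end as an added example (this is illustration code, not WSO2 code): a small in-memory stand-in for the Identity Server's authorize and token endpoints on one side, and the checks the Store/Publisher web application has to make on the other. The endpoint URLs, the callback path and the ID token format are assumptions; a real IS returns a signed JWT as the ID token. The example also shows the two checks that make the flow safe, which the steps alone do not: the client rejects a callback whose state does not match its session, and the server rejects a replayed code and a redirect_uri that was not registered.

```python
# Added worked example (not WSO2 code): the OIDC authorization code flow from the
# steps above, with both sides modelled in memory so it runs offline.
# FakeIdentityServer stands in for the Identity Server's /oauth2/authorize and
# /oauth2/token endpoints; the client functions model the Store/Publisher web app.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint and callback values are assumptions for the example.
AUTHORIZATION_ENDPOINT = "https://localhost:9443/oauth2/authorize"
REDIRECT_URI = "https://localhost:9292/store/login/callback"


class FakeIdentityServer:
    """Minimal stand-in for WSO2 IS: registered service providers, one-time codes."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, authenticated subject)

    def register_service_provider(self, redirect_uri):
        """Step 1: register the app as a Service Provider, get client credentials."""
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def authorize(self, query, subject):
        """Steps 2/3: the user `subject` has logged in at the IS; issue a code."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        _, registered_uri = self.clients[q["client_id"]]
        if q.get("response_type") != "code" or "openid" not in q.get("scope", "").split():
            raise ValueError("not an OIDC authorization code request")
        if q.get("redirect_uri") != registered_uri:  # never redirect to an unregistered URL
            raise ValueError("redirect_uri does not match the registered callback")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], registered_uri, subject)
        # Authorization code response: redirect back with the code and the client's state.
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        """Steps 4/5: exchange a code for tokens; the client authenticates with its secret."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        secret, _ = self.clients[form["client_id"]]
        if not secrets.compare_digest(secret, form["client_secret"]):
            raise ValueError("client authentication failed")
        entry = self.codes.pop(form["code"], None)  # pop: a code can be redeemed only once
        if entry is None:
            raise ValueError("unknown or already used authorization code")
        client_id, redirect_uri, subject = entry
        if client_id != form["client_id"] or redirect_uri != form["redirect_uri"]:
            raise ValueError("code was not issued to this client and redirect_uri")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32),
                "id_token": "sub=" + subject}  # placeholder; a real IS returns a signed JWT


def build_authorization_request(client_id, session):
    """Client side of step 2: build the redirect to the IS authorization endpoint."""
    session["state"] = secrets.token_urlsafe(16)  # bound to this browser session
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": session["state"]}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url, session):
    """Client side of step 3: accept the code only if state matches this session."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("state", None)
    if expected is None or not secrets.compare_digest(q.get("state", ""), expected):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    return q["code"]


def exchange_code(server, client_id, client_secret, code):
    """Client side of step 4: POST form parameters (not a query string) to the token endpoint."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code, "redirect_uri": REDIRECT_URI}
    return server.token(form)


def run_flow(user="storeuser"):
    """Run the complete flow; returns the token response and whether a code replay was rejected."""
    server = FakeIdentityServer()
    client_id, client_secret = server.register_service_provider(REDIRECT_URI)
    session = {}  # the Store/Publisher's server-side session for one browser
    auth_url = build_authorization_request(client_id, session)
    callback_url = server.authorize(urlparse(auth_url).query, subject=user)
    code = handle_callback(callback_url, session)
    tokens = exchange_code(server, client_id, client_secret, code)
    try:
        exchange_code(server, client_id, client_secret, code)  # second use of the same code
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return tokens, replay_rejected


if __name__ == "__main__":
    result, rejected = run_flow()
    print("token_type:", result["token_type"], "id_token:", result["id_token"],
          "replay rejected:", rejected)
```

In the Store/Publisher, `session` corresponds to the server-side session behind the user's browser cookie; the state value lives only there and in the redirect, which is what lets `handle_callback` tell a genuine return from the IS apart from a code that an attacker obtained elsewhere and pushed into a victim's browser.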

How to Configure and Enable SSO for WSO2 APIM 3.0.0

In order to configure and enable SSO for the APIM 3.0.0 Store/Publisher applications, follow the instructions below.

  • Open the <API-M_HOME>/conf/deployment.yaml file and add the following authentication configurations to it.
# APIM Store/Publisher Configuration Parameters
apimBaseUrl: https://localhost:9292/
# Authorization Endpoint
authorizationEndpoint: https://localhost:9443/oauth2/authorize
# SSO Enabled or not
ssoEnabled: false
  • To enable SSO for the API Store/Publisher, set the ssoEnabled parameter to true.
  • Save your changes and restart the API Manager server.

Now you can log in to the Store and, in the same browser session, open the Publisher without being asked to authenticate again.