Identity & Access Management

Enterprise Login for Choreo

Powered by Choreo’s default IDP: Asgardeo

Vivekvinushanth Christopher

Fig.1. Sample page for `Sign-in with Enterprise Login`

Enterprise login is a critical feature for any organization or service that already has an Identity Provider (IDP) where its users reside and wants to bring that identity to a new service.

Use case

In one of my previous blogs, I told you about Atman, one of my FYP team members, who was trying to monetize the model we designed and ended up using Asgardeo for identity management. As an update, he got a research scholarship at Vanheim Research Institute (VRI). VRI plans to expose the model as an API; it already exposes several machine-vision APIs for general use, and it uses Auth0 as its IDP. When VRI started looking at API management and integrations with payment gateways and other vendors as a way of expanding its presence and business, it learned about Choreo through my friend Atman (to whom I had been evangelizing it) and became interested in joining as a customer, given the ease of management, the low-code approach to integrations, and the identity ecosystem (Asgardeo and its features) that Choreo provides out of the box. The concern was the hassle of migrating users to a new IDP. But hell yeah, VRI doesn't need to: it can opt in to enterprise login, where Choreo lets an organization bring its own identity.

Let’s enable Enterprise Login Flow

1. Create an organization in Choreo

First of all, you have to sign in to Choreo before enabling the enterprise login feature, and create an organization if you have not already created one.

Fig.2. Create an organization in Choreo

Please note that you have to create an organization with the same name in Asgardeo, which is the default IDP for Choreo. The name will already be reserved for the owner, so visit https://console.asgardeo.io/ and create the organization with the same user. Follow this guide[3] to sign up and create an organization in Asgardeo.

Fig.3. Creating the same organization (vanheim) in Asgardeo

2. Configure enterprise login for your Choreo organization

For this, you first have to send a request to the Choreo team at choreo-help@wso2.com, mentioning the organization (vanheim) for which you want to enable enterprise login and the email domains you own, so that we can identify the end users who belong to your IDP.

Organization name: “vanheim”
Email domains: “@vanheim.com”, “@vanheimResearchIn.com”, and “@vanheim.eu”

Please note that there is a validation process to ensure that the organization and the email domains belong to you. Once validation is complete, the Choreo team will let you know that enterprise login has been enabled for your organization.

When the team enables enterprise login for your organization, a mapping from your email domains to the organization is added. The enablement also creates an application named “WSO2_LOGIN_FOR_CHOREO_CONSOLE” in the Asgardeo console, which is restricted so that only its sign-in method can be updated.

To revoke the feature, another request has to be made; revocation removes the application and the mapping as well. There is also an update flow, requested through the same Choreo help desk, through which you can update the email domains you own from time to time.

3. Bring your own identity

Now you can visit your Asgardeo organization and create a new connection under Manage → Connections[2]. Since Vanheim has Auth0 as its IDP, we configured Auth0. Preferably, disable JIT provisioning (Advanced section), as there is no requirement to provision the user locally.

Fig.4. Create a connection for the IDP you bring in

4. After configuring your connection, go to Manage → Applications and observe that there is an application named WSO2_LOGIN_FOR_CHOREO_CONSOLE.

Fig.5. Enterprise login Management app

Please note that the Protocols and General sections are not editable; they are pre-configured for the user's convenience.

Fig.6. Pre-configured protocol section

In the edit section (Sign-in method) you can update your authentication steps and add the external connection you created. For example, since our external IDP is Auth0, we added Auth0 (configured in step 3) as the only step in the authentication sequence.

Fig.7. Configurable Sign-in section

5. Now you can try the flow from Choreo

a. Choose Enterprise IDP login

Fig.8. Choose Enterprise login flow

b. Provide the username (e.g. vivek@vanheim.com).

Fig.9. Username and continue

As discussed above, Asgardeo identifies the organization from the email domain and redirects to the WSO2_LOGIN_FOR_CHOREO_CONSOLE application generated in that organization.

c. Based on the sign-in methods configured, you are redirected (in our case to Auth0) to the login page, where VRI's users can authenticate themselves without creating an account in Asgardeo (or, rather, on the Choreo side).

Fig.10. Auth0 login page.

d. The user can log in, and you will see that the user is able to access Choreo under your organization without creating or migrating any user base. Choreo, through Asgardeo, supports “Bring your own identity”.
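To make the email-domain mapping from step 2 and the organization discovery in step 5b concrete, here is an added illustration of how such a lookup should behave. This is not Choreo's or Asgardeo's code: the organization name and domains come from the example request above, while the function names, the one-owner-per-domain rule and the lookalike inputs are constructed for this example.

```python
"""Email-domain based organization discovery (illustration for steps 2 and 5b).

Added example, not Choreo/Asgardeo code. Organization and domains are taken
from the blog's sample request; everything else here is constructed.
"""
from typing import Dict, Iterable, Optional


def normalise_domain(domain: str) -> str:
    """Canonical form of an owned domain: trimmed, lower-cased, leading '@' dropped."""
    return domain.strip().lstrip("@").lower()


def register_domains(org: str, domains: Iterable[str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Add an organization's owned domains to the domain -> org mapping (step 2).

    A domain may belong to exactly one organization: a request that would
    re-point a domain already mapped to a different org is rejected.
    """
    for raw in domains:
        domain = normalise_domain(raw)
        if not domain or "@" in domain:
            raise ValueError(f"malformed email domain: {raw!r}")
        owner = mapping.get(domain)
        if owner is not None and owner != org:
            raise ValueError(f"{domain} is already mapped to organization {owner!r}")
        mapping[domain] = org
    return mapping


def email_domain(username: str) -> Optional[str]:
    """Domain of an email-style username, or None unless there is exactly one '@'."""
    local, sep, domain = username.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def resolve_organization(username: str, mapping: Dict[str, str]) -> Optional[str]:
    """Map a sign-in username to the organization owning its domain (step 5b).

    Whole-domain match only: 'x@vanheim.com.example' or 'x@notvanheim.com' is
    not owned by vanheim and yields None, so the user falls back to ordinary
    sign-in instead of being routed to another organization's IDP.
    """
    domain = email_domain(username)
    return mapping.get(domain) if domain else None


# Constructed mapping built from the example request in step 2.
DOMAIN_TO_ORG = register_domains(
    "vanheim", ["@vanheim.com", "@vanheimResearchIn.com", "@vanheim.eu"], {}
)
```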
