Identity & Access Management
Enterprise Login for Choreo
Powered by Choreo’s default IDP: Asgardeo
Enterprise login is a critical feature for any organization that already has an Identity Provider (IDP) where its users reside and wants to bring that identity to a new service instead of creating and maintaining a second user base there.
Use case
In one of my previous blogs, I told you about Atman, one of my FYP team members, who was trying to monetize the model we designed and ended up using Asgardeo for identity management. As an update, he has received a research scholarship at Vanheim Research Institute (VRI). VRI plans to expose the model as an API, alongside the several machine-vision APIs it already exposes for general use, and VRI uses Auth0 as its IDP. When VRI started looking at API management and at integrations with payment gateways and other vendors as a way of expanding its presence and business, it learned about Choreo through my friend Atman, to whom I had been evangelizing it. VRI was interested in joining as a customer because of the ease of management, the low-code nature of the integrations, and the identity ecosystem (Asgardeo and its features) that Choreo readily provides. The one concern was the hassle of migrating users to a new IDP. But VRI doesn't need to migrate anyone: it opts in to enterprise login, where Choreo lets it bring its own identity.
Let’s enable Enterprise Login Flow
1. Create an organization in Choreo
First of all, sign in to Choreo and create an organization, if you have not already created one, before enabling the enterprise login feature.
Please note that an organization with the same name must also exist in Asgardeo, which is the default IDP for Choreo. That name is already reserved for the organization owner, so visit https://console.asgardeo.io/, sign in with the same user account you used for Choreo, and create the organization with the same name. Follow this guide [3] to sign up and create an organization in Asgardeo.
2. Configure enterprise login for your Choreo organization
For this, you first have to send a request to the Choreo team at choreo-help@wso2.com, mentioning the organization (vanheim) for which you want to enable enterprise login and the email domains you own, so that Asgardeo can identify the end users who belong to your IDP.
Organization name: “vanheim”
Email domains: “@vanheim.com”, “@vanheimResearchIn.com”, and “@vanheim.eu”
Please note that there is a validation process to ensure that the organization and the email domains actually belong to you. Once validation completes and the feature is enabled, the Choreo team will let you know.
When the team enables enterprise login for your organization, a mapping from each of your email domains to your organization is added, and an application named “WSO2_LOGIN_FOR_CHOREO_CONSOLE” is created in your Asgardeo organization. This application is restricted so that the only configuration you can change is its sign-in method.
Revoking the feature also requires a request to the Choreo help desk; revocation removes both the application and the domain mapping. Updating the list of email domains you own is likewise done by request to the Choreo help desk, so you can keep the mapping current as your domains change over time.
3. Bring your own identity
Now visit your Asgardeo organization and create a new connection under Manage → Connections [2]. Since Vanheim uses Auth0 as its IDP, we configured an Auth0 connection. Preferably, disable JIT provisioning (in the Advanced section of the connection), since there is no requirement to provision these users: with it disabled, no local user account is created in Asgardeo on federated login, and the users continue to exist only in Auth0.
4. After configuring your connection, go to Manage → Applications
and observe that an application named WSO2_LOGIN_FOR_CHOREO_CONSOLE is present.
Please note that the General and Protocol sections are pre-configured and not editable, for the ease of the user.
In the Sign-in Method section you can update the authentication steps and add the external connection you created. For example, since our external IDP is Auth0, we added the Auth0 connection (configured in Step 3) as the only step in the authentication sequence. With Auth0 as the only step, Auth0 is the sole authority deciding who can reach Choreo under your organization, so the password and MFA policies that apply to these logins are the ones enforced in Auth0.
5. Now you can try the flow from Choreo
a. Choose Enterprise IDP login
b. Provide the username (e.g. vivek@vanheim.com).
As discussed earlier, Asgardeo identifies the organization from the email domain of the username and redirects you to the WSO2_LOGIN_FOR_CHOREO_CONSOLE application generated in that organization.
c. Based on the sign-in method configured, you are redirected to the login page (in our case Auth0), where VRI's users authenticate with their existing credentials and need not create an account in Asgardeo (or rather on the Choreo side).
d. The user can log in, and you will see the user access Choreo under your organization without creating or migrating any user base. Choreo, through Asgardeo, supports “Bring your own identity”.
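The organization discovery that step 5b relies on, as an added illustration (not Asgardeo's or Choreo's code): Asgardeo matches the domain of the username against the domain-to-organization mapping the Choreo team added in step 2. The dict below stands in for that mapping (the real store is internal to Asgardeo), the lookalike addresses are constructed, and the strict resolver is contrasted with a naive substring check that would misroute them to the enterprise IDP.

```python
"""Email-domain to organization discovery for an enterprise-login flow.

Added illustration of the mechanism described in the walkthrough, not
Asgardeo's or Choreo's code. The mapping dict and the login usernames
below are constructed for the example.
"""
import re
from typing import Optional

# Stand-in for the email-domain -> organization mapping that the Choreo team
# adds during enablement (assumption: the real store is internal to Asgardeo).
# Domains are case-insensitive, so the mapping is keyed by lowercase names.
DOMAIN_TO_ORG = {
    "vanheim.com": "vanheim",
    "vanheimresearchin.com": "vanheim",
    "vanheim.eu": "vanheim",
}

# Hostname characters only, at least one dot: rejects paths, query strings and
# other junk that could otherwise be smuggled into the "domain" part.
_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def _domain_of(username: str) -> Optional[str]:
    """Return the normalised domain of an email address, or None if invalid.

    Uses the text after the *last* '@', so a quoted local part containing '@'
    cannot redirect discovery to a different organization, and lowercases the
    result so Vivek@VanheimResearchIn.COM matches the stored domain.
    """
    username = username.strip()
    if "@" not in username:
        return None
    local, _, domain = username.rpartition("@")
    domain = domain.lower().rstrip(".")  # tolerate a trailing FQDN dot
    if not local or not _DOMAIN_RE.match(domain):
        return None
    return domain


def resolve_org_naive(username: str) -> Optional[str]:
    """Substring matching: shown only as the pattern to avoid.

    It routes lookalikes such as mallory@vanheim.com.attacker.net or
    eve@notvanheim.com to the enterprise IDP of organization "vanheim".
    """
    haystack = username.lower()
    for domain, org in DOMAIN_TO_ORG.items():
        if domain in haystack:
            return org
    return None


def resolve_org(username: str) -> Optional[str]:
    """Exact, case-insensitive match of the full domain against the mapping.

    Returns the organization name, or None when the user does not belong to
    any enterprise-login organization and should get the default login.
    """
    domain = _domain_of(username)
    if domain is None:
        return None
    return DOMAIN_TO_ORG.get(domain)


if __name__ == "__main__":
    samples = [
        "vivek@vanheim.com",
        "Vivek@VanheimResearchIn.COM",
        "mallory@vanheim.com.attacker.net",
        "eve@notvanheim.com",
        '"x@vanheim.com"@attacker.net',
        "nobody",
    ]
    for user in samples:
        print(f"{user:36} naive={resolve_org_naive(user)!s:8} strict={resolve_org(user)}")
```

Only the strict resolver sends the three real Vanheim users to the enterprise IDP; every constructed lookalike falls back to the default login instead of being handed to Auth0 as a Vanheim user.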
If anything needs clarification, please feel free to raise your questions.
References
[1] https://wso2.com/choreo/docs/references/enterprise-login/
[2] https://wso2.com/asgardeo/docs/guides/authentication/enterprise-login/
[3] https://wso2.com/asgardeo/docs/get-started/create-asgardeo-account/