Asgardeo as the Identity Provider in your APIM deployment
WSO2 API Manager is a complete & one of the best solutions for designing and publishing APIs, creating and managing a developer community, and routing API traffic.
In this article, let’s discuss how to configure Asgardeo as Identity Provider for Single Sign-On to the Applications in WSO2 API Manager using OpenID Connect Protocol.
Why do we need an Identity Provider?
An Identity Provider (IdP) is capable of managing digital identities in a secure manner. You can integrate your applications with an identity provider to authenticate users and obtain identification information by using security tokens like SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Trust.
Also, it is hard to build an IAM solution in-house, and stay in compliance with regulatory requirements when handling users. So we can use an identity provider to solve and keep the development simple.
Asgardeo as your Identity Provider
Asgardeo is an Identity as a Service (IDaaS) by WSO2. You don’t need to be an identity expert to implement authentication to your application. You can simply register and start using Asgardeo to integrate secure user login to your application. You can register to Asgardeo for free from here. If you already have an account, sign in from here.
Asgardeo Configurations
- Create OIDC Standard Application in Asgardeo Console.
2. Go to the Protocol tab and allow Authorization Code(Code) grant as an allowed grant type.
3. Add “https://localhost:9443/commonauth” as Authorized Redirect URL. Then click Update at bottom of the page.
4. Go to the Manage -> Attributes section and create the below custom attributes.
- asgardeo_user -> This will be used as the subject claim of the application.
- asgardeo_role -> Value of this attribute will use as the user’s role.
5. Click on New Attribute and enter values for the Attribute Name and Attribute Display Name fields. Do the same to create the asgardeo_role attribute.
6. Click Finish. You will be redirected to the Attribute configuration page. Change the below configurations.
- Tick -> Display this attribute on the user’s profile
- Tick -> Make this attribute required on the user’s profile
7. Click the Update button at the bottom of the page. Update the same configurations for the asgardeo_role attribute.
8. Go to the Manage -> Scopes section and click on Open ID to add these custom attributes to the openid scope.
9. Go to the User Attributes tab on the application configuration page. Add the “asgardeo_user” and “asgardeo_role” attributes and make them mandatory. Then click Update.
10. Go to Manage -> Users section and create a new customer account. This is the user that we will use when authenticating with Asgardeo.
11. Click Finish. You will be redirected to the users' profile page. add a unique value for the “Asgardeo User” field. This value will act as the subject claim for the application. Also, set the “Asgardeo Role” value as “APIM”.
12. Currently, the subject claim of the ID token will be the User ID(UUID) and APIM will take this as the user name. If you want to change the subject claim you can do it using Application Management API. Currently, there is no option to update the subject claim from the Asgardeo console.
- Import this postman collection and update the organization name in the collection variables.
https://www.getpostman.com/collections/e6cea56a6ffbdb9fbb3a - To invoke Application Management API, need to get an access token via client_credentials grant. Update the Asgardeo Application’s client_id, client_secret values in the token request.
- Get the application id from the GET ALL Applications request and update the subject claim using the PATCH request in the collection. (Make sure to add the additional claims to the request body if you have any). Here update the subject claim to “asgardeo_user”.
Note: If you don’t change the subject claim, need to change the policy from the deployment.toml file to match the UUID.
APIM Configurations
- Go to the identity providers section using Management Console and add a new Identity Provider.
- JWKS Endpoint: https://api.asgardeo.io/t/<org_name>/oauth2/jwks
- Alias: Audience value of the ID token received from the Asgardeo(“aud” attribute value). By default, this will be the Client_ID of the Asgardeo Application.
- Issuer Name : https://api.asgardeo.io/t/<org_name>/oauth2/token
2. Go to the Federated Authenticators section and add OAuth2/OpenID Connect configurations. You can find the Asgardeo endpoint details from the Info section on your Asgardeo application page.
Enable OAuth2/OpenIDConnect : TrueDefault : TrueClient Id : <client_id>Client Secret : <client_secret>Authorization Endpoint URL : https://api.asgardeo.io/t/<org_name>/oauth2/authorizeToken Endpoint URL : https://api.asgardeo.io/t/<org_name>/oauth2/tokenCallback Url :
https://localhost:9443/commonauthUserinfo Endpoint URL : https://api.asgardeo.io/t/<org_name>/oauth2/userinfoLogout Endpoint URL : https://api.asgardeo.io/t/<org_name>/oidc/logoutOpenID Connect User ID Location : User ID found among claimsAdditional Query Parameters : scope=openid
3. Enable JIT Provisioning and select Provision Silently
4. Go to Role configuration and configure it as below. Here we have to use the same value that was already specified in the Asgardeo user claim. Here “asgardeo_role” is the Role that we need to create in the APIM Management console.
5. Go to Claim Configurations and configure it as follows.
6. Create a new role “asgardeo_role“ in the Management Console and add the below permissions.
Governance — full permissions
Login
Govern — full permissions
API — full permissions7. Go to the Admin console and assign relevant scopes to the “asgardeo_role” Role. If you are trying to access the Dev portal you need to select the below scopes. Likewise, you need to select the scopes that are required for other service providers(publisher portal, etc) as well. Otherwise, you can’t see the UI elements of that particular application.
SSO to Dev Portal and Publisher Portal
Let’s Login to the Dev Portal Application in APIM with Asgardeo.
- Go to service providers and select Asgardeo IdP as federated IdP from Outbound configurations for the “apim_devportal” service provider.
2. Log in to the Dev portal application using Asgardeo with the User we created.
3. To try out SSO flow, you can specify Asgardeo as Federated IdP for the Publisher portal. Here you need to add the publisher scopes to the “asgardeo_role” Role from the Admin Portal.
Hope you got some idea about how to configure Asgardeo as an external Idenity Provider in WSO2 APIM.
Now, You can look into other capabilities of Asgardeo. Such as,
- Enable social sign-in with Google, Facebook, and GitHub using pre-defined templates.
- Configure external identity providers that can connect with open standards like OpenID Connect and SAML to your application.
- Choose from a variety of methods such as Email OTP, SMS OTP, and TOTP for 2FA.
- Use the Asgardeo SDKs to integrate Asgardeo with various technology stacks.
Thank you for reading this article !
