Configuring external IdPs in Asgardeo Using OpenID Connect Protocol

Dimuthu Kasun
Identity Beyond Borders
7 min read · Dec 17, 2021

Hello everyone. In this article, let’s discuss how we can connect external identity providers to Asgardeo.

Throughout this article, I will use the abbreviation “IdP” for “Identity Provider”. As you may know, an Identity Provider is responsible for authenticating users and issuing identity information as security tokens, using standards such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Trust.

To know more about identity providers, you can refer to the Asgardeo documentation about authentication.

Please note that you can integrate any external IdP with Asgardeo using either the OpenID Connect or the SAML protocol.

Why do we need to integrate an external IdP?

For example:

  • If you already have a set of users managed in another IdP and want to give them a seamless login experience with Asgardeo.
  • Or, if you want strong authentication with MFA capabilities in Asgardeo rather than a plain login, you can configure your existing identity providers in Asgardeo.

To demonstrate the scenario, I will be using a deployed Keycloak instance and a sample React application integrated with the Asgardeo Auth React SDK. You can find how to integrate the Asgardeo React SDK into your existing React application in my previous article below.

If you are interested in trying out Keycloak, you can try a free-plan Keycloak deployment from the link below.

I am planning to write two articles on this topic: this one is about how to connect an external IdP with OpenID Connect, and the other is about how to connect an external IdP with the SAML protocol.

Connect external IdP with Asgardeo Using OpenID Connect Protocol

With Asgardeo you can integrate different identity providers using the OpenID Connect protocol. This can be done in three easy steps.

  1. Configuring Asgardeo as a service provider in Keycloak
  2. Create a new connection in the Asgardeo console for Keycloak
  3. Configure our new connection with Keycloak information

1. Configuring Asgardeo as a service provider in Keycloak

  • Click on “Create” to configure Asgardeo as a service provider (client) in Keycloak.

Optional: You can change the realm name as you want from “Realm Settings”.

  • Configure the new client by entering a Client ID. Ignore Root URL for now.
  • Click “Save”. After that, you will be redirected to a page like this.
  • Configure the fields below with suitable information.

# Change the value of Access Type from public to confidential.

# Add “Valid Redirect URL” in the following format:

https://api.asgardeo.io/t/{organization_name}/commonauth

# Enter “Backchannel Logout URL”:

https://api.asgardeo.io/t/{organization_name}/oidc/logout

# Click “Save”.

  • The configuration should look like the one below.
  • You can find the client secret in the “Credentials” tab.

2. Create a new connection in the Asgardeo console for Keycloak

In this step, we will create a new connection in the Asgardeo console for Keycloak. You can find more about configuring enterprise IdPs in the Asgardeo console in the following documentation.

  • Go to Develop -> Connections on the Asgardeo Console and click on “New Connection”.
  • Select “Standard-Based IdP”.
  • Enter a name for the identity provider and select OpenID Connect as the protocol (this is selected by default).
  • Click Next.

3. Configure our new connection with Keycloak information

  • Enter the client ID and client secret of the service provider (client) application we created in Keycloak into the client-id and client-secret fields. The authorization and token URLs should follow the format below.
Client ID : Asgardeo
Client Secret : 03c94184-da1f-4e87-9915-7d9dff9a14a4
Authorization endpoint: https://<host:port>/auth/realms/<realm>/protocol/openid-connect/auth
Token endpoint: https://<host:port>/auth/realms/<realm>/protocol/openid-connect/token

Optional: You can find the authorization URL and token URL of your Keycloak realm from the OpenID Connect discovery endpoint below.

Format: GET
https://<host:port>/auth/realms/<realm_name>/.well-known/openid-configuration
Example: GET
https://lemur-8.cloud-iam.com/auth/realms/Dev/.well-known/openid-configuration

API response:

{
"issuer": "https://lemur-8.cloud-iam.com/auth/realms/Dev",
"authorization_endpoint": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/auth",
"token_endpoint": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/token",
"introspection_endpoint": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/logout",
"jwks_uri": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/certs",
"check_session_iframe": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/login-status-iframe.html",
...
...
}
  • Click Next.
  • Enter the JWKS endpoint or the certificate of the Keycloak server in PEM format. You can find this URL in the discovery response above (the jwks_uri field).
JWKS Endpoint :
https://<host:port>/auth/realms/<realm>/protocol/openid-connect/certs
  • Click Finish.
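Before pasting the endpoints from the discovery response into the Asgardeo wizard, it is worth checking that they actually belong to the realm you configured: a discovery document whose issuer does not match, or an endpoint pointing at a plain-http or foreign-host URL, means the connection would send tokens or fetch signing keys from somewhere you did not intend. The following is an added example (not Asgardeo’s or Keycloak’s own code) that builds the Keycloak client values from step 1 for a given organization name and extracts the three endpoints step 3 asks for from a discovery document, refusing anything outside the issuer. The discovery JSON is a constructed sample using the host and realm quoted in the article, and `expected_issuer` is whatever you configured.

```python
import json

# Constructed sample: the discovery document shape shown above, trimmed to the
# keys the Asgardeo connection wizard needs. Host/realm are the article's values.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://lemur-8.cloud-iam.com/auth/realms/Dev",
    "authorization_endpoint": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/auth",
    "token_endpoint": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/token",
    "jwks_uri": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/certs",
    "end_session_endpoint": "https://lemur-8.cloud-iam.com/auth/realms/Dev/protocol/openid-connect/logout",
})

# The three fields the Asgardeo wizard asks for in step 3, in the order it asks.
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def asgardeo_callback_urls(organization_name: str) -> dict:
    """Values to paste into the Keycloak client in step 1 (redirect + back-channel logout)."""
    base = f"https://api.asgardeo.io/t/{organization_name}"
    return {
        "valid_redirect_uri": f"{base}/commonauth",
        "backchannel_logout_url": f"{base}/oidc/logout",
    }


def extract_keycloak_endpoints(discovery_json: str, expected_issuer: str) -> dict:
    """Pull the step-3 endpoints out of a discovery document.

    Every endpoint must be https and sit under the issuer URL we expect, so a
    document from the wrong realm (or one that was tampered with in transit)
    is rejected instead of silently ending up in the Asgardeo connection."""
    if not expected_issuer.startswith("https://"):
        raise ValueError("expected_issuer must be an https URL")
    doc = json.loads(discovery_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    prefix = expected_issuer.rstrip("/") + "/"
    endpoints = {}
    for key in REQUIRED:
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        if not url.startswith(prefix):
            raise ValueError(f"{key} is outside the issuer {expected_issuer}: {url}")
        endpoints[key] = url
    return endpoints


if __name__ == "__main__":
    print(asgardeo_callback_urls("myorg"))  # replace "myorg" with your organization name
    print(extract_keycloak_endpoints(SAMPLE_DISCOVERY, "https://lemur-8.cloud-iam.com/auth/realms/Dev"))
```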

Now we have completed the steps to configure an external standards-based identity provider (in this case Keycloak) using the OpenID Connect protocol in Asgardeo.

Next, let’s discuss how we can use this connection to log in to an application.

Log in to an Application using External Identity Provider Connection

We can achieve this by following the two steps below.

  1. Create a new user in Keycloak to log in to our sample application.
  2. Add our new Keycloak connection to an existing application as a sign-in option.

1. Create a new user in Keycloak to log in to our sample application

  • To see all the existing users, click on “View all users”.
  • We can add a new user by clicking on the “Add user” button. Enter the relevant information in the fields as shown below.
  • Click Save.
  • Click on the “Credentials” tab, enter a new password and click “Set Password”. Change the value of the Temporary field from ON to OFF.

2. Add our new Keycloak connection to an existing application as a sign-in option

Now that we have a new external IdP connection in Asgardeo, we can offer it as a new sign-in option for our applications. To demonstrate this, I will use an existing React SPA that I have already registered in the Asgardeo console.

You can find how we can integrate Asgardeo into existing React applications from my previous article below.

Also, you can find the source code of the sample React application I am using for this demonstration below.

  • To add a new sign-in option to an application, click on the Sign-In Method tab of your application in the Asgardeo console.
  • Click “Add Authentication”.
  • Select the connection and click Add.
  • Finally, click Update.

Let’s try to log in to our application.

As you can see, we now have a new sign-in method with the Keycloak IdP we configured. Let’s log in to our application using this option with the credentials of the user we created in Keycloak earlier.

Cheers! Login was a success.

As our login succeeded, you can find the user provisioned from Keycloak into Asgardeo under Manage -> Users.

So, I hope you now have some idea of how to configure external enterprise identity providers using the OpenID Connect protocol.

Check out my article about how to configure external enterprise IdPs in Asgardeo using the SAML protocol from below.

Thank you for reading this article.
