This documentation is for WSO2 API Manager 1.9.0 View documentation for the latest release.
Configuring Single Sign-on with SAML2 - API Manager 1.9.0 - WSO2 Documentation
||
Skip to end of metadata
Go to start of metadata

Single sign-on (SSO) allows users, who are authenticated against one application, gain access to multiple other related applications without having to repeatedly authenticate themselves. It also allows the Web applications gain access to a set of back-end services with the logged-in user's access rights, and the back-end services can authorize the user based on different claims like user role.

The Single Sign-On with SAML 2.0 feature in the API Manager is implemented according to the SAML 2.0 browser-based SSO support that is facilitated by WSO2 Identity Server (IS). This feature is available in any IS version from 4.1.0 onwards. We use IS 5.0.0 in this guide. WSO2 Identity Server acts as an identity service provider of systems enabled with single sign-on, while the Web applications act as SSO service providers. Using this feature, you can configure SSO across the API Publisher and Store. After configuring, you can access the API Store or API Publisher in a single authentication attempt.

To learn more about Single Sign-On with WSO2 Identity Server, refer the following article on WSO2 library: http://wso2.org/library/ articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server

The topics below explain the configurations: 

Sharing the user store

First, point both WSO2 IS and WSO2 API Manager to a single user store using the instructions given in section Configuring User Stores. You do this to make sure that a user who tries to log in to the API Manager console, the API Store or the Publisher is authorized. When a user tries to log in to either of the three applications, s/he is redirected to the configured identity provider (WSO2 IS in this case) where s/he provides the login credentials to be authenticated. In addition to this, the user should also be authorized by the system as some user roles do not have permission to perform certain actions. For the purpose of authorization, the IS and API Manager need to have a shared user store and user management database (by default, this is the H2 database in the <APIM_HOME>/repository/conf/user-mgt.xml file) where the user's role and permissions are stored.

For example, let's take a common JDBC user store (MySQL) for both IS and API Manager.

  1. Create a MySQL database (e.g., 410_um_db) and run the <APIM_HOME>/dbscripts/mysql.sql  script on it to create the required tables. 
    If you are using a different database type, find the relevant script from the <APIM_HOME>/dbscripts directory.

  2. Open <APIM_HOME>/repository/conf/datasources/master-datasources.xml file and add the datasource configuration for the database that you use for the shared user store and user management information. For example,

    <datasource>
         <name>WSO2_UM_DB</name>
         <description>The datasource used for registry and user manager</description>
         <jndiConfig>
                  <name>jdbc/WSO2UMDB</name>
         </jndiConfig>
         <definition type="RDBMS">
                  <configuration>
                      <url>jdbc:mysql://localhost:3306/410_um_db</url>
                      <username>username</username>
                      <password>password</password>
                      <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                      <maxActive>50</maxActive>
                      <maxWait>60000</maxWait>
                      <testOnBorrow>true</testOnBorrow>
                      <validationQuery>SELECT 1</validationQuery>
                      <validationInterval>30000</validationInterval>
                  </configuration>
           </definition>
    </datasource>
  3. Add the same datasource configuration above to <IS_HOME>/repository/conf/datasources/master-datasources.xml file.

  4. Copy the database driver JAR file to the <IS_HOME>/repository/components/lib and <APIM_HOME>/repository/components/lib directories.

  5. Open <APIM_HOME>/repository/conf/user-mgt.xml file. The dataSource property points to the default H2 database. Change it to the jndiConfig name given above (i.e., jdbc/WSO2UMDB). This changes the datasource reference that is pointing to the default H2 database.

    <Realm>
            <Configuration>
                ...
                <Property name="dataSource">jdbc/WSO2UMDB</Property>
            </Configuration>
            ...
    </Realm> 
  6. Add the same configuration above to the <IS_HOME>/repository/conf/user-mgt.xml file.
  7. The Identity Server has an embedded LDAP user store by default. As this is enabled by default, follow the instructions in Internal JDBC User Store Configuration to disable the default LDAP and enable the JDBC user store instead.

Sharing the registry space

In a multi-tenanted environment, by default, the Identity Server uses the key store of the super tenant to sign SAML responses. The API Store and Publishers are already registered as SPs in the super tenant. However, if you want the Identity Server to use the registry key store of the tenant that the user belongs to, you can create a common registry database and mount it on both the IS and the APIM.

  1. Create a MySQL database (e.g., registry) and run the <IS_HOME>/dbscripts/mysql.sql script on it to create the required tables. 
    If you are using a different database type, find the relevant script from the <IS_HOME>/dbscripts  directory.

  2. Add the following datasource configuration to both the <IS_HOME>/repository/conf/datasources/master-datasources.xml and  <APIM_HOME>/repository/conf/datasources/master-datasources.xml files.

    <datasource>
        <name>WSO2REG_DB</name>
        <description>The datasource used for registry</description>
        <jndiConfig>
            <name>jdbc/WSO2REG_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource> 
  3. Create the registry mounts by inserting the following sections into the <IS_HOME>/repository/conf/registry.xml file.

    When doing this change, do not replace the existing <dbConfig> for "wso2registry". Simply add the following configuration to the existing configurations.

    <dbConfig name="govregistry">
            <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>
     
    <remoteInstance url="https://localhost">    
            <id>gov</id>
            <dbConfig>govregistry</dbConfig>
            <readOnly>false</readOnly>
            <enableCache>true</enableCache>
            <registryRoot>/</registryRoot>
    </remoteInstance>
     
    <mount path="/_system/governance" overwrite="true">
            <instanceId>gov</instanceId>
            <targetPath>/_system/governance</targetPath>
    </mount>
     
    <mount path="/_system/config" overwrite="true">
           <instanceId>gov</instanceId>
           <targetPath>/_system/config</targetPath>
    </mount>
  4. Repeat the above step in the <APIM_HOME>/repository/conf/registry.xml file as well.

Next, let us look at the SSO configurations. 

Configuring WSO2 Identity Server as a SAML 2.0 SSO Identity Provider

  1. Start the IS server and log in to its Management Console UI ( https://localhost:9443/carbon). 

    If you use login pages that are hosted externally to log in to the Identity Server, give the absolute URLs of those login pages in the authenticators.xml and application-authenticators.xml files in the <IS_HOME>/repository/conf/identity directory.

  2. Select Add under Service Providers menu.
  3. Give a service provider name and click Register.

    In a multi tenanted environment, for all tenants to be able to log in to the APIM Web applications, do the following:

    • Click the SaaS Application option that appears after registering the service provider.

      If not, only users in the current tenant domain (the one you are defining the service provider in) will be allowed to log in to the Web application and you have to register new service providers for all Web applications (API Store and API Publisher in this case) from each tenant space separately. For example, let's say you have three tenants as TA, TB and TC and you register the service provider in TA only. If you tick the SaaS Application option, all users in TA, TB, TC tenant domains will be able to log in. Else, only users in TA will be able to log in.

    • Add the following inside the <SSOService> element in the <IS_HOME>/repository/conf/identity.xml file and restart the server.

      <SSOService>
            <UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>
            ...
      </SSOService>

      If not, you get an exception as SAML response signature verification fails.

    • Because the servers in a multi-tenanted environment interact with all tenants, all nodes should share the same user store. Therefore, make sure you have a shared registry (JDBC mount, WSO2 Governance Registry etc.) instance across all nodes.
  4. You are navigated to the detailed configuration page. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section.

  5. Provide the configurations to register the API Publisher as the SSO service provider. These sample values may change depending in your configuration.

      • Issuer : API_PUBLISHER
      • Assertion Consumer URL : https://localhost:9443/publisher/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL for the acs page in your running publisher app.
      • Select the following options:

        • Use fully qualified username in the NameID

        • Enable Response Signing

        • Enable Assertion Signing

        • Enable Single Logout

      • Click Register once done.

    For example:

  6. Similarly, provide the configurations to register the API Store as the SSO service provider. These sample values may change depending in your configuration.

      • Issuer: API_STORE
      • Assertion Consumer URL: https://localhost:9443/store/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL for the acs page in your running store app.
      • Select the following options:
        • Use fully qualified username in the NameID
        • Enable Response Signing
        • Enable Assertion Signing
        • Enable Single Logout
      • Click Register once done.
  7. Make sure that the responseSigningEnabled element is set to true in both the following files:
    • <APIM_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json
    • <APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json

Configuring WSO2 API Manager apps as SAML 2.0 SSO service providers

  1. Open <APIM_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json and modify the following configurations found under ssoConfiguration.
    • enabled: Set this value to true to enable SSO in the application
    • issuer: API_PUBLISHER. This value can change depending on the Issuer value defined in WSO2 IS SSO configuration above.
    • identityProviderURL: https://localhost:9444/samlsso. Change the IP and port accordingly. This is the redirecting SSO URL in your running WSO2 IS server instance.
    • keyStoreName: A keystore which has an IDps public key. As you use a remote instance of WSO2 IS here, you can import the public certificate of the IS keystore to the APIM and then point to the APIM keystore. The default keystore of the APIM is <APIM_HOME>/repository/resources/security/wso2carbon.jks Be sure to give the full path of the keystore here.
    • keyStorePassword: Password for the above keystore
    • identityAlias: wso2carbon
  2. Similarly, configure the API Store with SSO. The only difference in API Store SSO configurations is setting API_STORE as the issuer.

    Tip: If you configure SSO for the API Manager's Management Console as well, you must reduce the priority of the SAML2SSOAuthenticator configuration in the <APIM_HOME>/repository/conf/security/authenticators.xml file.

    If not, there will be  login issues in the API Publisher/Store. This is because the SAML2SSOAuthenticator handler does not process only SAML authentication requests. If you set its priority higher than that of the BasicAuthenticator handler, the SAML2SSOAuthenticator tries to process the basic authentication requests as well.

    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
       <Priority>0</Priority>
       ....
    </Authenticator>
  3. Access the API Publisher : https://localhost:<Port number>/publisher (e.g., https://localhost:9443/publisher). Observe the request redirect to the WSO2 IS SAML2.0 based SSO login page. For example,
  4. Enter user credentials. If the user authentication is successful against WSO2 IS, it will redirect to the API Publisher Web application with the user already authenticated.
  5. Access the API Store application, click its Login link (top, right-hand corner) and verify that the same user is already authenticated in API Store.

Even with SSO enabled, if the user doesn't have sufficient privileges to access API Publisher/Store or any other application, s/he will not be authorized to access them.

The steps above explain how to configure SSO between the API Publisher and Store Jagger applications, using WSO2 IS as the IDP. If there are many WSO2 products in your environment, you can configure SSO for the management consoles of those products by changing the SAML2SSOAuthenticator configuration in <PRODUCT_HOME>/repository/conf/security/authenticators.xml file as follows:

  • Set disabled attributes in <Authenticator> element to false
  • ServiceProviderID : In this example, it is the issuer name of the service provider created in step 1
  • IdentityProviderSSOServiceURL : In this example, it is the Identity Server port

    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
            <Priority>10</Priority>
            <Config>
                <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
                <Parameter name="ServiceProviderID">carbonserver1</Parameter>
                <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso&lt;/Parameter>
               <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
    </Config>

    Make sure the <priority> of the SAML2SSOAuthenticator is less than that of the BasicAuthenticator handler. See here for more information.

Configuring the API Store for SSO in passive mode

If the passive mode is disabled and single sign-on (SSO) is enabled, it redirects the user to the SSO login page. Therefore, as the WSO2 API Store allows anonymous access, passive mode is enabled by default, so that irrespective of whether SSO is enabled or not it directs the user to the API Store URL, and enables the SSO work flow only when the Sign In button is clicked.

To disable the passive mode, set the property named passive to false in the <APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file.

"ssoConfiguration" : {
        ...
        "passive" : "true",
        ...
    },
  • No labels