This documentation is for WSO2 API Manager 2.5.0. View documentation for the latest release.


...

Step 5 - Configure the Identity Provider

Configure an Identity Provider of your choice. In this example, we use WSO2 IS as the Identity Provider (IdP).

Follow the instructions below to configure WSO2 IS as the Identity Provider (IdP):

  1. Start WSO2 Identity Server.

    • On Windows: <IS_HOME>/bin/wso2server.bat --run

    • On Linux/Mac OS: sh <IS_HOME>/bin/wso2server.sh

  2. Create a service provider (SP) for the Store. For more detailed information, see Adding and Configuring a Service Provider in the WSO2 Identity Server 5.6.0 documentation.

    1. Create a service provider (SP) named API_STORE with an inbound OAuth/OIDC callback URL of https://<APIM-hostname>:9443/store/jagg/jaggery_oidc_acs.jag, and enable the authorization-code grant type by selecting the Code checkbox under Allowed Grant Types.
      <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.

    2. Add a claim mapping, set http://wso2.org/claims/displayName as the local claim, and mark it as a mandatory claim.
      Your configurations should look similar to the following after creating the service provider.

  3. Create a service provider for the Publisher.

    1. Create a service provider named API_PUBLISHER with an inbound OAuth/OIDC callback URL of https://<APIM-hostname>:9443/publisher/jagg/jaggery_oidc_acs.jag, and enable the authorization-code grant type.
      <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.

    2. Add a claim mapping, set http://wso2.org/claims/displayName as the local claim, and mark it as a mandatory claim.
      Your configurations should look similar to the following after creating the service provider.

Step 6 - Configure WSO2 API-M 

Configure WSO2 API-M with the Identity Provider.

Follow the instructions below to configure WSO2 API-M with WSO2 IS, which is the Identity Provider in this example.

  1. Configure the API Store. For more detailed information, see Adding and Configuring a Service Provider in the WSO2 Identity Server 5.7.0 documentation.
    1. Navigate to the <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file.
    2. Edit the oidcConfiguration section to point to the IdP that you configured in step 5.

      Format:
      "oidcConfiguration" : {
          "enabled" : "true",
          "issuer" : "API_STORE",
          "identityProviderURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/token",
          "authorizationEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/authorize",
          "tokenEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/token",
          "userInfoURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/userinfo",
          "jwksURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/jwks",
          "logoutEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oidc/logout",
          "authHttpMethod": "POST",
          "clientConfiguration" : {
            "clientId" : "<client-id>",
            "clientSecret" : "<client-secret>",
            "responseType" : "code",
            "authorizationType" : "authorization_code",
            "scope" : "phone email address openid profile",
            "redirectURI" : "https://<APIM-hostname>:<APIM-port>/store/jagg/jaggery_oidc_acs.jag",
            "postLogoutRedirectURI" : "https://<APIM-hostname>:<APIM-port>/store/",
            "clientAlgorithm" : "RS256"
          }
        },

      Make sure to replace the following placeholders with actual values.

      • <client-id> and <client-secret> - Replace these with the credentials that you got when creating the API_STORE service provider.
      • <IdP-hostname> - Replace this with the hostname of the IdP.
      • <IdP-port> - Replace this with the port of the IdP.
      • <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.
      • <APIM-port> - Replace this with the port of the WSO2 API Manager Server.
      Example:

      In this example, WSO2 IS runs with a port offset of 1.

      "oidcConfiguration" : {
          "enabled" : "true",
          "issuer" : "API_STORE",
          "identityProviderURI" : "https://localhost:9444/oauth2/token",
          "authorizationEndpointURI" : "https://localhost:9444/oauth2/authorize",
          "tokenEndpointURI" : "https://localhost:9444/oauth2/token",
          "userInfoURI" : "https://localhost:9444/oauth2/userinfo",
          "jwksURI" : "https://localhost:9444/oauth2/jwks",
          "logoutEndpointURI" : "https://localhost:9444/oidc/logout",
          "authHttpMethod": "POST",
          "clientConfiguration" : {
            "clientId" : "AA5qAA8mr54JJJJI5T56uF9Gvfka",
            "clientSecret" : "itGy_Y_vVaaarDP_9sKKchJgKlwca",
            "responseType" : "code",
            "authorizationType" : "authorization_code",
            "scope" : "phone email address openid profile",
            "redirectURI" : "https://wso2.am:9443/store/jagg/jaggery_oidc_acs.jag",
            "postLogoutRedirectURI" : "https://wso2.am:9443/store/",
            "clientAlgorithm" : "RS256"
          }
        },

      Make sure to replace the following placeholders with actual values.

      • <client-id> and <client-secret> - Replace these with the credentials that you got when creating the API_STORE service provider.
      • <IdP-hostname> - Replace this with the hostname of the WSO2 Identity Server.
      • <IdP-port> - Replace this with the port of the WSO2 Identity Server.
      • <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.
      • <APIM-port> - Replace this with the port of the WSO2 API Manager Server.
  2. Configure the API Publisher.
    1. Navigate to the <API-M_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file.
    2. Edit the oidcConfiguration section to point to the IdP that you configured in step 5.

      Format:
      "oidcConfiguration" : {
            "enabled" : "true",
            "issuer" : "API_PUBLISHER",
            "identityProviderURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/token",
            "authorizationEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/authorize",
            "tokenEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/token",
            "userInfoURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/userinfo",
            "jwksURI" : "https://<IdP-hostname>:<IdP-port>/oauth2/jwks",
            "logoutEndpointURI" : "https://<IdP-hostname>:<IdP-port>/oidc/logout",
            "authHttpMethod": "POST",
            "clientConfiguration" : {
              "clientId" : "<client-id>",
              "clientSecret" : "<client-secret>",
              "responseType" : "code",
              "authorizationType" : "authorization_code",
              "scope" : "phone email address openid profile",
              "redirectURI" : "https://<APIM-hostname>:<APIM-port>/publisher/jagg/jaggery_oidc_acs.jag",
              "postLogoutRedirectURI" : "https://<APIM-hostname>:<APIM-port>/publisher/"
            }
          },
      Example:

      In this example, WSO2 IS runs with a port offset of 1.

      "oidcConfiguration" : {
            "enabled" : "true",
            "issuer" : "API_PUBLISHER",
            "identityProviderURI" : "https://localhost:9444/oauth2/token",
            "authorizationEndpointURI" : "https://localhost:9444/oauth2/authorize",
            "tokenEndpointURI" : "https://localhost:9444/oauth2/token",
            "userInfoURI" : "https://localhost:9444/oauth2/userinfo",
            "jwksURI" : "https://localhost:9444/oauth2/jwks",
            "logoutEndpointURI" : "https://localhost:9444/oidc/logout",
            "authHttpMethod": "POST",
            "clientConfiguration" : {
              "clientId" : "BB5qBB8mr54JJJJI5T56uH8Gvfkk",
              "clientSecret" : "hiAk_Y_vVbbbrDP_6sJJchJgKlwca",
              "responseType" : "code",
              "authorizationType" : "authorization_code",
              "scope" : "phone email address openid profile",
              "redirectURI" : "https://wso2.am:9443/publisher/jagg/jaggery_oidc_acs.jag",
              "postLogoutRedirectURI" : "https://wso2.am:9443/publisher/"
            }
          },

      Make sure to replace the following placeholders with actual values.

      • <client-id> and <client-secret> - Replace these with the credentials that you got when creating the API_PUBLISHER service provider.
      • <IdP-hostname> - Replace this with the hostname of the WSO2 Identity Server.
      • <IdP-port> - Replace this with the port of the WSO2 Identity Server.
      • <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.
      • <APIM-port> - Replace this with the port of the WSO2 API Manager Server.
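As an added example that is not part of the WSO2 documentation or product, the following Python script cross-checks an oidcConfiguration block (parsed from site.json) against the service provider registered in Step 5: no placeholder left unreplaced, issuer equal to the SP name, every IdP endpoint on https at the expected host, port and path, the redirect URI identical to the SP callback URL, and the authorization-code flow with the openid scope. The SP name, callback URL, IdP host and port are caller-supplied assumptions, and the sample block is constructed from the Store example above with a fake client ID.

```python
"""Consistency check for the oidcConfiguration block of site.json (Step 6). Added example,
not WSO2 code: SP name, SP callback URL and IdP host/port are caller-supplied; samples are constructed."""
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"<[^<>]+>")  # an unreplaced <...> token from the Format tab
# Expected path of each IdP endpoint on WSO2 IS, as listed on the page.
ENDPOINTS = {"identityProviderURI": "/oauth2/token", "authorizationEndpointURI": "/oauth2/authorize",
             "tokenEndpointURI": "/oauth2/token", "userInfoURI": "/oauth2/userinfo",
             "jwksURI": "/oauth2/jwks", "logoutEndpointURI": "/oidc/logout"}

def check_oidc_config(site, sp_name, sp_callback, idp_host, idp_port):
    """Return findings for site['oidcConfiguration']; an empty list means consistent."""
    cfg = site["oidcConfiguration"]
    client = cfg["clientConfiguration"]
    findings = []
    for key, value in list(cfg.items()) + list(client.items()):
        if isinstance(value, str) and PLACEHOLDER.search(value):
            findings.append(f"{key}: placeholder {PLACEHOLDER.search(value).group()} not replaced")
    if cfg.get("enabled") != "true":
        findings.append('enabled: must be the string "true"')
    if cfg.get("issuer") != sp_name:
        findings.append(f"issuer: {cfg.get('issuer')!r} is not the SP name {sp_name!r}")
    for key, path in ENDPOINTS.items():
        value = cfg.get(key, "")
        if PLACEHOLDER.search(value):
            continue  # already reported above; urlparse cannot parse a <port> placeholder
        url = urlparse(value)
        if url.scheme != "https":
            findings.append(f"{key}: must use https")
        elif (url.hostname, url.port, url.path) != (idp_host, idp_port, path):
            findings.append(f"{key}: expected https://{idp_host}:{idp_port}{path}")
    if client.get("redirectURI") != sp_callback:
        findings.append("redirectURI: differs from the callback URL registered on the SP")
    if (client.get("responseType"), client.get("authorizationType")) != ("code", "authorization_code"):
        findings.append("clientConfiguration: expected the authorization-code flow")
    if "openid" not in client.get("scope", "").split():
        findings.append("scope: must include openid")
    return findings

# Constructed sample modelled on the page's Store example; the secret is left as a placeholder.
STORE_CALLBACK = "https://wso2.am:9443/store/jagg/jaggery_oidc_acs.jag"
STORE_SITE = {"oidcConfiguration": {
    "enabled": "true", "issuer": "API_STORE", "authHttpMethod": "POST",
    **{key: "https://localhost:9444" + path for key, path in ENDPOINTS.items()},
    "clientConfiguration": {
        "clientId": "SAMPLE-CLIENT-ID", "clientSecret": "<client-secret>",
        "responseType": "code", "authorizationType": "authorization_code",
        "scope": "phone email address openid profile", "redirectURI": STORE_CALLBACK,
        "postLogoutRedirectURI": "https://wso2.am:9443/store/", "clientAlgorithm": "RS256"}}}
```

Run it against the parsed site.json of the Store or the Publisher with the SP name and callback URL you registered in Step 5, and resolve every finding before restarting the portal.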

Step 7 - Import the public certificate of the Identity Provider

...

  1. Navigate to the <IS_HOME>/repository/resources/security directory.

    cd <IS_HOME>/repository/resources/security
  2. Export the public certificate to a .pem file.

    Format:
    keytool -export -alias wso2carbon -keystore wso2carbon.jks -file publickey.pem

    Enter the password as wso2carbon when requested. This is the default password for keystores.

    Output:
    Certificate stored in file <publickey.pem>
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.jks -deststoretype pkcs12".
  3. Copy the <IS_HOME>/repository/resources/security/publickey.pem file to the  <API-M_HOME>/repository/resources/security directory.
  4. Navigate to the <API-M_HOME>/repository/resources/security directory.

    Code Block
    cd <API-M_HOME>/repository/resources/security
  5. Import the .pem file into the client truststore (client-truststore.jks).

    Sample command:
    keytool -import -alias wso2is -file publickey.pem -keystore client-truststore.jks -storepass wso2carbon
    Output:

    Type yes when the question shown on the second line of the output below is printed. The first line appears because the default wso2carbon certificate is shared by the default keystores of both products.

    Certificate already exists in keystore under alias <wso2carbon>
    Do you still want to add it? [no]:  yes
    Certificate was added to keystore
  6. Check the details of the imported certificate that corresponds to the Identity Provider.

    keytool -list -alias wso2is -keystore client-truststore.jks -v

...