Single Sign-On (SSO) allows users, who are authenticated against one application, to gain access to multiple other related applications without having to repeatedly authenticate themselves. It also allows the web applications to gain access to a set of back-end backend services with the logged-in user's access rights, and the back-end . The backend services can authorize the user based on different claims like the user role. An Identity Provider (IDPIdP) is responsible for issuing identification information and authenticating users by using security tokens. WSO2 API Cloud uses WSO2 Identity Server as the default Identity provider (IDPIdP). An organization can have it’s own IDP IdP that provides authentication for internal users. In such scenarios, the organization can link their IDP IdP to WSO2 Identity Cloud to provide SSO based authentication for API Cloud apps.
The diagram below shows how an external IdP-based SSO is configured.
The user visits the API Cloud application.
A SAML authentication request is sent to the Identity Cloud.
Identity Cloud is configured to forward the authentication requests received for a particular organization to an external IdP.
The organization’s IdP prompts the login window and the user submits the credentials.
An authentication success response is sent back to the Identity Cloud.
Identity Cloud sends a SAML response to the corresponding API Cloud application. Before sending the response, Identity Cloud stores (provisions) the permission information of the authenticated user in an internal user store. The API Cloud applications refer to this user store for authorization.
In this tutorial, you learn how to configure an External Identity Provider external identity provider for API Cloud authentication.
- Log in to WSO2 API Cloud. Click Support in the top menu bar, and submit a support request. To configure an external identity provider, you need to provide the name of your preferred identity provider.
The WSO2 team will contact you and get the required information and configure your IDP in the Identity cloudConfigure > External Users.
In the API Cloud Web UI Access tab, select Connect Your Identity Provider and submit the identity provider details.
If your IdP is not listed in the drop-down menu, select Other.
The WSO2 team will contact you, get the required information, and configure your IdP in the Identity Cloud.
Users in your user store can have different roles. You may want to restrict access to the API Cloud applications for the users in your user store. In such cases, you can send a
rolesattribute with the IdP authentication response and this attribute will be mapped to the cloud-related roles. This capability depends on your IdP.
When the role information is not present in the response (e.g. Google OpenID-Connect), Identity Cloud maps the authenticated user to the organization’s default internal role. We can assign subscribe/create/publish/admin permissions to this role. All the authenticated users will have the same role and the same set of permissions. Permissions should be determined based on your organization's needs.
WSO2 supports only the email address as the user ID. Therefore, your IdP will have to send the email address in the response.
Configure custom URLs for SSO login.
API Cloud applications identify secondary user-store configured organizations organizations with an external IdP configured, based on a specific custom header. When the header is available in the request, the application executes the secondary userthe external IdP-store based authentication flow. If the header is unavailable, the default authentication flow is executed. This custom header is sent through custom URL configurations. Let’s say we have configured a load balancer to send the custom header with
api.cloud.wso2.com/publisherwhich , which does not have a custom header will be , is executed with the default authentication flow. ButHowever,
api.customdomain.organization.com/publisher, which includes a custom header secondary user store , is executed with the external IdP-based authentication flow.
For details on how to configure a custom URL for the API Cloud Store, see Customize Cloud URLs.
Info titleConfiguring a custom URL for API Publisher and Admin Apps Note
To configure custom URLs for the API Cloud Publisher and Admin apps, you have to submit a support request as described in step 2 (This this will be supported through a UI in the future).
Provide the following information to configure custom URLs:
- SSL Certificates
- SSL Key and Chain Files
You can always use the default cloud URLs and login log in to your cloud Cloud account for administrative tasks.
WSO2 will inform you once the configurations are completed. You will be able to create, publish, subscribe and invoke APIs after completion.