
In this tutorial, you learn how to configure an External Identity Provider for API Cloud authentication.

  1. Log in to WSO2 API Cloud. Click Support in the top menu bar, and submit a support request. To configure an external identity provider, you need to provide the name of your preferred identity provider.
  2. The WSO2 team will contact you, collect the required information, and configure your IDP in the Identity Cloud.


    The users in your user store can have different roles, and you may want to restrict access to the API Cloud apps for some of them. In such cases, you can send a roles attribute with the IDP authentication response and we will map it to the cloud-related roles. This capability depends on your IDP.

    When the role information is not present in the response (e.g., Google OpenID Connect), Identity Cloud maps the authenticated user to the organization’s default internal role. We can assign subscribe/create/publish/admin permissions to this role. All the authenticated users will have the same role and the same set of permissions. Permissions should be determined based on your organizational needs.


    WSO2 supports only the email address as the user ID. Therefore, your IDP will have to send the email address in the response.

  3. Configure custom URLs for SSO login


    API Cloud applications identify organizations that have a secondary user store configured based on a specific custom header. When the header is available in the request, the application executes the secondary user-store based authentication flow. If the header is unavailable, the default authentication flow is executed. This custom header is sent through custom URL configurations. Let’s say we have configured a load balancer to send the custom header with Then, which does not have a custom header will be executed with the default authentication flow. But, which includes a custom header secondary user store based authentication flow.

    For details on how to configure a custom URL for API Cloud Store, see Customize Cloud URLs.

    Configuring a custom URL for API Publisher and Admin Apps

    To configure custom URLs for API Cloud Publisher and Admin apps, you have to submit a support request as described in step 2 (this will be supported through a UI in the future).

    Provide the following information to configure custom URLs:

    • Custom Domain

    • SSL Certificates
    • SSL Key and Chain Files

    You can always use the default cloud URLs and log in to your cloud account for administrative tasks.

  4. WSO2 will inform you once the configurations are completed. You will be able to create, publish, subscribe and invoke APIs after completion.


    Token API: You will not be able to use Password Grant to generate access tokens because your credentials are unavailable in our user store.
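
The role and user ID handling described in step 2, modelled as an added example that is not WSO2's code: it lets you check what your IDP's responses would resolve to before you submit the support request. The claim names (`email`, `roles`), the role names, the mapping table and the treatment of roles that map to nothing are assumptions of this example.

```python
import re

# Hypothetical names: the page gives no real role, claim or mapping names.
DEFAULT_ROLE = "org_default_internal"
ROLE_MAP = {  # IDP role -> cloud role (constructed mapping)
    "api-developers": "publisher",
    "api-consumers": "subscriber",
    "api-admins": "admin",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_user(claims):
    """Return (user_id, cloud_roles) for one IDP authentication response."""
    email = claims.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email.strip()):
        # Only an email address is accepted as the user ID.
        raise ValueError("IDP response carries no usable email address")
    user_id = email.strip().lower()  # case folding is this example's choice

    raw = claims.get("roles")
    if raw is None:
        # No roles attribute (e.g. Google OpenID Connect): default role.
        return user_id, [DEFAULT_ROLE]
    if isinstance(raw, str):
        # Some IDPs send one comma-separated string instead of a list.
        raw = raw.split(",")
    # Unmapped IDP roles are dropped, never passed through as cloud roles.
    # Returning no role when nothing maps is this example's assumption.
    mapped = {ROLE_MAP[r.strip()] for r in raw
              if isinstance(r, str) and r.strip() in ROLE_MAP}
    return user_id, sorted(mapped)


if __name__ == "__main__":
    samples = [  # constructed IDP responses
        {"email": "Alice@Example.com", "roles": ["api-developers", "hr"]},
        {"email": "bob@example.com"},
        {"email": "carol@example.com", "roles": "api-admins, api-consumers"},
        {"roles": ["api-admins"]},
    ]
    for claims in samples:
        try:
            print(resolve_user(claims))
        except ValueError as exc:
            print("rejected:", exc)
```

Because every user without a roles attribute lands in the default role, the permissions assigned to that role are effectively granted to anyone your IDP can authenticate.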