This documentation is for WSO2 IoT Server 3.2.0. View the documentation for the latest release.
Page Comparison - Setting Up A Federated IdP with OpenID Connect (v.10 vs v.11) - IoT Server 3.2.0 - WSO2 Documentation

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This document covers the steps on how an external Identity Server is used to authenticate users that log in to  to WSO2 IoT Server using the OpenID Connect protocol. To make it easy for you explain to try out the scenario, the IdentiyServerV4 that is hosted on http://demo.identityserver.io is used. You can follow the same steps to configure another Identity server.

...

You need to add the federated OpenID Connect authentication configurations to the WSO2 IoT Server's default Identity Provider (IdP) configurations. Follow the steps given below:

  1. Open the <IOTS_HOME>/conf/identity/identity-providers/iot_default.xml file.
  2. Add the following configurations before the <FederatedAuthenticatorConfigs> tag.

    Code Block
    <IsEnabled>true</IsEnabled>
  3. Add the folowing following configurations inside the <FederatedAuthenticatorConfigs tag.

    Info

    The IdentiyServerV4's hosted demo server is available at http://demo.identityserver.io. If you are using your own external Identity Server, makse make sure to replace http://demo.identityserver.io with the URL of your hosted Identity Server.

    Code Block
    <OpenIDConnectFederatedAuthenticatorConfig>
       <Name>OpenIDConnectAuthenticator</Name>
       <DisplayName>openidconnect</DisplayName>
       <IsEnabled>true</IsEnabled>
       <Properties>
          <Property>
             <Name>ClientId</Name>
             <Value>server.code</Value>
          </Property>
          <Property>
             <Name>ClientSecret</Name>
             <Value>secret</Value>
          </Property>
          <Property>
             <Name>OAuth2AuthzEPUrl</Name>
             <Value>http://demo.identityserver.io/connect/authorize</Value>
          </Property>
          <Property>
             <Name>OAuth2TokenEPUrl</Name>
             <Value>http://demo.identityserver.io/connect/token</Value>
          </Property>
          <Property>
             <Name>callbackUrl</Name>
             <Value>https://localhost:9443/commonauth</Value>
          </Property>
          <Property>
             <Name>IsUserIdInClaims</Name>
             <Value>false</Value>
          </Property>
          <Property>
             <Name>commonAuthQueryParams</Name>
             <Value>scope=openid</Value>
          </Property>
       </Properties>
    </OpenIDConnectFederatedAuthenticatorConfig>
  4. Add OpenIDConnectAuthenticator as the value for the <DefaultAuthenticatorConfig> tag.
    Example:

    Code Block
    <DefaultAuthenticatorConfig>OpenIDConnectAuthenticator</DefaultAuthenticatorConfig>
  5. Add the following configurations inside the <ClaimConfig> tag to send the role details to WSO2 IoT Serverreturn the values from the role list because the demo server does not return any values.

    Code Block
    <ClaimMappings>
       <ClaimMapping>
          <RemoteClaim>
             <ClaimUri>idp</ClaimUri>
          </RemoteClaim>
          <LocalClaim>
             <ClaimUri>http://wso2.org/claims/role</ClaimUri>
          </LocalClaim>
          <DefaultValue />
       </ClaimMapping>
    </ClaimMappings>
  6. Anchor
    JIT-Role
    JIT-Role
    Add the following configurations inside the <PermissionAndRoleConfig> tag. The new users that get created on the fly via JIT provisioning is assigned the Internal/devicemgt-admin role by default.

    Info

    This allows you to map a remote role name into a local role name. In the example given below, the role that is taken by the idp claim you created above is mapped to the Internal/devicemgt-admin role of WSO2 IoT Server. You can use this feature to map intuitive remote roles, such as mapping the Administrator into the Internal/devicemgt-admin role.

    Code Block
    <RoleMappings>
       <RoleMapping>
          <localRole>
             <LocalRoleName>Internal/devicemgt-admin</LocalRoleName>
             <UserStoreId>PRIMARY</UserStoreId>
          </localRole>
          <remoteRole>local</remoteRole>
       </RoleMapping>
    </RoleMappings>
  7. Add the following configurations inside the <JustInTimeProvisioningConfig> tag to enable Just-in-Time (JIT) provisionins provisioning.

    Code Block
    <IsProvisioningEnabled>true</IsProvisioningEnabled>
    Info
    titleWhat is JIT provisioning?

    With JIT provisioning, you can create users on the fly the first time they try to log in to WSO2 IoT Server.

Configuring the Service Providers

The jaggery Jaggery applications in WSO2 IoT Server, such as the device management, app store, and app publisher consoles, are configured as service providers to enable Single Sign-On (SSO) and authenitication authentication. For more information, on accessing the differenct different consoles available in WSO2 IoT Server, see Accessing the WSO2 IoT Server Consoles.
You need to configure the serivce service providers to have both the basic authentication mechanisam mechanism that authenticates the user based on the username and password that was entered and to have the OpenID Connect authentication mechanisam mechanism.
For this use case, only the devicemgt service provider is configured. If you want to configure the other applications, you need to add the same configurations that are given below to the other service providers in the <IOTS_HOME>/conf/identity/service-providers directory.
  1. Open the  <IOTS_HOME>/conf/identity/service-providers/devicemgt.xml file.
  2. Add the following configurations after the <StepOrder>1</StepOrder> property.

    Code Block
    <LocalAuthenticatorConfigs>
       <LocalAuthenticatorConfig>
          <Name>BasicAuthenticator</Name>
          <DisplayName>basicauth</DisplayName>
          <IsEnabled>true</IsEnabled>
       </LocalAuthenticatorConfig>
    </LocalAuthenticatorConfigs>

Extend the Log-In page for OpenID Connect

You need to extend the device management console's log in page so that it supports both the basic authentication, which is logging in using the username and password, and the OpenID connect authentication options.

...

  1. Create a new folder named company.page.sign-in in the <IOTS_HOME>/ repository/deployment/server/jaggeryapps/devicemgt/app/pages directory.
  2. Create a new file named sign-in.hbs in the company.page.sign-in directory you just created and copy the configrations given below to the file.

    Panel
    Expand
    titleClick here to expand and copy the configurations.
    Code Block
    {
     {
      !
      Copyright(c) 2017, WSO2 Inc.(http: //www.wso2.org) All Rights Reserved.
    
       WSO2 Inc.licenses this file to you under the Apache License,
       Version 2.0(the "License"); you may not use this file except in compliance with the License.You may obtain a copy of the License at
    
       http: //www.apache.org/licenses/LICENSE-2.0
    
       Unless required by applicable law or agreed to in writing,
       software distributed under the License is distributed on an "AS IS"
       BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.See the License
       for the specific language governing permissions and limitations under the License.
      }
     } {
      {#
       zone "title"
      }
     } {
      {
       !to override parent page title
      }
     } {
      {
       /zone}} {
        {
         unit "cdmf.unit.ui.title"
         pageTitle = "Login"
        }
       }
    
       {
        {#
         zone "content"
        }
       } < div class = "row" >
        < div class = "col-xs-12 col-sm-6 col-md-6 col-lg-4 col-sm-offset-3 col-md-offset-3 col-lg-offset-4" >
    
        < p class = "page-sub-title" > Login < /p> < hr / > {
         {#
          if message
         }
        } < div class = "alert alert-danger"
       style = "padding-right: 15px;" >
        < i class = "icon fw fw-warning" > < /i> {{message}}! < /div> {
         {
          /if}}
    
          < div class = "panel-body" >
           < form id = "signInForm"
          method = "POST"
          action = "{{loginActionUrl}}" >
           < div class = "form-group" >
           < label
          for = "username" > Username * < /label> < input type = "text"
          name = "username"
          class = "form-control"
          placeholder = "Enter your username"
          autofocus = "autofocus"
          required = "required" / >
           < /div> < div class = "form-group" >
           < label
          for = "password" > Password * < /label> < input type = "password"
          name = "password"
          class = "form-control"
          autocomplete = "off"
          placeholder = "Enter your password"
          required = "required" / >
           < /div> {
            {#
             if sessionDataKey
            }
           } < input type = "hidden"
          name = "sessionDataKey"
          value = "{{sessionDataKey}}" / > {
            {
             /if}} {
              {#
               if referer
              }
             } < input type = "hidden"
             name = "referer"
             value = "{{referer}}" / > {
               {
                /if}} < div class = "wr-input-control wr-btn-grp" >
                 < button class = "wr-btn btn-download-agent" >
                 Log in
                 < /button> < div id = "register-link-wrapper"
                style = "float: right; padding-top: 10px;" >
                 < a href = "{{@app.context}}/register"
                class = "pull-right create-account" > Create an account < /a> < /div> < /div> < /form> < h4 > Other login options: < /h4> < a onclick = "javascript: handleNoDomain('wso2.org%2Fproducts%2Fiot', 'OpenIDConnectAuthenticator')"
                href = "#"
                id = "icon-2" >
                 < img class = "idp-image"
                src = "{{@page.publicUri}}/images/openid.png"
                data - toggle = "tooltip"
                data - placement = "top"
                title = "OpenID Connect" / > Sign in with OpenID Connect < /a> < /div> < /div> < /div> {
                  {
                   /zone}} {
                    {
                     ~#zone "bottomJs"
                    }
                   } < script type = "text/javascript" >
                    function handleNoDomain(key, value) {
                     document.location = "../commonauth?idp=" + key + "&authenticator=" + value +
                      "&sessionDataKey={{sessionDataKey}}";
                    } < /script> {
                     {
                      /zone}}
  3. Create a new file named sign-in.json in the <IOTS_HOME>/repository/deployment/server/jaggeryapps/devicemgt/app/pages/company.page.sign-in directory.
  4. Copy the configurations given below to the sign-in.json file you created.

    Panel
    Expand
    titleClick here to expand and copy the configurations.
    Code Block
    titlesign-in.json
    {
     "version": "1.0.0",
     "layout": "uuf.layout.sign-in",
     "uri": "/login",
     "extends": "cdmf.page.sign-in",
     "isAnonymous": true
    }
  5. Create a directory named public inside the company.page.sign-in directory.

  6. Create a directory named images inside the company.page.sign-in/public directory.

  7. Download the http://demo.identityserver.io/icon.png file and copy it renamed the downloaded file to openid.png.

  8. Cop the openid.png file to the company.page.sign-in/public/images directory.

Now you have configured WSO2 IoT Server successfully. Let's try it out and see.

...

  1. Start the WSO2 IoT Server's core profile.

    Code Block
    cd <IOTS_HOME>/bin
    ./iot-server.sh
  2. Access the device management console: https://<IOTS_HOST>:<IOTS_HTTPS_PORT>/devicemgt

    Info
    • By default, <IOTS_HOST> is localhost. However, if you are using a public IP, the respective IP address or domain needs to be specified.
    • By default, <IOTS_HTTPS_PORT> has been set to 9443. However, if the port offset has been incremented by n, the default port value needs to be incremented by n.
  3. Click Sign in with OpenID Connect.
    <Insert Screenshot> Image Added
    You are redirected to the OpenID connect log in page.
  4. Enter bob as the username and bob as the password, and click Log In. This is the default username and password for the IdentityServerV4 demo site.
    Once the authentication is successful, you are redirected into the device management console. 
Note

The When starting off the user bob did not exist in WSO2 IoT Server. Because you configured JIT provisioning for the IdP, you see that tha a new user named bob is created under users in the WSO2 IoT Server management console.
Follow the steps given below to check it out:

  1. Access the IoT Server managemnet console.
  2. On the Main tab in the Management Console, click List under Users and Roles.
  3. Click  Users . This link is only visible to users with the Admin role.
  4. Click  Update Profile  next to bob.
  5. In the screen that appears, check the Role assigned to bob.
    The Internal/devicemgt-admin role is assigned because you configured WSO2 IoT Server to assign this role to all the JIT provisioned users when in step 6 when c onfiguring the WSO2 IoT Server IdP.

Congratulations! You have successfully configured setting up dederated federated IdP with OpenID Connect for WSO2 IoT Server.