This documentation is for WSO2 IoT Server 3.2.0. View the documentation for the latest release.
Page Comparison - Setting Up A Federated IdP with OpenID Connect (v.11 vs v.12) - IoT Server 3.2.0 - WSO2 Documentation

...

You need to add the federated OpenID Connect authentication configurations to the WSO2 IoT Server's default Identity Provider (IdP) configurations. Follow the steps given below:

  1. Open the <IOTS_HOME>/conf/identity/identity-providers/iot_default.xml file.
  2. Add the following configurations before the <FederatedAuthenticatorConfigs> tag.

    <IsEnabled>true</IsEnabled>
  3. Add the following configurations inside the <FederatedAuthenticatorConfigs> tag.

    Info

    The IdentityServer4 hosted demo server is available at http://demo.identityserver.io. If you are using your own external Identity Server, make sure to replace http://demo.identityserver.io with the URL of your hosted Identity Server.

    <OpenIDConnectFederatedAuthenticatorConfig>
       <Name>OpenIDConnectAuthenticator</Name>
       <DisplayName>openidconnect</DisplayName>
       <IsEnabled>true</IsEnabled>
       <Properties>
          <Property>
             <Name>ClientId</Name>
             <Value>server.code</Value>
          </Property>
          <Property>
             <Name>ClientSecret</Name>
             <Value>secret</Value>
          </Property>
          <Property>
             <Name>OAuth2AuthzEPUrl</Name>
             <Value>http://demo.identityserver.io/connect/authorize</Value>
          </Property>
          <Property>
             <Name>OAuth2TokenEPUrl</Name>
             <Value>http://demo.identityserver.io/connect/token</Value>
          </Property>
          <Property>
             <Name>callbackUrl</Name>
             <Value>https://localhost:9443/commonauth</Value>
          </Property>
          <Property>
             <Name>IsUserIdInClaims</Name>
             <Value>false</Value>
          </Property>
          <Property>
             <Name>commonAuthQueryParams</Name>
             <Value>scope=openid</Value>
          </Property>
       </Properties>
    </OpenIDConnectFederatedAuthenticatorConfig>
  4. Add OpenIDConnectAuthenticator as the value for the <DefaultAuthenticatorConfig> tag.
    Example:

    <DefaultAuthenticatorConfig>OpenIDConnectAuthenticator</DefaultAuthenticatorConfig>
  5. Add the following configurations inside the <ClaimConfig> tag. This maps the remote idp claim to the local role claim so that a role value is populated from the claim, because the demo server does not return any role values of its own.

    <ClaimMappings>
       <ClaimMapping>
          <RemoteClaim>
             <ClaimUri>idp</ClaimUri>
          </RemoteClaim>
          <LocalClaim>
             <ClaimUri>http://wso2.org/claims/role</ClaimUri>
          </LocalClaim>
          <DefaultValue />
       </ClaimMapping>
    </ClaimMappings>
  6. Add the following configurations inside the <PermissionAndRoleConfig> tag. New users that get created on the fly via JIT provisioning are assigned the Internal/devicemgt-admin role by default.

    Info

    This allows you to map a remote role name to a local role name. In the example given below, the role carried by the idp claim you mapped above is mapped to the Internal/devicemgt-admin role of WSO2 IoT Server. You can use this feature to map intuitive remote roles, such as mapping Administrator to the Internal/devicemgt-admin role.

    <RoleMappings>
       <RoleMapping>
          <localRole>
             <LocalRoleName>Internal/devicemgt-admin</LocalRoleName>
             <UserStoreId>PRIMARY</UserStoreId>
          </localRole>
          <remoteRole>local</remoteRole>
       </RoleMapping>
    </RoleMappings>
  7. Add the following configurations inside the <JustInTimeProvisioningConfig> tag to enable Just-in-Time (JIT) provisioning.

    <IsProvisioningEnabled>true</IsProvisioningEnabled>

    Info

    What is JIT provisioning?

    With JIT provisioning, you can create users on the fly the first time they try to log in to WSO2 IoT Server.
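As an added check that is not part of the WSO2 documentation, the following Python snippet parses an OpenIDConnectFederatedAuthenticatorConfig block of the form shown above and flags settings that work against the demo IdP but should not reach production: plain-HTTP authorization and token endpoints (the token call carries the client secret), the placeholder client secret, a missing openid scope, and a disabled authenticator. The embedded XML is a constructed, trimmed copy of the block from step 3.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# Constructed sample: a trimmed copy of the authenticator block from this page,
# wrapped in a minimal parent element so it parses on its own.
SAMPLE_IDP_XML = """<IdentityProvider><FederatedAuthenticatorConfigs>
<OpenIDConnectFederatedAuthenticatorConfig>
  <Name>OpenIDConnectAuthenticator</Name>
  <IsEnabled>true</IsEnabled>
  <Properties>
    <Property><Name>ClientId</Name><Value>server.code</Value></Property>
    <Property><Name>ClientSecret</Name><Value>secret</Value></Property>
    <Property><Name>OAuth2AuthzEPUrl</Name><Value>http://demo.identityserver.io/connect/authorize</Value></Property>
    <Property><Name>OAuth2TokenEPUrl</Name><Value>http://demo.identityserver.io/connect/token</Value></Property>
    <Property><Name>callbackUrl</Name><Value>https://localhost:9443/commonauth</Value></Property>
    <Property><Name>commonAuthQueryParams</Name><Value>scope=openid</Value></Property>
  </Properties>
</OpenIDConnectFederatedAuthenticatorConfig>
</FederatedAuthenticatorConfigs></IdentityProvider>"""

def oidc_properties(xml_text):
    """Collect the OpenID Connect authenticator's <Property> entries into a dict."""
    root = ET.fromstring(xml_text)
    cfg = root.find(".//OpenIDConnectFederatedAuthenticatorConfig")
    if cfg is None:
        raise ValueError("no OpenIDConnectFederatedAuthenticatorConfig element")
    props = {p.findtext("Name"): p.findtext("Value", "") for p in cfg.iter("Property")}
    props["IsEnabled"] = cfg.findtext("IsEnabled", "")
    return props

def lint_oidc_config(xml_text):
    """Return findings that are acceptable against the demo IdP but not in production."""
    p = oidc_properties(xml_text)
    findings = []
    # The token endpoint receives the client secret and the authorization code;
    # the authorize endpoint and the callback carry the code. All three must use TLS.
    for key in ("OAuth2AuthzEPUrl", "OAuth2TokenEPUrl", "callbackUrl"):
        if urlparse(p.get(key, "")).scheme != "https":
            findings.append(f"{key} is not https: {p.get(key, '<missing>')}")
    if p.get("ClientSecret", "") in ("", "secret"):
        findings.append("ClientSecret is empty or the demo placeholder 'secret'")
    # Without the openid scope the request is plain OAuth 2.0 and no ID token is issued.
    scopes = parse_qs(p.get("commonAuthQueryParams", "")).get("scope", [""])[0].split()
    if "openid" not in scopes:
        findings.append("commonAuthQueryParams must request scope=openid")
    if p.get("IsEnabled") != "true":
        findings.append("the authenticator is not enabled (IsEnabled != true)")
    return findings
```

Run lint_oidc_config on the contents of your iot_default.xml; against the sample it reports the two HTTP endpoints and the placeholder secret, and an empty list once those are replaced.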

Configuring the Service Providers

The Jaggery applications in WSO2 IoT Server, such as the device management, app store, and app publisher consoles, are configured as service providers to enable Single Sign-On (SSO) and authentication. For more information on accessing the different consoles available in WSO2 IoT Server, see Accessing the WSO2 IoT Server Consoles.
You need to configure the service providers with both the basic authentication mechanism, which authenticates the user by the username and password entered, and the OpenID Connect authentication mechanism.
For this use case, only the devicemgt service provider is configured. If you want to configure the other applications, you need to add the same configurations that are given below to the other service providers in the <IOTS_HOME>/conf/identity/service-providers directory.
  1. Open the <IOTS_HOME>/conf/identity/service-providers/devicemgt.xml file.
  2. Add the following configurations after the <StepOrder>1</StepOrder> property.

    <LocalAuthenticatorConfigs>
       <LocalAuthenticatorConfig>
          <Name>BasicAuthenticator</Name>
          <DisplayName>basicauth</DisplayName>
          <IsEnabled>true</IsEnabled>
       </LocalAuthenticatorConfig>
    </LocalAuthenticatorConfigs>

Extend the Log-In page for OpenID Connect

...