This document is work in progress and is only visible to those at WSO2.
This document covers the steps on how an external Identity Server is used to authenticate users that log in to WSO2 IoT Server using the OpenID Connect protocol. To make it easy for you to try out the scenario, the IdentiyServerV4 that is hosted on http://demo.identityserver.io
is used. You can follow the same steps to configure another Identity server.
Let's get started! Follow the steps given below:
Installing OpenID Authenticator Feature in IoT Server
To add the OpenID Connected authenticator to WSO2 IoT Server, you need to install the org.wso2.carbon.identity.application.authenticator.oidc.server.feature
.
Follow the steps given below to install the OpenID Connect application authenticator using the Maven execution script.
- Create a file named
openid-extension-deployer.xml
in the<IOTS_HOME>
directory. Copy the configurations given below to the
openid-extension-deployer.xml
file you created.Navigate to the
<IOTS_HOME>
directory via the terminal.cd <IOTS_HOME>
Execute the Maven script to install the
org.wso2.carbon.identity.application.authenticator.oidc.server.feature
.mvn clean install -f openid-extension-deployer.xml
Configuring the WSO2 IoT Server IdP
You need to add the federated OpenID Connect authentication configurations to the WSO2 IoT Server's default Identity Provider (IdP) configurations. Follow the steps given below:
- Open the
<IOTS_HOME>/conf/identity/identity-providers/iot_default.xml
file. Add the following configurations before the
<FederatedAuthenticatorConfigs>
tag.<IsEnabled>true</IsEnabled>
Add the following configurations inside the
<FederatedAuthenticatorConfigs
tag.The IdentiyServerV4's hosted demo server is available at
http://demo.identityserver.io
. If you are using your own external Identity Server, make sure to replacehttp://demo.identityserver.io
with the URL of your hosted Identity Server.<OpenIDConnectFederatedAuthenticatorConfig> <Name>OpenIDConnectAuthenticator</Name> <DisplayName>openidconnect</DisplayName> <IsEnabled>true</IsEnabled> <Properties> <Property> <Name>ClientId</Name> <Value>server.code</Value> </Property> <Property> <Name>ClientSecret</Name> <Value>secret</Value> </Property> <Property> <Name>OAuth2AuthzEPUrl</Name> <Value>http://demo.identityserver.io/connect/authorize</Value> </Property> <Property> <Name>OAuth2TokenEPUrl</Name> <Value>http://demo.identityserver.io/connect/token</Value> </Property> <Property> <Name>callbackUrl</Name> <Value>https://localhost:9443/commonauth</Value> </Property> <Property> <Name>IsUserIdInClaims</Name> <Value>false</Value> </Property> <Property> <Name>commonAuthQueryParams</Name> <Value>scope=openid</Value> </Property> </Properties> </OpenIDConnectFederatedAuthenticatorConfig>
Add
OpenIDConnectAuthenticator
as the value for the<DefaultAuthenticatorConfig>
tag.
Example:<DefaultAuthenticatorConfig>OpenIDConnectAuthenticator</DefaultAuthenticatorConfig>
Add the following configurations inside the
<ClaimConfig>
tag to return the values from the role list because the demo server does not return any values.<ClaimMappings> <ClaimMapping> <RemoteClaim> <ClaimUri>idp</ClaimUri> </RemoteClaim> <LocalClaim> <ClaimUri>http://wso2.org/claims/role</ClaimUri> </LocalClaim> <DefaultValue /> </ClaimMapping> </ClaimMappings>
Add the following configurations inside the
<PermissionAndRoleConfig>
tag. The new users that get created on the fly via JIT provisioning is assigned theInternal/devicemgt-admin
role by default.This allows you to map a remote role name into a local role name. In the example given below, the role that is taken by the
idp
claim you created above is mapped to theInternal/devicemgt-admin
role of WSO2 IoT Server. You can use this feature to map intuitive remote roles, such as mapping theAdministrator
into theInternal/devicemgt-admin
role.<RoleMappings> <RoleMapping> <localRole> <LocalRoleName>Internal/devicemgt-admin</LocalRoleName> <UserStoreId>PRIMARY</UserStoreId> </localRole> <remoteRole>local</remoteRole> </RoleMapping> </RoleMappings>
Add the following configurations inside the
<JustInTimeProvisioningConfig>
tag to enable Just-in-Time (JIT) provisioning.<IsProvisioningEnabled>true</IsProvisioningEnabled>
What is JIT provisioning?
With JIT provisioning, you can create users on the fly the first time they try to log in to WSO2 IoT Server.
Configuring the Service Providers
<IOTS_HOME>/conf/identity/service-providers
directory.- Open the
<IOTS_HOME>/conf/identity/service-providers/devicemgt.xml
file. Add the following configurations after the
<StepOrder>1</StepOrder>
property.<LocalAuthenticatorConfigs> <LocalAuthenticatorConfig> <Name>BasicAuthenticator</Name> <DisplayName>basicauth</DisplayName> <IsEnabled>true</IsEnabled> </LocalAuthenticatorConfig> </LocalAuthenticatorConfigs>
Extend the Log-In page for OpenID Connect
You need to extend the device management console's log in page so that it supports both the basic authentication, which is logging in using the username and password, and the OpenID connect authentication options.
Follow the steps given below:
- Create a new folder named
company.page.sign-in
in the<IOTS_HOME>/
repository/deployment/server/jaggeryapps/devicemgt/app/pages
directory. Create a new file named
sign-in.hbs
in thecompany.page.sign-in
directory you just created and copy the configrations given below to the file.- Create a new file named
sign-in.json
in the<IOTS_HOME>/
repository/deployment/server/jaggeryapps/devicemgt/app/pages/company.page.sign-in
directory. Copy the configurations given below to the
sign-in.json
file you created.Create a directory named public inside the
company.page.sign-in
directory.Create a directory named images inside the
company.page.sign-in/public
directory.Download the http://demo.identityserver.io/icon.png file and renamed the downloaded file to
openid.png
.Cop the
openid.png
file to thecompany.page.sign-in/public/images
directory.
Try it out
Follow the steps given below:
Start the WSO2 IoT Server's core profile.
cd <IOTS_HOME>/bin ./iot-server.sh
Access the device management console:
https://<IOTS_HOST>:<IOTS_HTTPS_PORT>/devicemgt
- By default,
<IOTS_HOST>
islocalhost.
However, if you are using a public IP, the respective IP address or domain needs to be specified. - By default,
<IOTS_HTTPS_PORT>
has been set to 9443. However, if the port offset has been incremented byn
, the default port value needs to be incremented byn
.
- By default,
- Click Sign in with OpenID Connect.
You are redirected to the OpenID connect log in page. - Enter bob as the username and bob as the password, and click Log In. This is the default username and password for the IdentityServerV4 demo site.
Once the authentication is successful, you are redirected into the device management console.
When starting off the user bob did not exist in WSO2 IoT Server. Because you configured JIT provisioning for the IdP, a new user named bob is created under users in the WSO2 IoT Server management console.
Follow the steps given below to check it out:
- Access the IoT Server managemnet console.
- On the Main tab in the Management Console, click List under Users and Roles.
- Click Users . This link is only visible to users with the Admin role.
- Click Update Profile next to bob.
- In the screen that appears, check the Role assigned to bob.
TheInternal/devicemgt-admin
role is assigned because you configured WSO2 IoT Server to assign this role to all the JIT provisioned users when in step 6 when c onfiguring the WSO2 IoT Server IdP.
Congratulations! You have successfully configured setting up federated IdP with OpenID Connect for WSO2 IoT Server.