WSO2 SSO Setup with Azure Active Directory

Mohan Akurathi
Mar 31, 2021

In this article, we are going to see how to implement Single Sign-On (SSO) for WSO2 API Manager using Azure AD as a Federated Identity Provider.

To enable SSO with Azure AD, we first need to register a new application in the Azure portal.

Registering an Application in Azure:

· Log in to the Azure portal, navigate to “Azure Active Directory” > “Enterprise applications”, click the “New Application” button, select “Non-Gallery Application”, enter the name of your application and click “Add”.

· The newly created application now appears in the list of applications. Click on it and select “Set up Single Sign-On with SAML” to configure SSO.

· To edit the basic SAML configuration options, select the Edit icon in the upper-right corner of the Basic SAML Configuration section and provide the following properties.

Identifier (Entity ID): wso2is1

Reply URL (Assertion Consumer Service URL): https://localhost:9444/commonauth

Sign on URL: https://localhost:9444/samlsso

WSO2 SSO Setup- Authorization and Authentication

Step 1: Sharing databases between Key Manager and API Manager:

· Configure the APIM_DB and SHARED_DB data sources in the deployment.toml of the Key Manager.

[database.apim_db]
type = "mysql"
url = "jdbc:mysql://localhost:3306/wso2am_db"
username = "username"
password = "password"

[database.shared_db]
type = "mysql"
url = "jdbc:mysql://localhost:3306/wso2_shared_db"
username = "username"
password = "password"

· Apply the above configurations in Publisher and Developer Portal as well.

Step 2: Configure Publisher and DevPortal with Key Manager:

· Apply the following configuration in the deployment.toml of both the Publisher and the Developer Portal so that they point to the Key Manager.

[apim.key_manager]
service_url = "https://localhost:9444/services/"
username = "admin"
password = "admin"

Step 3: Enable the email username for both Identity Server and the API Manager:

· Add the following configuration to the deployment.toml of the Publisher, Developer Portal and Key Manager.

[tenant_mgt]
enable_email_domain = true

[super_admin]
username = "admin@wso2.com"
password = "admin"
create_admin_account = true

Step 4: Configuring the Federated Authenticator for Azure AD

· Log in as the admin user to the Key Manager console at https://localhost:9444/carbon

· In the left menu select “Add” under “Identity Providers” and provide a unique name for your Identity provider.

· Expand the federated authenticators section, select the “SAML2 Web SSO Configuration” option and provide the following properties, which correspond to the application you created in Azure.

Service Provider Entity Id: wso2is.590

Name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Identity Provider Entity Id: https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

SSO URL: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2

Logout URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

Note: You need to register the application with your Azure Active Directory account to obtain the Entity ID, SSO URL and Logout URL values.

Step 5: Claim Mappings and User Provisioning for Azure AD Federated Authenticator

· Expand the “Claim Configuration” and “Basic Claim Configuration” tabs, select “Define Custom Claim Dialect” and add the claims listed below.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName : http://wso2.org/claims/givenname

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/memberOf : http://wso2.org/claims/role

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name : http://wso2.org/claims/emailaddress

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname : http://wso2.org/claims/lastname

· Select User ID Claim URI and Role Claim URI as “name” and “memberOf” respectively.

· Expand the “Role Configuration” tab under the Identity Provider configuration and provide the role mappings as below.

WSO2ProdAdmin: admin

WSO2ProdPublisher: INTERNAL/publisher

WSO2ProdSubscriber: INTERNAL/subscriber

WSO2ProdCreator: INTERNAL/creator
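As an added example (not part of the original article), the following Python script shows what the claim dialect and role mapping above produce for an Azure AD SAML Response: it checks the assertion Issuer against the Identity Provider Entity Id and the NameID format from Step 4, translates the attributes, and keeps only the memberOf groups that have a mapped WSO2 role. The tenant id, the user and the unsigned sample Response are constructed placeholders, and the Identity Server's signature validation is not modelled.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AZ = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Custom claim dialect from Step 5: Azure AD claim URI -> WSO2 local claim URI
CLAIM_MAP = {AZ + "firstName": "http://wso2.org/claims/givenname",
             AZ + "memberOf": "http://wso2.org/claims/role",
             AZ + "name": "http://wso2.org/claims/emailaddress",
             AZ + "surname": "http://wso2.org/claims/lastname"}
# Role mapping from Step 5: Azure AD group name -> WSO2 role
ROLE_MAP = {"WSO2ProdAdmin": "admin", "WSO2ProdPublisher": "INTERNAL/publisher",
            "WSO2ProdSubscriber": "INTERNAL/subscriber", "WSO2ProdCreator": "INTERNAL/creator"}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Constructed tenant id standing in for the xxxxxxxx-... value from Step 4
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

def map_azure_assertion(response_xml, expected_issuer=EXPECTED_ISSUER):
    """Return the user WSO2 would provision from an Azure AD SAML Response: checks the
    Issuer against the configured Identity Provider Entity Id and the NameID format,
    then applies CLAIM_MAP and ROLE_MAP. Signature verification is not modelled here."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format", NAMEID_FORMAT) != NAMEID_FORMAT:
        raise ValueError("NameID missing or in an unexpected format")
    claims = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        local = CLAIM_MAP.get(attr.get("Name"))
        if local:  # attributes outside the custom dialect are ignored
            claims[local] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    groups = claims.get("http://wso2.org/claims/role", [])
    roles = sorted({ROLE_MAP[g] for g in groups if g in ROLE_MAP})  # unmapped groups dropped
    username = claims.get("http://wso2.org/claims/emailaddress", [name_id.text])[0]
    return {"username": username, "claims": claims, "roles": roles}

# Constructed, unsigned sample Response in the shape Azure AD returns for this setup
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{NAMEID_FORMAT}">jane@wso2.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AZ}name"><saml:AttributeValue>jane@wso2.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{AZ}firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{AZ}memberOf"><saml:AttributeValue>WSO2ProdPublisher</saml:AttributeValue>
        <saml:AttributeValue>WSO2ProdCreator</saml:AttributeValue><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Calling map_azure_assertion(SAMPLE_RESPONSE) yields the email username, the WSO2 claims and the roles INTERNAL/creator and INTERNAL/publisher, while the unmapped Finance group grants nothing.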

Step 6: Configuring the Publisher and Store apps to use the Azure AD federated login

· Log in as the admin user to the Key Manager console at https://localhost:9444/carbon

· Navigate to the Service Providers list and click the “Edit” button corresponding to “admin_admin_store”.

· Expand the “Inbound Authentication” tab, then expand “SAML2 Web SSO Configuration”, go to the “configuration” link and provide the properties below.

Issuer: admin_admin_store

Assertion Consumer URLs: https://localhost:9443/devportal/jagg/jaggery_acs.jag

Select “Enable Single Logout”

· Expand the “Local & Outbound Authentication Configuration” and select the option “Federated Authentication”.

· In the drop-down list in front of the Federated Authentication option, select the Azure AD Federated authenticator which we created earlier.

· Follow the same steps for the Publisher’s Service provider as well.

Workflow of SSO with Azure AD

· A user clicks on the Publisher or Store Portals of the API Manager.

· The login request will be forwarded to the WSO2 Identity Server which acts as our main Identity Management interface.

· The WSO2 Identity Server will then send the SAML request over to the external SAML IDP which is Microsoft Azure.

· On validation of the SAML request, Azure AD prompts the user to log in with his/her Azure AD (Active Directory) credentials.

· On successful authentication of the Azure AD user, Azure AD sends the SAML response back to the Identity Server.

· Identity Server will then provision the user into our internal JDBC user-store used by the WSO2 products as the user database.

· If the authenticated user has the required privileges of access, then they will successfully SSO into the store/publisher applications.
