Versions Compared

Old Version 18

changes.mady.by.user Former user

Saved on

compared with

New Version 19

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: we can get rid of the tenant domain. See https://support.wso2.com/jira/browse/CLOUDPROD-482

SAML 2.0 is an XML-based protocol. It uses security tokens containing assertions to pass information about an end-user between a SAML authority and a SAML consumer. A SAML authority is an identity provider (IDP) and a SAML consumer is a service provider (SP).

Enterprise applications that have SAML2 based SSO infrastructures sometimes need to consume OAuth-protected resources through APIs. However, these apps prefer to use the existing trust relationship with the IDP, even if the OAuth authorization server is entirely different from the IDP. The API Cloud leverages this trust relationship by exchanging the SAML2.0 token to an OAuth token with the authorization server. It acts as the OAuth authorization server. 

...

Let's configure the token exchange.

Configuring the token exchange

Note

Before you begin, make sure you have the following:

  • A valid user account in the API Store.
  • An Identity Provider which is capable of issuing SAML tokens.
  • A valid consumer key and consumer secret. Initially, these keys must be generated through the API Store by clicking the Generate link on My Subscriptions page.


To configure the Identity Provider, contact WSO2 API Cloud Support via a support request or chat.

Image Modified

Provide the following values: 

  • Identity Provider Public Certificate: The certificate used to sign the SAML assertion. Export the public certificate of WSO2 IS and import it here.  

  • Alias: Give the name of the alias if the Identity Provider identifies this token endpoint by an alias. E.g., https://keymanager.api.cloud.wso2.com/oauth2/token.

  • Identity Provider Entity Id: The SAML2 issuer name specified when generating the assertion token, which contains the unique identifier of the IDP.

  • SSO URL: Enter the IDP's SAML2 Web SSO URL value. E.g., https://localhost:9444/samlsso/ if you have offset the default port, which is 9443.

...

  1. Combine the consumer key and consumer secret keys as consumer-key:consumer-secret. Encode the combined string using base64 ( http://base64encode.org). Here's an example consumer key and secret combination: wU62DjlyDBnq87GlBwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue.
  2. Access the token API using a REST client such as the WSO2 REST Client or Curl. The parameters are explained below:

    • Assuming that both the client and the API Gateway run on the same server, the Token API URL is https://gateway.api.cloud.wso2.com:8243

    • payload - "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<SAML2_Encoded_Assertion_Token> &scope=PRODUCTION". Replace the <SAML2_Encoded_Assertion_Token> value as appropriate.

    • headers - Authorization :Basic <base64 encoded consumer-key:consumer-secret>, Content-Type: application/x-www-form-urlencoded. Replace the <base64 encoded consumer-key:consumer-secret> as appropriate.

    For example, the following Curl command is used to access the Token API. It generates an access token and a refresh token. You can use the refresh token at the time a token is renewed

    Code Block
    curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>, Content-Type: application/x-www-form-urlencoded" https://gateway.api.cloud.wso2.com:8243/token?tenantDomain=<your_tenant_domain>