SAML 2.0 is an XML-based protocol. It uses security tokens containing assertions to pass information about an end-user between a SAML authority and a SAML consumer. A SAML authority is an identity provider (IDP) and a SAML consumer is a service provider (SP).
Enterprise applications that have SAML2-based SSO infrastructures sometimes need to consume OAuth-protected resources through APIs. These applications prefer to reuse their existing trust relationship with the IDP, even when the OAuth authorization server is an entirely different system from the IDP. The API Cloud leverages this trust relationship by exchanging the SAML2.0 token for an OAuth token; it acts as the OAuth authorization server.
The diagram below depicts this scenario. It uses WSO2 Identity Server as an example IDP; the same mechanism works with any other SAML2 Identity Provider:
The steps of the above diagram are explained below:
...
- The enterprise application (SP) wants to access an OAuth2-protected API resource through WSO2 API Cloud.
- The application makes a request to the API Cloud to exchange the SAML2 bearer token for an OAuth2.0 access token.
- Step [4]: The API Cloud validates the assertion and returns the access token.
- Step [5]: The API Cloud returns the OAuth2 access token to the application.
- Step [6]: The user invokes APIs through the API Cloud, passing the returned OAuth2 access token in the Authorization header.
- Step [7]: The backend receives the API call together with a JWT that carries the user information.
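The following is an added example, not code from the WSO2 documentation, showing the two sides of the exchange described above: the form fields the application posts in step [3] (the grant type `urn:ietf:params:oauth:grant-type:saml2-bearer` and a base64url-encoded assertion, as RFC 7522 specifies) and the issuer, validity-window and audience checks an authorization server applies in step [4] against the configured Identity Provider Entity Id. The entity id, token endpoint URL and the assertion itself are constructed placeholders; the XML signature check against the Identity Provider Public Certificate needs an XML-DSig library and is intentionally not part of this example.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"  # SAML 2.0 assertion namespace
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type
# Values as entered on the "Connect your IdP (SAML Grant)" screen (constructed placeholders).
IDP_ENTITY_ID = "https://idp.example.com/samlsso"              # Identity Provider Entity Id
TOKEN_ENDPOINT = "https://api-cloud.example.com/oauth2/token"  # expected <saml:Audience>
TS = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime form used in the assertion

def build_token_request(assertion_xml: bytes, client_id: str, client_secret: str) -> dict:
    """Form fields the application posts to the token endpoint (diagram step [3])."""
    return {
        "grant_type": SAML2_BEARER_GRANT,
        "assertion": base64.urlsafe_b64encode(assertion_xml).decode("ascii"),  # base64url
        "client_id": client_id,
        "client_secret": client_secret,
    }

def check_assertion(encoded: str, now: datetime) -> list:
    """Checks the authorization server applies before minting a token (step [4]).
    Returns a list of failures; empty means the assertion passed. The XML signature
    check against the configured IdP certificate needs an XML-DSig library and is
    deliberately not part of this example."""
    root = ET.fromstring(base64.urlsafe_b64decode(encoded))
    failures = []
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer != IDP_ENTITY_ID:  # must equal the configured Entity Id
        failures.append(f"issuer {issuer!r} is not the configured IdP")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return failures + ["assertion carries no Conditions element"]
    parse = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
    if not parse(cond.get("NotBefore")) <= now < parse(cond.get("NotOnOrAfter")):
        failures.append("assertion is outside its validity window")
    if TOKEN_ENDPOINT not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        failures.append("token endpoint is not among the intended audiences")
    return failures

def sample_assertion(issuer: str, not_before: datetime, not_on_or_after: datetime) -> bytes:
    """Minimal unsigned assertion used as constructed test input (not real IdP output)."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c0ffee" Version="2.0"
    IssueInstant="{not_before.strftime(TS)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before.strftime(TS)}" NotOnOrAfter="{not_on_or_after.strftime(TS)}">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""".encode()
```

An assertion from an issuer other than the configured Entity Id, or one presented outside its NotBefore/NotOnOrAfter window, is rejected before any access token is issued.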
Let's configure the token exchange.
Configuring the token exchange
Note: Before you begin, make sure you have the following:
To configure the Identity Provider:
- On the Configure menu, click External Users:
- In the Connect External Users to API Cloud screen, click the API Consumer Authentication tab, and then select the Connect your IdP (SAML Grant) option:
- Provide the following values:
- Identity Provider Public Certificate: The certificate used to sign the SAML assertion. Export the public certificate of WSO2 IS and import it here.
- Identity Provider Entity Id: The SAML2 issuer name specified when generating the assertion token, which contains the unique identifier of the IDP.
- SSO URL: Enter the IDP's SAML2 Web SSO URL, e.g., https://localhost:9444/samlsso/ if you have applied a port offset to the default port, 9443.
...