Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated the IS version and the links

...

Note

Before you begin, make sure you have the following:

  • A valid user account in the API Store.
  • A valid consumer key and consumer secret. Initially, these keys must be generated in the API Store by clicking the Generate Keys button on the Production Keys tab of the application.
  • A running API Gateway instance. 
  • If the Key Manager is on a different server than the API Gateway, change the server URL (host and ports) of the Key Manager accordingly in the <ServerURL> element of the <APIKeyManager> section in the <API-M_HOME>/repository/conf/ api-manager.xml file.
  • A valid SAML2 assertion. For instructions on how to configure WSO2 API Manager with SAML2, see Configuring API Manager for SSO

In this example, WSO2 Identity Server 5.35.0  is used as the IdP to get a SAML token and the API Manager is used as the OAuth server.

  1. Sign in to the API Manager's management console (https://localhost:9443/carbon) using admin/admin credentials. 

    Note

    If you are using a tenant to create the Identity Provider, use the credentials of tenant admin to log into the API Manager's Management Console.

  2. Click Main > Identity Providers > Add.
  3. Provide the following values to configure the IdP:
    • Under Basic Information 
      • Identity Provider Name: Enter a unique name for the IdP.

      • Identity Provider Public Certificate: The certificate used to sign the SAML assertion. Export the public certificate of WSO2 IS and import it here. 

        Alternatively, you can create a self-signed certificate and then export it as a .cer file using the following commands: 

        Code Block
        keytool -genkey -alias wookie -keyalg RSA -keystore wookieKeystore.jks -keysize 4096
keytool -v -export -file keystore1.cer -keystore wookiekeystore.jks -alias wookie
      • Alias: Give the name of the alias if the Identity Provider identifies this token endpoint by an alias. E.g., https://localhost:9443/oauth2/token.

    • Under Federated Authenticators > SAML2 Web SSO Configuration

      • Enable SAML2 Web SSO: true

      • Identity Provider Entity Id: The SAML2 issuer name specified when generating the assertion token, which contains the unique identifier of the IdP. You give this name when configuring the SP.

      • Service Provider Entity Id: Issuer name given when configuring the SP.

      • SSO URL: Enter the IDP's SAML2 Web SSO URL value. E.g., https://localhost:9444/samlsso/ if you have offset the default port, which is 9443.

        Note

        If you are in tenant mode, append the tenant domain to the SSO URL as a query parameter as below.

        https://localhost:9443/samlsso?tenantDomain=<tenantDomain>

    Next, let's  register a service provider.
  4. Sign in to the management console of the Identity Server and click Main > Service Providers > Add.
  5. Choose to edit the service provider that you just registered and click Inbound Authentication Configuration > SAML2 Web SSO Configuration.
  6. Provide the following values to configure the SP and click Update:

    Let's see how to get a signed SAML2 token (encoded assertion value) when authenticating against a SAML2 IDP. With the authentication request, you pass attributes such as the SAML2 issuer name, token endpoint and the restricted audience. In this guide, we use a command-line client program developed by WSO2 to create the 64-bit, URL-encoded SAML assertion. 

...

  1. Combine the consumer key and consumer secret keys as consumer-key:consumer-secret. Encode the combined string using base64 (http://base64encode.org). Here's an example consumer key and secret combination: wU62DjlyDBnq87GlBwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue.

    Let's create a SAML2 assertion using the same command-line client that you used in the previous section.
  2. Download the command-line too from here and extract the ZIP file.

  3. Go to the extracted folder using the command line and execute the following command. We assume that both the client and the API Gateway run on the same server. Therefore, the Token API URL is https://localhost:8243/token.

    Localtabgroup


    Localtab
    activetrue
    idformat
    titleFormat


    Code Block
    titleFormat
    java -jar SAML2AssertionCreator.jar <Identity_Provider_Entity_Id> <saml-subject> <saml-recipient> <saml-audience> <Identity_Provider_JKS_file> <Identity_Provider_JKS_password> <Identity_Provider_certificate_alias> <Identity_Provider_private_key_password>



    Localtab
    idexample
    titleExample


    Code Block
    titleExample
    java -jar SAML2AssertionCreator.jar localhost admin https://localhost:9443/oauth2/token https://localhost:9443/oauth2/token /home/user/wso2am-2.1.0/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon



    The arguments are as follows:

      • <Identity_Provider_Entity_Id> - This is the value of the saml:Issuer, which is a unique identifier of the identity provider.

      • <saml-subject> - This is the value of the name ID, which is found in the saml:Subject -> saml:NameId

      • <saml-recipient> - This is the value of the subject confirmation data recipient, which is found in the saml:Subject -> saml:SubjectConfirmation -> saml:SubjectConfirmationData.Recipient

      • <saml-audience> - This is the value that is added to the saml:AudienceRestriction element of the token. This argument can take multiple values separated by commas. Each value is added as a saml:Audience element within saml:AudienceRestriction.

      • <Identity_Provider_JKS_file> - Pointer to the Java Key Store (JKS) file to be used for credentials.

      • <Identity_Provider_JKS_password> - The JKS password.
      • <Identity_Provider_certificate_alias> - The alias of the public certificate.
      • <Identity_Provider_private_key_password> - The password of the private key that is used for signing.

    This command returns a SAML2 assertion XML string and a base64-URL encoded assertion XML string. 
    You now have a SAML2 assertion.

  4. Access the Token API using a REST client such as curl. For example, the following cURL command generates an access token and a refresh token. You can use the refresh token at the time a token is renewed

    Code Block
    curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<base64-URL_encoded_assertion>&scope=PRODUCTION" -H "Authorization: Basic <base64_encoded_consumer-key:consumer_secret>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
    Note

    Note that for users to be counted in the Registered Users for Application statistics which takes the number of users shared each of the Application, they should have to generate access tokens using Password Grant type.