Single sign-on (SSO) allows users who are authenticated against one application to gain access to multiple other related applications without having to repeatedly authenticate themselves. It also allows web applications to access a set of back-end services with the logged-in user's access rights, and the back-end services can authorize the user based on claims such as user role.
Configuring API Manager
You can configure APIM for SAML SSO by following the instructions below.
Configuring the Carbon Console for SSO
Open the <API-M_HOME>/repository/conf/security/authenticators.xml file and give the configurations as shown below.
- Set the disabled attribute of the <Authenticator> element to false.
- ServiceProviderID: The issuer name of the service provider.
- IdentityProviderSSOServiceURL: The URL of the IDP. In this example, it is the URL of Identity Server.
```xml
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
        <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
        <Parameter name="ServiceProviderID">carbonserver1</Parameter>
        <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso</Parameter>
        <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
    </Config>
</Authenticator>
```
Make sure the <Priority> of the SAML2SSOAuthenticator is less than that of the BasicAuthenticator handler. See here for more information.
Info: If there are many WSO2 products in your environment, you can configure SSO for the management consoles of those products by changing the
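The requirements above (the authenticator enabled, the two SAML parameters present, and the SAML2SSOAuthenticator priority less than the BasicAuthenticator priority) are easy to get wrong by hand, so the following added example checks an authenticators.xml file for them. It is example code written for this page, not part of WSO2 API Manager; the BasicAuthenticator element and its priority value in the sample are constructed, because the page only shows the SAML2SSOAuthenticator element.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the authenticators.xml fragment on this page.
# The BasicAuthenticator element and its <Priority> of 20 are assumptions.
SAMPLE_AUTHENTICATORS_XML = """<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
      <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
      <Parameter name="ServiceProviderID">carbonserver1</Parameter>
      <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso</Parameter>
      <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
    </Config>
  </Authenticator>
  <Authenticator name="BasicAuthenticator" disabled="false">
    <Priority>20</Priority>
  </Authenticator>
</Authenticators>"""


def _local(tag):
    """Drop any namespace prefix so the check works whether or not the file declares one."""
    return tag.rsplit("}", 1)[-1]


def load_authenticators(xml_text):
    """Return {name: {"disabled": bool, "priority": int|None, "params": {...}}} per <Authenticator>."""
    root = ET.fromstring(xml_text)
    result = {}
    for auth in root.iter():
        if _local(auth.tag) != "Authenticator":
            continue
        entry = {
            "disabled": auth.get("disabled", "false").strip().lower() == "true",
            "priority": None,
            "params": {},
        }
        for child in auth:
            if _local(child.tag) == "Priority":
                entry["priority"] = int((child.text or "").strip())
            elif _local(child.tag) == "Config":
                for param in child:
                    if _local(param.tag) == "Parameter":
                        entry["params"][param.get("name")] = (param.text or "").strip()
        result[auth.get("name")] = entry
    return result


def check_saml_sso(xml_text):
    """Return a list of findings; an empty list means the file meets the page's requirements."""
    auths = load_authenticators(xml_text)
    saml = auths.get("SAML2SSOAuthenticator")
    basic = auths.get("BasicAuthenticator")
    if saml is None:
        return ["SAML2SSOAuthenticator element not found"]
    findings = []
    if saml["disabled"]:
        findings.append("SAML2SSOAuthenticator is still disabled")
    # The page requires the SAML priority to be less than the BasicAuthenticator priority.
    if basic is not None and None not in (saml["priority"], basic["priority"]):
        if saml["priority"] >= basic["priority"]:
            findings.append(
                "SAML2SSOAuthenticator priority %d is not less than BasicAuthenticator priority %d"
                % (saml["priority"], basic["priority"])
            )
    for name in ("ServiceProviderID", "IdentityProviderSSOServiceURL"):
        if not saml["params"].get(name):
            findings.append("missing %s parameter" % name)
    # SAML requests and responses carry the user's session; keep the IdP endpoint on TLS.
    url = saml["params"].get("IdentityProviderSSOServiceURL", "")
    if url and not url.startswith("https://"):
        findings.append("IdentityProviderSSOServiceURL does not use https")
    return findings


if __name__ == "__main__":
    for finding in check_saml_sso(SAMPLE_AUTHENTICATORS_XML) or ["no findings"]:
        print(finding)
```

To run it against a real installation, read <API-M_HOME>/repository/conf/security/authenticators.xml into a string and pass it to check_saml_sso instead of the constructed sample.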
Configuring Publisher/Store for SSO
To configure SSO for the API Publisher, open the <API-M_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file and give the configurations as shown below.
```json
"ssoConfiguration" : {
    "enabled" : "true",
    "issuer" : "API_PUBLISHER",
    "identityProviderURL" : "https://localhost:9444/samlsso",
    "keyStorePassword" : "",
    "identityAlias" : "wso2carbon",
    "responseSigningEnabled" : "true",
    "assertionSigningEnabled" : "true",
    "keyStoreName" : ""
},
```
The identityAlias parameter is set to wso2carbon in the above example. To use an external identity provider, import the certificate of the IDP into the APIM keystore and change the identityAlias parameter to the alias of that certificate; APIM uses it to verify the signatures on SAML responses and assertions. To configure IDP-initiated SSO, include the following additional parameters in the ssoConfiguration section.
```json
...
"idpInit" : "true",
"idpInitSSOURL" : "https://localhost:9444/samlsso?spEntityID=API_PUBLISHER",
"externalLogoutPage" : "https://localhost:9444/samlsso?slo=true"
...
```
To configure SSO for the API Store, open the <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file and change the ssoConfiguration section similarly.
Configuring the API Store for SSO in passive mode
If passive mode is disabled and single sign-on (SSO) is enabled, the API Store redirects every user to the SSO login page. Because the WSO2 API Store allows anonymous access, passive mode is enabled by default: whether or not SSO is enabled, users are taken directly to the API Store URL, and the SSO workflow starts only when the Sign In button is clicked.
To disable passive mode, set the passive property to false in the <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file.
```json
"ssoConfiguration" : {
    ...
    "passive" : "true",
    ...
},
```
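The ssoConfiguration sections for the Publisher and Store above, the IDP-initiated parameters, and the passive flag are all string-valued settings in the same JSON file, so one audit function can review them together. The following added example (written for this page, not part of WSO2 API Manager) parses a site.json document, reports whether SSO, passive mode and IDP-initiated SSO are on, and flags settings a reviewer would question: signing of responses or assertions turned off, a non-HTTPS identityProviderURL, or idpInit enabled without its companion URLs. The sample document is constructed around the page's ssoConfiguration keys; a real site.json contains other sections that are omitted here.

```python
import json

# Constructed sample: the ssoConfiguration section from this page wrapped in a
# minimal JSON document. A real site.json has additional keys not shown here.
SAMPLE_SITE_JSON = """{
  "ssoConfiguration": {
    "enabled": "true",
    "issuer": "API_STORE",
    "identityProviderURL": "https://localhost:9444/samlsso",
    "keyStorePassword": "",
    "identityAlias": "wso2carbon",
    "responseSigningEnabled": "true",
    "assertionSigningEnabled": "true",
    "keyStoreName": "",
    "passive": "true"
  }
}"""


def as_bool(value):
    """site.json stores flags as the strings "true"/"false"; accept real booleans too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def audit_sso_configuration(site_json_text):
    """Return (findings, summary) for the ssoConfiguration section of a site.json document."""
    cfg = json.loads(site_json_text).get("ssoConfiguration", {})
    summary = {
        "enabled": as_bool(cfg.get("enabled", "false")),
        # None means the file does not set the flag at all.
        "passive": as_bool(cfg["passive"]) if "passive" in cfg else None,
        "idp_initiated": as_bool(cfg.get("idpInit", "false")),
    }
    findings = []
    if not summary["enabled"]:
        return findings, summary  # the remaining settings only matter with SSO on
    for key in ("issuer", "identityProviderURL", "identityAlias"):
        if not cfg.get(key):
            findings.append("%s is missing or empty" % key)
    url = cfg.get("identityProviderURL", "")
    if url and not url.startswith("https://"):
        findings.append("identityProviderURL does not use https")
    # Without signature checks the IdP certificate behind identityAlias is never
    # used to verify what the browser posts back, so both flags should stay true.
    for key in ("responseSigningEnabled", "assertionSigningEnabled"):
        if not as_bool(cfg.get(key, "false")):
            findings.append("%s is not true" % key)
    if summary["idp_initiated"]:
        for key in ("idpInitSSOURL", "externalLogoutPage"):
            if not cfg.get(key):
                findings.append("idpInit is true but %s is missing" % key)
    return findings, summary


if __name__ == "__main__":
    found, state = audit_sso_configuration(SAMPLE_SITE_JSON)
    print("state:", state)
    for finding in found or ["no findings"]:
        print(finding)
```

Point the function at the Publisher's and the Store's site.json in turn; the Store is the one where the passive flag matters, since the page notes it governs whether anonymous visitors are sent to the IDP login page.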