Single sign-on (SSO) allows a user who has authenticated against one application to access other related applications without authenticating again. It also allows the Web applications to call a set of back-end services with the logged-in user's access rights, and the back-end services can authorize the user based on claims such as the user's role.
WSO2 API Manager supports single sign-on with SAML 2.0, implemented on top of the SAML 2.0 Web browser-based SSO profile provided by WSO2 Identity Server (IS). The feature is available in IS 4.1.0 and later; this guide uses IS 5.0.0. WSO2 Identity Server acts as the identity provider for the SSO-enabled systems, while the Web applications, such as the API Manager apps, act as SSO service providers. Using this feature you can configure SSO across the two API Manager Web applications, API Publisher and API Store, as well as other Web applications in your organization. Once configured, a single authentication gives access to both API Store and API Publisher.
To learn more about single sign-on with WSO2 Identity Server, see the following article in the WSO2 library: http://wso2.org/library/articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server
The topics below explain the configurations:
Sharing the user store
Before moving to the SSO configuration, point both WSO2 IS and WSO2 API Manager to a single user store using the instructions given in Configuring User Stores. For example, to use a common JDBC user store for both IS and API Manager:

1. Open the <AM_HOME>/repository/conf/datasources/master-datasources.xml file and add a datasource configuration for the database. For example (the username and password are placeholders; use the credentials of the account that owns the user-store database):

    <datasource>
        <name>WSO2_UM_DB</name>
        <description>The datasource used for registry and user manager</description>
        <jndiConfig>
            <name>jdbc/WSO2UMDB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/410_um_db</url>
                <username>username</username>
                <password>password</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>

2. Create the database schema by running the script relevant to your database from the <AM_HOME>/dbscripts directory.
3. Add the same datasource configuration to the <IS_HOME>/repository/conf/datasources/master-datasources.xml file.
4. Place the database driver JAR file in both the <IS_HOME>/repository/components/lib and <AM_HOME>/repository/components/lib directories.
5. Open the <AM_HOME>/repository/conf/user-mgt.xml file and change its dataSource property to the jndiConfig name given above (i.e., jdbc/WSO2UMDB). The value must match the JNDI name exactly, otherwise the server cannot look up the user store at startup.

    <Property name="dataSource">jdbc/WSO2UMDB</Property>

6. Make the same change in the <IS_HOME>/repository/conf/user-mgt.xml file.
7. The Identity Server has an embedded LDAP user store by default. Follow the instructions in Internal JDBC User Store Configuration to disable the default LDAP and enable the JDBC user store instead.
Sharing the registry space
Let's share a common registry space between IS and API Manager. This is done by creating a registry database and mounting it on both IS and API Manager.

1. Create a database named WSO2REG_DB. This example uses MySQL.
2. Run the script relevant to your database type from the <IS_HOME>/dbscripts folder, for example <IS_HOME>/dbscripts/mysql.sql.
3. Add the following datasource configuration to both the <IS_HOME>/repository/conf/datasources/master-datasources.xml and <AM_HOME>/repository/conf/datasources/master-datasources.xml files. Note that the ampersand separating the JDBC URL parameters must be written as &amp; inside the XML file; a bare & makes the file unparseable and the server will not start. The username and password are example values; use the credentials of the account that owns the registry database.

    <datasource>
        <name>WSO2REG_DB</name>
        <description>The datasource used for registry</description>
        <jndiConfig>
            <name>jdbc/WSO2REG_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>

4. Copy the registry.xml file from the <AM_HOME>/repository/conf/ directory to the <IS_HOME>/repository/conf/ directory, replacing the existing registry.xml in <IS_HOME>. This is necessary because the <indexingConfiguration> element is not present in the registry.xml that ships with IS.
5. Make the following changes to the <IS_HOME>/repository/conf/registry.xml file you copied in the step above.
   a. The handler that evaluates the XACML media type is not in the copied registry.xml, so add the handler shown below:

    <handler class="org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyHandler">
        <filter class="org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyMediaTypeMatcher">
            <property name="mediaType">application/xacml-policy+xml</property>
        </filter>
    </handler>

   b. Create the registry mounts by inserting the following sections into the registry.xml file. Do not replace the existing <dbConfig> for "wso2registry"; simply add the following configuration alongside it.

    <dbConfig name="govregistry">
        <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>
    <remoteInstance url="https://localhost">
        <id>gov</id>
        <dbConfig>govregistry</dbConfig>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
    </remoteInstance>
    <mount path="/_system/governance" overwrite="true">
        <instanceId>gov</instanceId>
        <targetPath>/_system/governance</targetPath>
    </mount>
    <mount path="/_system/config" overwrite="true">
        <instanceId>gov</instanceId>
        <targetPath>/_system/config</targetPath>
    </mount>

6. Add the same mount configuration (step 5b) to the <AM_HOME>/repository/conf/registry.xml file as well.
7. In the <IS_HOME>/repository/conf/ directory, point identity.xml at jdbc/WSO2AM_DB and user-mgt.xml at the user-store JNDI name defined earlier (jdbc/WSO2UMDB). Both names must be defined in the IS master-datasources.xml: jdbc/WSO2AM_DB is the name the API Manager uses for its own database in <AM_HOME>/repository/conf/datasources/master-datasources.xml, so copy that datasource definition into the IS file in the same way as the shared user-store and registry datasources above.

   identity.xml configuration:

    <DataSource>
        <!-- Include a data source name (jndiConfigName) from the set of data sources defined in master-datasources.xml -->
        <Name>jdbc/WSO2AM_DB</Name>
    </DataSource>

   user-mgt.xml configuration:

    <Realm>
        <Configuration>
            ...
            <Property name="dataSource">jdbc/WSO2UMDB</Property>
        </Configuration>
        ...
    </Realm>
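As an added example (not part of the page and not a WSO2 tool), the script below cross-checks the wiring that the two sharing sections above set up, using only the Python standard library. It parses master-datasources.xml from both servers, confirms that the shared JNDI names (jdbc/WSO2UMDB and jdbc/WSO2REG_DB by default) are defined with the same URL and driver on both, confirms that the JNDI names referenced from each server's user-mgt.xml and from the IS identity.xml exist in that same server's master-datasources.xml, flags the placeholder passwords used in the snippets above, and reports a JDBC URL containing a bare & as the XML parse error it is. sample_master, USER_MGT and IDENTITY are constructed fragments with the element layout of the real files; on a real deployment pass the file contents read from disk to check_wiring.

```python
# Added example: cross-check the datasource wiring behind the shared user store
# and shared registry.  Standard library only; inputs are the XML file contents.
import xml.etree.ElementTree as ET

# Values used in the guide's snippets; they are placeholders, not real secrets.
PLACEHOLDER_PASSWORDS = {"", "password", "apimanager", "wso2carbon"}


def datasources(master_xml):
    """Map JNDI name -> {url, driver, password} for each RDBMS <datasource>.
    Raises ET.ParseError on malformed XML, e.g. a bare '&' in a JDBC URL (must be &amp;)."""
    out = {}
    for ds in ET.fromstring(master_xml).iter("datasource"):
        cfg = ds.find("definition/configuration")
        if cfg is not None:  # non-RDBMS definitions carry no JDBC block
            out[ds.findtext("jndiConfig/name")] = {
                "url": cfg.findtext("url"),
                "driver": cfg.findtext("driverClassName"),
                "password": cfg.findtext("password") or "",
            }
    return out


def user_mgt_datasource(user_mgt_xml):
    """JNDI name from <Property name="dataSource"> in user-mgt.xml, or None."""
    for prop in ET.fromstring(user_mgt_xml).iter("Property"):
        if prop.get("name") == "dataSource":
            return (prop.text or "").strip()
    return None


def identity_datasource(identity_xml):
    """JNDI name from <DataSource><Name> in identity.xml, or None."""
    name = ET.fromstring(identity_xml).findtext(".//DataSource/Name")
    return name.strip() if name else None


def check_wiring(am_master, is_master, am_user_mgt, is_user_mgt, is_identity,
                 shared=("jdbc/WSO2UMDB", "jdbc/WSO2REG_DB")):
    """Return a list of problems; an empty list means the two servers agree."""
    problems = []
    try:
        am, is_ = datasources(am_master), datasources(is_master)
    except ET.ParseError as err:
        return [f"master-datasources.xml is not well-formed XML: {err}"]
    for jndi in shared:  # the shared databases must be identical on both sides
        if jndi not in am or jndi not in is_:
            problems.append(f"{jndi} is not defined on both servers")
            continue
        for key in ("url", "driver"):
            if am[jndi][key] != is_[jndi][key]:
                problems.append(f"{jndi} {key} differs: AM={am[jndi][key]!r} IS={is_[jndi][key]!r}")
    for side, defs in (("AM", am), ("IS", is_)):
        for jndi, d in defs.items():
            if d["password"] in PLACEHOLDER_PASSWORDS:
                problems.append(f"{side} datasource {jndi} still uses a placeholder password")
    # every JNDI name a config file refers to must exist on that same server
    references = (("AM user-mgt.xml", user_mgt_datasource(am_user_mgt), am),
                  ("IS user-mgt.xml", user_mgt_datasource(is_user_mgt), is_),
                  ("IS identity.xml", identity_datasource(is_identity), is_))
    for label, ref, defs in references:
        if ref not in defs:
            problems.append(f"{label} references {ref!r}, not a JNDI name in that server's master-datasources.xml")
    return problems


# --- constructed sample inputs with the element layout of the real files -----
def sample_master(*entries):
    """Minimal master-datasources.xml built from (name, jndi, url, password) tuples."""
    body = "".join(
        f"<datasource><name>{name}</name><jndiConfig><name>{jndi}</name></jndiConfig>"
        f'<definition type="RDBMS"><configuration><url>{url}</url><username>dbuser</username>'
        f"<password>{password}</password><driverClassName>com.mysql.jdbc.Driver</driverClassName>"
        "</configuration></definition></datasource>" for name, jndi, url, password in entries)
    return f"<datasources-configuration><datasources>{body}</datasources></datasources-configuration>"


USER_MGT = ('<UserManager><Realm><Configuration><Property name="dataSource">{}</Property>'
            "</Configuration></Realm></UserManager>")
IDENTITY = ("<Server><JDBCPersistenceManager><DataSource><Name>{}</Name></DataSource>"
            "</JDBCPersistenceManager></Server>")
UM_DB = ("WSO2_UM_DB", "jdbc/WSO2UMDB", "jdbc:mysql://localhost:3306/410_um_db", "s3cret-um")
REG_DB = ("WSO2REG_DB", "jdbc/WSO2REG_DB",
          "jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true", "s3cret-reg")
AM_DB = ("WSO2AM_DB", "jdbc/WSO2AM_DB", "jdbc:mysql://localhost:3306/apimgt", "s3cret-am")


def demo():
    """A consistent wiring, then an IS side that lacks WSO2AM_DB and misspells the user-store name."""
    ok = check_wiring(sample_master(UM_DB, REG_DB, AM_DB), sample_master(UM_DB, REG_DB, AM_DB),
                      USER_MGT.format("jdbc/WSO2UMDB"), USER_MGT.format("jdbc/WSO2UMDB"),
                      IDENTITY.format("jdbc/WSO2AM_DB"))
    broken = check_wiring(sample_master(UM_DB, REG_DB, AM_DB), sample_master(UM_DB, REG_DB),
                          USER_MGT.format("jdbc/WSO2UMDB"), USER_MGT.format("jdbc/WSO2UM_DB"),
                          IDENTITY.format("jdbc/WSO2AM_DB"))
    return ok, broken
```

The second case in demo() is the one this guide most easily produces: identity.xml on the IS side points at jdbc/WSO2AM_DB without that datasource being defined in the IS master-datasources.xml, and user-mgt.xml spells the user-store JNDI name differently from the jndiConfig that was actually added. Both mistakes only surface as a failed lookup at server start, so catching them from the files beforehand is cheaper.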
Next, let us look at the SSO configurations.
Configuring WSO2 Identity Server as a SAML 2.0 SSO Identity Provider
1. Download WSO2 Identity Server. See the IS documentation for instructions (https://docs.wso2.com/display/IS500/Getting+Started).
2. Start the IS server and log in to its Management Console UI (https://localhost:9443/carbon). If IS and API Manager run on the same host, one of them must be started with a port offset; the SSO URLs later in this guide assume IS is reachable on port 9444, so use that port for the console if you offset the IS.
3. Select Add under the Service Providers menu.
4. Give a service provider name and click Register.
   Tip: If you are working in a multi-tenanted environment and you want all tenants to be able to log in to the API Manager Web applications, you must tick the SaaS Application option that appears after registering the service provider. If not, only users in the current tenant domain (the one you are defining the service provider in) will be allowed to log in to the Web application, and you have to register new service providers for all Web applications (API Store and API Publisher in this case) from each tenant space separately. For example, say you have three tenants TA, TB and TC and you register the service provider in TA only. If you tick the SaaS Application option, users in the TA, TB and TC tenant domains will all be able to log in; otherwise, only users in TA will be able to log in.
   You are navigated to the detailed configuration page.
5. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section and provide the following configurations to register the API Manager Web applications as SSO service providers. Use exactly the values that the API Manager Web applications are configured with (next section): the Issuer must match the issuer in the app's site.json, and the Assertion Consumer URL is where IS posts the SAML Response, so a wrong host, port or path means the response never reaches the application. Response and assertion signing let the application verify that a response really came from this IS, using the IS certificate configured in the app's keystore, and single logout lets a logout from one application end the SSO session for the others.

To register API Publisher as an SSO service provider:
- Issuer: API_PUBLISHER
- Assertion Consumer URL: https://localhost:9443/publisher/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL of the acs page in your running publisher app.
- Select the following options:
  - Use fully qualified username in the NameID
  - Enable Response Signing
  - Enable Assertion Signing
  - Enable Single Logout
- Click Register once done.

To register API Store as an SSO service provider:
- Issuer: API_STORE
- Assertion Consumer URL: https://localhost:9443/store/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL of the acs page in your running store app.
- Select the following options:
  - Use fully qualified username in the NameID
  - Enable Response Signing
  - Enable Assertion Signing
  - Enable Single Logout
- Click Register once done.
Configuring WSO2 API Manager Apps as SAML 2.0 SSO Service Providers
1. Open <AM_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json and modify the following configurations found under ssoConfiguration:
   - enabled: Set this value to true to enable SSO in the application.
   - issuer: API_PUBLISHER. This value must match the Issuer value defined in the WSO2 IS SSO configuration above.
   - identityProviderURL: https://localhost:9444/samlsso. Change the IP and port accordingly. This is the SSO endpoint of your running WSO2 IS instance, to which the application redirects login requests.
   - keyStoreName: The keystore that holds the public certificate of the running IdP. As you use a remote instance of WSO2 IS here, import the public certificate of the IS keystore into the API Manager keystore and then point to the API Manager keystore. The default keystore of the API Manager is <AM_HOME>/repository/resources/security/wso2carbon.jks. Be sure to give the full path of the keystore here.
   - keyStorePassword: Password for the above keystore.
   - identityAlias: The alias under which the IS public certificate is stored in that keystore. With the default keystores on both sides this is wso2carbon, because every WSO2 distribution ships the same default wso2carbon key pair. In a production deployment replace the default keys on both servers and import the IS certificate under its own alias, since this certificate is what the application uses to verify the Response and Assertion signatures; a keystore that still trusts the shared default certificate accepts responses signed by any default WSO2 installation.
2. Similarly, configure the API Store with SSO. The only difference in the API Store SSO configuration is that the issuer is API_STORE.
3. Access the API Publisher: https://localhost:<Port number>/publisher (e.g., https://localhost:9443/publisher). Observe that the request is redirected to the WSO2 IS SAML 2.0 SSO login page.
4. Enter user credentials. If authentication against WSO2 IS succeeds, the browser is redirected back to the API Publisher Web application with the user already authenticated.
5. Access the API Store application, click its Login link (top right-hand corner) and verify that the same user is already authenticated in the API Store.
Even with SSO enabled, a user who does not have sufficient privileges for API Publisher/Store or any other application is not authorized to access them; SSO establishes who the user is, not what the user may do.
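The following is an added example, written for this page and not taken from WSO2's code, showing what the Issuer, Assertion Consumer URL and identityProviderURL settings above control on the wire. build_redirect_url produces the HTTP-Redirect AuthnRequest an API Manager app sends the browser to the IS /samlsso endpoint with, and check_response applies the checks an ACS page has to make on the Response that IS posts back: Destination and bearer Recipient equal to the app's own ACS URL, Audience equal to the app's own Issuer (so a Response minted for API_STORE cannot log a user into API_PUBLISHER), InResponseTo matching an outstanding request, a Success status, the validity window and the expected IdP issuer. Assumptions: idp_entity_id is passed in by the caller (a fresh IS 5.0.0 uses localhost as its resident IdP entity ID; check yours), the sample Response is constructed and unsigned, the fully qualified NameID admin@carbon.super is a made-up value, and the XML-signature verification that Response and Assertion signing add is assumed to have been done already with the certificate under identityAlias. This code does not implement that verification and is not a substitute for it.

```python
# Added example: the SAML 2.0 Web SSO exchange the settings above control,
# reduced to the SP side (an API Manager app).  Standard library only.  XML
# signature verification (what "Enable Response/Assertion Signing" calls for)
# is NOT implemented here; check_response assumes it was already done with the
# IdP certificate stored under identityAlias.
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:30Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_redirect_url(idp_sso_url, issuer, acs_url, request_id=None, issue_instant=None):
    """HTTP-Redirect binding: AuthnRequest -> raw DEFLATE -> base64 -> SAMLRequest parameter.
    Returns (redirect_url, request_id); the SP must keep request_id to match InResponseTo."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" Destination="{idp_sso_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    packed = base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()
    return f"{idp_sso_url}?{urlencode({'SAMLRequest': packed})}", request_id


def decode_saml_request(redirect_url):
    """Undo the redirect-binding encoding (what the IdP does on receipt)."""
    packed = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(packed), -15).decode()


def check_response(response_b64, sp_issuer, acs_url, idp_entity_id, request_id, now):
    """Validate a base64 SAML Response POSTed to the ACS and return the NameID.
    Raises ValueError naming the first failed check.  Signatures are assumed verified."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not this application's Assertion Consumer URL")
    if root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest (unsolicited or replayed)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("Response Issuer is not the configured IdP")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp_issuer:
        raise ValueError("Audience is another service provider's Issuer, not ours")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise ValueError("bearer SubjectConfirmationData does not name this ACS URL and request")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def sample_response(request_id, sp_issuer, acs_url, idp_entity_id, name_id, not_before, not_on_or_after):
    """Constructed, unsigned stand-in for the Response IS would POST to the ACS (demo input only)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="{not_before}" Destination="{acs_url}" InResponseTo="{request_id}">'
        f"<saml:Issuer>{idp_entity_id}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
        f"<saml:Issuer>{idp_entity_id}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{acs_url}" '
        f'NotOnOrAfter="{not_on_or_after}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{sp_issuer}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()
```

To see the redirect the Publisher issues, call build_redirect_url("https://localhost:9444/samlsso", "API_PUBLISHER", "https://localhost:9443/publisher/jagg/jaggery_acs.jag") and decode the result with decode_saml_request; the Issuer and AssertionConsumerServiceURL in the decoded XML are exactly the two values registered in the IS service provider. The negative cases matter as much as the positive one: because the Publisher and Store are registered as separate service providers, the Audience check is what stops a Response obtained for one from being replayed against the other, and the InResponseTo check is what stops an old Response from being posted again.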
If there are many WSO2 products in your environment, you can configure SSO for the management consoles of all products by changing the SAML2SSOAuthenticator configuration in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file as follows:
- Set the disabled attribute of the <Authenticator> element to false.
- ServiceProviderID: the issuer name of a service provider registered in IS for this management console (carbonserver1 in this example), registered in the same way as the API Publisher and API Store service providers above.
- IdentityProviderSSOServiceURL: the SAML SSO endpoint of the Identity Server, including its port.

    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
        <Priority>10</Priority>
        <Config>
            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
            <Parameter name="ServiceProviderID">carbonserver1</Parameter>
            <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso</Parameter>
            <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
        </Config>
    </Authenticator>

Make sure the <Priority> of the SAML2SSOAuthenticator is less than that of the BasicAuthenticator handler. See here for more information.