Configuring API Manager for SSO
You can configure API Manager (APIM) for SAML SSO by following the instructions below.
Configuring the Carbon Console for SSO
Open the <API-M_HOME>/repository/conf/security/authenticators.xml file and give the configurations as shown below.
- Set the disabled attribute of the <Authenticator> element to false.
- ServiceProviderID: The issuer name of the service provider.
- IdentityProviderSSOServiceURL: The URL of the IDP. In this example, it is the URL of Identity Server.
A Service Provider (SP) is an entity that provides Web services. A service provider relies on a trusted Identity Provider (IdP) for authentication and authorization. In this case, the Identity Server acts as the IdP and does the task of authenticating and authorizing the user of the service provider.
```xml
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
        <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
        <Parameter name="ServiceProviderID">carbonserver1</Parameter>
        <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso</Parameter>
        <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
    </Config>
</Authenticator>
```
Make sure the <Priority> of the SAML2SSOAuthenticator is less than that of the BasicAuthenticator handler.
If there are many WSO2 products in your environment, you can configure SSO for the management consoles of those products by changing the SAML2SSOAuthenticator configuration in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file as shown above.
Configuring Publisher/Store for SSO
To configure SSO for the API Publisher, open the <API-M_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file and give the configurations as shown below.
```json
"ssoConfiguration" : {
    "enabled" : "true",
    "issuer" : "API_PUBLISHER",
    "identityProviderURL" : "https://localhost:9444/samlsso",
    "keyStorePassword" : "",
    "identityAlias" : "wso2carbon",
    "responseSigningEnabled" : "true",
    "assertionSigningEnabled" : "true",
    "keyStoreName" : ""
},
```
The identityAlias parameter is set to wso2carbon in the above example. You can configure an external server by importing the certificate of the IDP to APIM, and changing the identityAlias parameter value according to the certificate. To configure an IDP initiated SSO, you have to include the following additional parameters in the ssoConfiguration section.
```json
...
"idpInit" : "true",
"idpInitSSOURL" : "https://localhost:9444/samlsso?spEntityID=API_PUBLISHER",
"externalLogoutPage" : "https://localhost:9444/samlsso?slo=true"
...
```
To configure SSO for the API Store, open the <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file and change the ssoConfiguration section similarly.
The idpInitSSOURL value consists of <SAML2.IdPURL> and <SAML2.SPEntityId>:
Property | Description
---|---
SAML2.IdPURL=https://localhost:9443/samlsso | The URL of the SAML 2.0 Identity Provider
SAML2.SPEntityId=API_PUBLISHER | A unique identifier for this SAML 2.0 Service Provider application
The SAML2.SPEntityId should be the value of the issuer you specify under ssoConfiguration in <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json, which uniquely identifies your SAML service provider. Therefore it differs between the Store and the Publisher according to the issuer that you configure.
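As an added check, not part of the WSO2 documentation or product: a small Python script that loads the ssoConfiguration block of a site.json and flags the two mistakes the sections above warn against, an issuer that does not match the spEntityID carried in idpInitSSOURL, and signing that is not enabled for both responses and assertions. The sample configuration is constructed for illustration and deliberately contains both mistakes.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the "ssoConfiguration" block of a Store site.json;
# values are illustrative and deliberately contain two mistakes.
SAMPLE_SITE_JSON = """
{
  "ssoConfiguration": {
    "enabled": "true",
    "issuer": "API_STORE",
    "identityProviderURL": "https://localhost:9444/samlsso",
    "identityAlias": "wso2carbon",
    "responseSigningEnabled": "true",
    "assertionSigningEnabled": "false",
    "idpInit": "true",
    "idpInitSSOURL": "https://localhost:9444/samlsso?spEntityID=API_PUBLISHER"
  }
}
"""


def check_sso_configuration(site_json_text):
    """Return a list of findings for the ssoConfiguration block (empty = OK).

    Checks: issuer is set; response and assertion signing are both "true" so
    unsigned or altered SAML messages are rejected; and for IdP-initiated SSO
    the idpInitSSOURL points at identityProviderURL with spEntityID == issuer.
    """
    sso = json.loads(site_json_text).get("ssoConfiguration", {})
    if sso.get("enabled") != "true":
        return ['ssoConfiguration.enabled is not "true"; SSO is switched off']
    findings = []
    issuer = sso.get("issuer", "")
    if not issuer:
        findings.append("issuer is missing or empty")
    for flag in ("responseSigningEnabled", "assertionSigningEnabled"):
        if sso.get(flag) != "true":
            findings.append(f'{flag} should be "true"')
    if sso.get("idpInit") == "true":
        idp = urlsplit(sso.get("identityProviderURL", ""))
        init = urlsplit(sso.get("idpInitSSOURL", ""))
        if (init.scheme, init.netloc, init.path) != (idp.scheme, idp.netloc, idp.path):
            findings.append("idpInitSSOURL does not point at identityProviderURL")
        sp_id = parse_qs(init.query).get("spEntityID", [""])[0]
        if sp_id != issuer:
            findings.append(f"idpInitSSOURL spEntityID {sp_id!r} != issuer {issuer!r}")
    return findings
```

Run it against the real file by passing the contents of the Store or Publisher site.json to check_sso_configuration; an empty list means the block is consistent.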
Configuring the API Store for SSO in passive mode
If passive mode is disabled and single sign-on (SSO) is enabled, the Store redirects the user to the SSO login page. Because the WSO2 API Store allows anonymous access, passive mode is enabled by default, so that the user is directed to the API Store URL regardless of whether SSO is enabled, and the SSO workflow starts only when the Sign In button is clicked.
To disable passive mode, set the property named passive to false in the <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file.
```json
"ssoConfiguration" : {
    ...
    "passive" : "false",
    ...
},
```
By enabling passive mode in SSO Configuration, WSO2 API Manager enables Passive Authentication on Single Sign On.
Of the two fundamental authentication models, active and passive, active authentication is based on the WS-Trust protocol, in which a relying party is responsible for issuing the security token associated with the user credentials. In passive authentication, which is based on the SAML 2.0 and WS-Federation protocols, the relying party does not control the login logic and relies on the IdP to issue the credentials.
You can configure a SAML 2.0 SSO Identity Provider with WSO2 API Manager. For instructions on how to configure WSO2 Identity Server as the IDP, see Configuring Identity Server as IDP for SSO.