Configuring Single Sign-on with OpenID Connect

OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 (OAuth2) protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.

Configuring SSO with OpenID Connect

Follow the instructions below to configure Single Sign-on (SSO) using OpenID Connect in WSO2 API Manager (WSO2 API-M) using WSO2 Identity Server (WSO2 IS):

Step 1 - Download WSO2 IS

Download WSO2 Identity Server 5.6.0.

For testing purposes if you want to run both the WSO2 API-M and WSO2 IS server on the same server, then you can go to the <IS_HOME>/repository/conf/carbon.xml file and offset the port by 1 as follows:
<Offset>1</Offset>

Step 2 - Download WSO2 API-M

Download WSO2 API Manager 2.5.0.

For testing purposes if you want to run both the WSO2 API-M and WSO2 IS server on the same server, then you can change the hostname in WSO2 API-M.

Click here for more information on changing the hostname in WSO2 API-M.

Follow the instructions below to change the hostname in WSO2 API-M:

Navigate to the <API-M_HOME>/repository/conf/carbon.xml file.
Change the hostname and the management hostname based on your choice.
For example:
```
<HostName>wso2.am</HostName>
<MgtHostName>wso2.am</MgtHostName>
```
Open the /etc/hosts file.
```
vim /etc/hosts
```
Add the new hostname in the /etc/hosts file.

Step 3 - Configure the user database

Configure a database of your choice with SSL support. This example uses a MySQL database.

Click here to configure a MySQL DB.

Follow the instructions below to configure your user DB if you are using MySQL. For more information, see Installing and Configuring the Databases.

Download and install MySQL Server 5.7.
For more information on DB compatibility, see Tested DBMSs.
Download the MySQL JDBC driver.
Unzip the downloaded MySQL driver archive, and copy the MySQL JDBC driver JAR (mysql-connector-java-x.x.xx-bin.jar) into the <API-M_HOME>/repository/components/lib directory and in to the <IS_HOME>/repository/components/lib directory.
Access the database.
Enter the following command in a command prompt, where <username> is the username.
Error rendering macro 'code': Invalid value specified for parameter 'firstline'
```
mysql -u<username> -p
```
Error rendering macro 'code': Invalid value specified for parameter 'firstline'
```
mysql -uroot -p
```
When prompted, specify the password that corresponds to the username that you specified to access the database.
Create the databases using the following commands, where <API-M_HOME> is the path to the WSO2 API Manager instance that you installed, and the username and password are the same credentials that you specified in the previous steps.
```
mysql> create database userdb;
mysql> use userdb;
mysql> source <API-M_HOME>/dbscripts/mysql5.7.sql;
```

Step 4 - Configure the user stores

Follow the instructions below to share the user stores between WSO2 API-M and WSO2 IS.

Navigate to the master-datasources.xml file in the following directories.
- WSO2 IS - <IS_HOME>/repository/conf/datasources
- WSO2 API-M - <API-M_HOME>/repository/conf/datasources
Add the WSO2UM_DB related datasource configurations in order to share the user stores between WSO2 API-M and WSO2 IS.

By default, WSO2 API-M uses a JDBC user store, while WSO2 IS uses a LDAP user store. This example uses a JDBC user store and MySQL DB.
Update the user-mgt.xml file in the <IS_HOME>/repository/conf directory and the <API-M_HOME>/repository/conf directory. Update the default configurations with the following property configurations.
```
<configuration> 
...
	<Property name="dataSource">jdbc/WSO2UM_DB</Property>
</configuration>
```

Configure the user store manager properties.
In this example, as you are using JDBC as the user store, you need to update the <IS_HOME>/repository/conf/user-mgt.xml file as follows:

Comment out the default LDAP user store details, which are defined in the <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> section.

Uncomment the following code block with regard to the to the JDBC user store.

        <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
            <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
            <Property name="ReadOnly">false</Property>
            <Property name="ReadGroups">true</Property>
            <Property name="WriteGroups">true</Property>
            <Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
            <Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
            <Property name="CaseInsensitiveUsername">false</Property>
            <Property name="SCIMEnabled">false</Property>
            <Property name="IsBulkImportSupported">false</Property>
            <Property name="PasswordDigest">SHA-256</Property>
            <Property name="StoreSaltedPassword">true</Property>
            <Property name="MultiAttributeSeparator">,</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="MaxRoleNameListLength">100</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
            <Property name="UserNameUniqueAcrossTenants">false</Property>
        </UserStoreManager>

You could alternatively use the embedded LDAP in the WSO2 Identity Server as your user store. For more information, see Configuring the Primary User Store in the Administration Guide.

Step 5 - Configure the Identity Provider

Configure an Identity Provider of your choice. In this example we use WSO2 IS as the Identity Provider (IdP).

Follow the instructions below to configure WSO2 IS as the IdP:

Start WSO2 Identity Server.
- On Windows: <IS_HOME>/bin/wso2server.bat --run
- On Linux/Mac OS: sh <IS_HOME>/bin/wso2server.sh
Create a service provider (SP) for the Store. For more detailed information, see Adding and Configuring a Service Provider in the WSO2 Identity Server 5.6.0 documentation.
1. Create a service provider (SP) as API_STORE with a inbound OAuth/oidc callback URL as https://<APIM-hostname>:9443/store/jagg/jaggery_oidc_acs.jag and enable the authorization-code grant type, by checking the Code checkbox that corresponds to Allowed Grant Types.
  <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.
2. Add claim mapping and set the http://wso2.org/claims/displayName as the local claim and make it a mandatory claim.
  Your configurations should look similar to the following after creating the service provider.
Create a service provider for the Publisher.
1. Create a service provider as API_PUBLISHER with a inbound OAuth/oidc callback URL as https://<APIM-hostname>:9443/publisher/jagg/jaggery_oidc_acs.jag and enable the authorization-code grant type.
  <APIM-hostname> - Replace this with the hostname of the WSO2 API Manager Server.
2. Add claim mapping and set the http://wso2.org/claims/displayName as the local claim and make it a mandatory claim.
  Your configurations should look similar to the following after creating the service provider.

Step 6 - Configure WSO2 API-M

Configure WSO2 API-M with the Identity Provider.

Follow the instructions below to configure WSO2 API-M with WSO2 IS, which is the Identity Provider in this example.

Configure the API Store. For more detailed information, see Adding and Configuring a Service Provider in the WSO2 Identity Server 5.7.0 documentation.
1. Navigate to the <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file.
2. Edit the oidcConfiguration section to point to the IdP that you configured in step 5.
Configure the API Publisher.
1. Navigate to the <API-M_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.jsonfile.
2. Edit the oidcConfiguration section to point to the IdP that you configured in step 5.

Step 7 - Import the public certificate of the Identity Provider

Import the public certificate of the Identity Provider (IdP), which corresponds to the WSO2 Identity Server, into the client-trustore.jks of WSO2 API-M.

Navigate to the <IS_HOME>/repository/resources/security directory.
```
cd <IS_HOME>/repository/resources/security
```
Export the public certificate to a .pem file.
Copy the <IS_HOME>/repository/resources/security/publickey.pem file to the <API-M_HOME>/repository/resources/security directory.
Navigate to the <API-M_HOME>/repository/resources/security directory.
```
cd <API-M_HOME>/repository/resources/security
```
Import the .pem file in to the client trust store (client-truststore.jks).
Check the details of the imported certificate that corresponds to the Identity Provider.
```
keytool -list -alias wso2is -keystore client-truststore.jks -v
```

Step 8 - Start WSO2 API Manager

Start WSO2 API-M based on your OS.

On Windows: <API-M_HOME>/bin/wso2server.bat --run
On Linux/Mac OS: sh <API-M_HOME>/bin/wso2server.sh

Using SSO in API Manager with OpenID Connect

Follow the instructions below to use OpenID Connect based SSO with the API Store and the API Publisher.
Let's consider a scenario where you first log in to the Publisher and then log in to the Store.

Configure OpenID Connect for SSO.
For more information, see Configuring SSO with OpenID Connect.
Access the API Publisher.
https://<APIM-hostname>:<APIM-port>/publisher/
In this example, access the Publisher as follows:
https://wso2.am:9443/publisher/
Provide your username and password and click SIGN IN.
Enter your username as the display name and click SIGN IN.
Check Select All to select the mandatory user claims related to API_PUBLISHER and also check one of the approve options (Approve Once or Approve Always) based on your preference.
If you select Approve Once, you will have to approve OpenID user claim related data each time that you sign in to the Publisher.
Click Continue.
You are now logged in to the Publisher interface.
Access the Store.
https://<APIM-hostname>:<APIM-port>/store/
In this example, access the Store as follows:
https://wso2.am:9443/store/
Click Sign In.
Check Select All to select the mandatory user claims related to API_STORE and also check one of the approve options (Approve Once or Approve Always) based on your preference.
If you select Approve Once, you will have to approve OpenID user claim related data each time that you sign in to the Store.
Click Continue.
You are directly logged in to the Store without needing to add any user credentials.