This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring with an External Identity Server

App Manager comes in a fully distributed setup with the following nodes: Publisher, Store, Gateway and the IdP. One of the main roles of the Gateway is to secure web applications, using SAML2 SSO for authentication, XACML for authorization and enterprise subscriptions. While App Manager itself can act as the IdP, it is recommended to set up an external WSO2 Identity Server instance instead.

Follow the steps below to configure an external WSO2 Identity Server as the IdP for App Manager authentication.

This guide assumes that WSO2 Identity Server runs with port offset 1, so ${IS_SERVER_HOST} is localhost and ${IS_SERVER_PORT} is 9444.
  1. Change the following config elements in the <APPM_HOME>/repository/conf/app-manager.xml file.
    1. Change the ServerURL, Username and Password elements in the <AuthManager> section to point to the Identity Server URL and credentials. The ServerURL has the form:

      <ServerURL>https://${IS_SERVER_HOST}:${IS_SERVER_PORT}/services/</ServerURL>

      With the values assumed above, this becomes:

      <ServerURL>https://localhost:9444/services/</ServerURL>
    2. Change the IdentityProviderUrl and providerURL elements in the <SSOConfiguration> section as shown below:

      <IdentityProviderUrl>https://localhost:9444/samlsso</IdentityProviderUrl>
      <providerURL>https://localhost:9444</providerURL>
    3. Change the ServerUrl element in the <EntitlementServiceConfiguration> section as shown below:

      <ServerUrl>https://localhost:9444</ServerUrl>
  2. Change the identityProviderURL property in the <APPM_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json file as shown below:

      "ssoConfiguration": {
          "enabled": true,
          "issuer": "store",
          "identityProviderURL": "https://localhost:9444/samlsso",
          "keyStorePassword": "wso2carbon",
          "identityAlias": "wso2carbon",
          "responseSigningEnabled": "true",
          "storeAcs": "%https.host%/store/acs",
          "keyStoreName": "/repository/resources/security/wso2carbon.jks"
      },
  3. Change the identityProviderURL property in the <APPM_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json file as shown below:

      "ssoConfiguration": {
          "enabled": true,
          "issuer": "publisher",
          "identityProviderURL": "https://localhost:9444/samlsso",
          "keyStorePassword": "wso2carbon",
          "identityAlias": "wso2carbon",
          "responseSigningEnabled": "true",
          "publisherAcs": "%https.host%/publisher/sso",
          "keyStoreName": "/repository/resources/security/wso2carbon.jks"
      },
  4. Start both the App Manager and Identity Server instances.
  5. Log in to the WSO2 IS Management Console.
  6. Click Add under Main > Service Providers.
  7. Give a name for the service provider and click Register.
  8. You are navigated to the detailed configuration page. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section and click Configure.

  9. Provide the configurations to register the App Store as the SSO service provider. These sample values may change depending on your configuration.

    (The original page shows the example store configuration as a screenshot; it follows the same pattern as the publisher entry in the next step, using the issuer and ACS values from the store.json ssoConfiguration above.)

  10. Similarly, provide configurations to register the App Publisher and social apps as SSO service providers. These sample values may change depending on your configuration.
    • Issuer: Publisher
    • Assertion Consumer URL: https://localhost:9443/publisher/acs (i.e. https://{AppMHost}:{AppMPort}/publisher/acs). This is the URL of the ACS (Assertion Consumer Service) page of your running publisher app.
    • Select the following options:
      • Enable Response Signing
      • Enable Single Logout
    • Click Register once done.

    • Issuer: Social
    • Assertion Consumer URL: https://localhost:9443/social/acs (i.e. https://{AppMHost}:{AppMPort}/social/acs). This is the URL of the ACS page of your running social apps.
    • Select the following options:
      • Enable Response Signing
      • Enable Single Logout
    • Click Register once done.
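A misconfiguration that is easy to make in steps 1 to 3 is to leave one file pointing at App Manager's own port (9443) instead of the Identity Server's, or to leave responseSigningEnabled off so that unsigned SAML responses would be accepted. The following added check script (not part of WSO2's own tooling) reads constructed fragments of app-manager.xml, store.json and publisher.json and reports any setting that does not name the same https IdP; the <AppManager> root element name and the trimmed file contents are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed fragments of the files this page edits (the real files are larger;
# the <AppManager> root element name is an assumption made for this example).
APP_MANAGER_XML = """<AppManager>
  <AuthManager><ServerURL>https://localhost:9444/services/</ServerURL></AuthManager>
  <SSOConfiguration><IdentityProviderUrl>https://localhost:9444/samlsso</IdentityProviderUrl>
    <providerURL>https://localhost:9444</providerURL></SSOConfiguration>
  <EntitlementServiceConfiguration><ServerUrl>https://localhost:9444</ServerUrl></EntitlementServiceConfiguration>
</AppManager>"""
STORE_JSON = {"ssoConfiguration": {"enabled": True, "issuer": "store",
    "identityProviderURL": "https://localhost:9444/samlsso", "responseSigningEnabled": "true"}}
# publisher.json left at App Manager's own port (9443) and with signing off: two common slips.
BAD_PUBLISHER_JSON = {"ssoConfiguration": {"enabled": True, "issuer": "publisher",
    "identityProviderURL": "https://localhost:9443/samlsso", "responseSigningEnabled": "false"}}
XML_PATHS = ("AuthManager/ServerURL", "SSOConfiguration/IdentityProviderUrl",
             "SSOConfiguration/providerURL", "EntitlementServiceConfiguration/ServerUrl")

def check_idp_config(app_manager_xml, app_configs):
    """Return findings; an empty list means every setting names the same https IdP
    and each Jaggery app validates SAML response signatures."""
    root, findings, urls = ET.fromstring(app_manager_xml), [], {}
    for path in XML_PATHS:
        node = root.find(path)
        if node is None or not (node.text or "").strip():
            findings.append(f"app-manager.xml: {path} missing or empty")
        else:
            urls[f"app-manager.xml:{path}"] = node.text.strip()
    for name, cfg in app_configs.items():
        sso = cfg.get("ssoConfiguration", {})
        if sso.get("enabled") is not True:
            findings.append(f"{name}: ssoConfiguration.enabled is not true")
        if str(sso.get("responseSigningEnabled")).lower() != "true":
            findings.append(f"{name}: responseSigningEnabled is off, unsigned SAML responses would be accepted")
        idp = str(sso.get("identityProviderURL", ""))
        if not idp.endswith("/samlsso"):
            findings.append(f"{name}: identityProviderURL is not the IdP /samlsso endpoint")
        urls[f"{name}:identityProviderURL"] = idp
    origins = {}
    for key, url in urls.items():
        p = urlparse(url)
        if p.scheme != "https":
            findings.append(f"{key}: {url} is not https")
        origins.setdefault((p.hostname, p.port), []).append(key)
    if len(origins) > 1:  # every element must point at one and the same IdP
        findings.append("IdP host/port mismatch: " + "; ".join(
            f"{h}:{p} <- {', '.join(k)}" for (h, p), k in origins.items()))
    return findings
```

Run check_idp_config against the real files (parsed with json.load and the full XML) before starting the servers; the store-only call returns no findings, while adding BAD_PUBLISHER_JSON reports the disabled signing and the port mismatch.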