Setting Up A Federated IdP with OpenID Connect
This document covers the steps for configuring an external Identity Server to authenticate users who log in to WSO2 IoT Server using the OpenID Connect protocol. To make it easy for you to try out the scenario, the IdentityServer4 demo hosted at http://demo.identityserver.io is used. You can follow the same steps to configure another Identity Server.
Let's get started!
Installing the OpenID Authenticator Feature in IoT Server
To add the OpenID Connect authenticator to WSO2 IoT Server, you need to install the org.wso2.carbon.identity.application.authenticator.oidc.server.feature feature.
Follow the steps given below to install the OpenID Connect application authenticator using the Maven execution script.
1. Create a file named openid-extension-deployer.xml in the <IOTS_HOME> directory. Copy the configurations given below to the openid-extension-deployer.xml file you created.
2. Navigate to the <IOTS_HOME> directory via the terminal.
    cd <IOTS_HOME>
3. Execute the Maven script to install the org.wso2.carbon.identity.application.authenticator.oidc.server.feature feature.
    mvn clean install -f openid-extension-deployer.xml
Configuring the WSO2 IoT Server IdP
You need to add the federated OpenID Connect authentication configurations to the WSO2 IoT Server's default Identity Provider (IdP) configuration. Follow the steps given below:
1. Open the <IOTS_HOME>/conf/identity/identity-providers/iot_default.xml file.
2. Add the following configuration before the <FederatedAuthenticatorConfigs> tag.
    <IsEnabled>true</IsEnabled>
3. Add the following configurations inside the <FederatedAuthenticatorConfigs> tag. The IdentityServer4 hosted demo server is available at http://demo.identityserver.io. If you are using your own external Identity Server, make sure to replace http://demo.identityserver.io with the URL of your hosted Identity Server.
    <OpenIDConnectFederatedAuthenticatorConfig>
        <Name>OpenIDConnectAuthenticator</Name>
        <DisplayName>openidconnect</DisplayName>
        <IsEnabled>true</IsEnabled>
        <Properties>
            <Property>
                <Name>ClientId</Name>
                <Value>server.code</Value>
            </Property>
            <Property>
                <Name>ClientSecret</Name>
                <Value>secret</Value>
            </Property>
            <Property>
                <Name>OAuth2AuthzEPUrl</Name>
                <Value>http://demo.identityserver.io/connect/authorize</Value>
            </Property>
            <Property>
                <Name>OAuth2TokenEPUrl</Name>
                <Value>http://demo.identityserver.io/connect/token</Value>
            </Property>
            <Property>
                <Name>callbackUrl</Name>
                <Value>https://localhost:9443/commonauth</Value>
            </Property>
            <Property>
                <Name>IsUserIdInClaims</Name>
                <Value>false</Value>
            </Property>
            <Property>
                <Name>commonAuthQueryParams</Name>
                <Value>scope=openid</Value>
            </Property>
        </Properties>
    </OpenIDConnectFederatedAuthenticatorConfig>
4. Add OpenIDConnectAuthenticator as the value for the <DefaultAuthenticatorConfig> tag.
    Example:
    <DefaultAuthenticatorConfig>OpenIDConnectAuthenticator</DefaultAuthenticatorConfig>
    Note!
    Make sure that the above configuration is on one line as shown above. If it is broken into new lines as shown below, you run into errors.
    Incorrect format:
    <DefaultAuthenticatorConfig>
        OpenIDConnectAuthenticator
    </DefaultAuthenticatorConfig>
5. Add the following configurations inside the <ClaimConfig> tag to obtain the role of the user who is signing in. Because the demo server does not return any role values, the idp claim is mapped to the local role claim instead.
    <ClaimMappings>
        <ClaimMapping>
            <RemoteClaim>
                <ClaimUri>idp</ClaimUri>
            </RemoteClaim>
            <LocalClaim>
                <ClaimUri>http://wso2.org/claims/role</ClaimUri>
            </LocalClaim>
            <DefaultValue/>
        </ClaimMapping>
    </ClaimMappings>
6. Add the following configurations inside the <PermissionAndRoleConfig> tag. The new users that get created on the fly via Just In Time (JIT) provisioning are assigned the Internal/devicemgt-admin role by default. This allows you to map a remote role name, which is a role that is not defined in WSO2 IoT Server, to a local role name, which is a role that is defined in WSO2 IoT Server. In the example given below, the role that is passed from IdentityServer4 in the idp claim is mapped to the Internal/devicemgt-admin role of WSO2 IoT Server. You can use this feature to map remote roles, such as mapping Administrator to the Internal/devicemgt-admin role.
    <RoleMappings>
        <RoleMapping>
            <localRole>
                <LocalRoleName>Internal/devicemgt-admin</LocalRoleName>
                <UserStoreId>PRIMARY</UserStoreId>
            </localRole>
            <remoteRole>local</remoteRole>
        </RoleMapping>
    </RoleMappings>
7. Add the following configuration inside the <JustInTimeProvisioningConfig> tag to enable JIT provisioning.
    <IsProvisioningEnabled>true</IsProvisioningEnabled>
    What is JIT provisioning?
    With JIT provisioning, you can create users on the fly the first time they try to log in to WSO2 IoT Server.
Configuring the Service Providers
The service provider configurations are in the <IOTS_HOME>/conf/identity/service-providers directory.
1. Open the <IOTS_HOME>/conf/identity/service-providers/devicemgt.xml file.
2. Add the following configurations after the <StepOrder>1</StepOrder> property. The federated authenticator name must match the name of the authenticator you enabled in iot_default.xml.
    <LocalAuthenticatorConfigs>
        <LocalAuthenticatorConfig>
            <Name>BasicAuthenticator</Name>
            <DisplayName>basicauth</DisplayName>
            <IsEnabled>true</IsEnabled>
        </LocalAuthenticatorConfig>
    </LocalAuthenticatorConfigs>
    <FederatedIdentityProviders>
        <IdentityProvider>
            <IdentityProviderName>wso2.org/products/iot</IdentityProviderName>
            <IsEnabled>true</IsEnabled>
            <DefaultAuthenticatorConfig>
                <FederatedAuthenticatorConfig>
                    <!-- must match the <Name> in iot_default.xml -->
                    <Name>OpenIDConnectAuthenticator</Name>
                    <IsEnabled>true</IsEnabled>
                </FederatedAuthenticatorConfig>
            </DefaultAuthenticatorConfig>
        </IdentityProvider>
    </FederatedIdentityProviders>
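The IdP file edited in the previous section (iot_default.xml) and the service provider file edited here (devicemgt.xml) have to agree with each other, and the one-line rule for DefaultAuthenticatorConfig from the Note above is exactly the kind of mistake a parser catches before the server does. The following Python script is an added example, not code from WSO2 IoT Server or its documentation. It parses constructed samples of both files (the element layout mirrors the snippets on this page; the real files contain more elements) and reports a federated authenticator name that the IdP does not enable, a DefaultAuthenticatorConfig value split over several lines, and one point the page does not mention: with OAuth2AuthzEPUrl and OAuth2TokenEPUrl on plain http, the client secret and the login exchange travel in clear text, which is tolerable only for the public demo server. All function and constant names are the example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the relevant part of iot_default.xml after the IdP steps
# above (the real file has more elements; the IdP name is taken from devicemgt.xml).
IDP_XML = """<IdentityProvider>
  <IdentityProviderName>wso2.org/products/iot</IdentityProviderName>
  <DefaultAuthenticatorConfig>OpenIDConnectAuthenticator</DefaultAuthenticatorConfig>
  <FederatedAuthenticatorConfigs><OpenIDConnectFederatedAuthenticatorConfig>
    <Name>OpenIDConnectAuthenticator</Name><IsEnabled>true</IsEnabled>
    <Properties>
      <Property><Name>ClientId</Name><Value>server.code</Value></Property>
      <Property><Name>ClientSecret</Name><Value>secret</Value></Property>
      <Property><Name>OAuth2AuthzEPUrl</Name><Value>http://demo.identityserver.io/connect/authorize</Value></Property>
      <Property><Name>OAuth2TokenEPUrl</Name><Value>http://demo.identityserver.io/connect/token</Value></Property>
      <Property><Name>callbackUrl</Name><Value>https://localhost:9443/commonauth</Value></Property>
      <Property><Name>commonAuthQueryParams</Name><Value>scope=openid</Value></Property>
    </Properties>
  </OpenIDConnectFederatedAuthenticatorConfig></FederatedAuthenticatorConfigs>
  <PermissionAndRoleConfig><RoleMappings><RoleMapping>
    <localRole><LocalRoleName>Internal/devicemgt-admin</LocalRoleName><UserStoreId>PRIMARY</UserStoreId></localRole>
    <remoteRole>local</remoteRole>
  </RoleMapping></RoleMappings></PermissionAndRoleConfig>
</IdentityProvider>"""

# Constructed sample of the devicemgt.xml authentication step; {name} is the
# federated authenticator the service provider asks the IdP to run.
SP_XML = """<ServiceProvider><AuthenticationStep>
  <StepOrder>1</StepOrder>
  <FederatedIdentityProviders><IdentityProvider>
    <IdentityProviderName>wso2.org/products/iot</IdentityProviderName>
    <IsEnabled>true</IsEnabled>
    <DefaultAuthenticatorConfig><FederatedAuthenticatorConfig>
      <Name>{name}</Name><IsEnabled>true</IsEnabled>
    </FederatedAuthenticatorConfig></DefaultAuthenticatorConfig>
  </IdentityProvider></FederatedIdentityProviders>
</AuthenticationStep></ServiceProvider>"""

# OIDC properties that must use TLS, and what travels over each of them.
TLS_REQUIRED = {"OAuth2AuthzEPUrl": "the user's login request",
                "OAuth2TokenEPUrl": "the client secret",
                "callbackUrl": "the authorization code"}

def enabled_authenticators(idp_root):
    """Names of federated authenticators in the IdP whose IsEnabled is true."""
    return {cfg.findtext("Name", "").strip()
            for cfg in idp_root.findall("FederatedAuthenticatorConfigs/*")
            if cfg.findtext("IsEnabled", "").strip().lower() == "true"}

def role_mappings(idp_xml):
    """{remote role: local role} as configured in the PermissionAndRoleConfig step."""
    root = ET.fromstring(idp_xml)
    return {rm.findtext("remoteRole", "").strip(): rm.findtext("localRole/LocalRoleName", "").strip()
            for rm in root.findall("PermissionAndRoleConfig/RoleMappings/RoleMapping")}

def check_idp(idp_xml):
    """Findings for iot_default.xml; an empty list means nothing was flagged."""
    root, findings = ET.fromstring(idp_xml), []
    raw = root.findtext("DefaultAuthenticatorConfig", "")
    if raw != raw.strip():  # the one-line rule from the Note in the IdP section
        findings.append("DefaultAuthenticatorConfig is split over several lines; keep it on one line")
    if raw.strip() not in enabled_authenticators(root):
        findings.append(f"DefaultAuthenticatorConfig '{raw.strip()}' is not an enabled federated authenticator")
    cfg = root.find("FederatedAuthenticatorConfigs/OpenIDConnectFederatedAuthenticatorConfig")
    props = {p.findtext("Name", "").strip(): p.findtext("Value", "").strip()
             for p in (cfg.findall("Properties/Property") if cfg is not None else [])}
    for key, payload in TLS_REQUIRED.items():
        url = props.get(key, "")
        if urlparse(url).scheme != "https":
            findings.append(f"{key} is not https ({url!r}): {payload} would travel in clear text")
    if "openid" not in props.get("commonAuthQueryParams", ""):
        findings.append("commonAuthQueryParams does not request the openid scope")
    return findings

def check_sp(sp_xml, idp_xml):
    """Findings for devicemgt.xml: each federated step must name the IdP and an
    authenticator that the IdP actually enables (a stale name fails the login)."""
    sp, idp = ET.fromstring(sp_xml), ET.fromstring(idp_xml)
    idp_name = idp.findtext("IdentityProviderName", "").strip()
    enabled, findings = enabled_authenticators(idp), []
    for step in sp.iter("AuthenticationStep"):
        order = step.findtext("StepOrder", "?").strip()
        for fidp in step.findall("FederatedIdentityProviders/IdentityProvider"):
            name = fidp.findtext("IdentityProviderName", "").strip()
            if name != idp_name:
                findings.append(f"step {order}: references IdP '{name}' but the IdP file defines '{idp_name}'")
            auth = fidp.findtext("DefaultAuthenticatorConfig/FederatedAuthenticatorConfig/Name", "").strip()
            if auth not in enabled:
                findings.append(f"step {order}: authenticator '{auth}' is not enabled in the IdP {sorted(enabled)}")
    return findings

if __name__ == "__main__":
    print("iot_default.xml:", check_idp(IDP_XML) or "OK")
    # FacebookAuthenticator stands in for a name copied from another federation set-up (constructed case)
    print("devicemgt.xml (stale name):", check_sp(SP_XML.format(name="FacebookAuthenticator"), IDP_XML) or "OK")
    print("devicemgt.xml (matching):", check_sp(SP_XML.format(name="OpenIDConnectAuthenticator"), IDP_XML) or "OK")
    print("role mappings:", role_mappings(IDP_XML))
```

Run it with python and it prints the findings for each sample; to check a real deployment, replace the two constructed strings with the contents of the files under <IOTS_HOME>/conf/identity. On the demo configuration the only findings are the two http endpoints, which is expected for the public demo server and a defect for anything else.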
Extend the log-in page for OpenID Connect
You need to extend the device management console's log-in page so that it supports both basic authentication, which is logging in using a username and password, and the OpenID Connect authentication option.
Follow the steps given below:
1. Create a new folder named company.page.sign-in in the <IOTS_HOME>/repository/deployment/server/jaggeryapps/devicemgt/app/pages directory.
2. Create a new file named sign-in.hbs in the company.page.sign-in directory you just created and copy the configurations given below to the file.
3. Create a new file named sign-in.json in the <IOTS_HOME>/repository/deployment/server/jaggeryapps/devicemgt/app/pages/company.page.sign-in directory. Copy the configurations given below to the sign-in.json file you created.
4. Create a directory named public inside the company.page.sign-in directory.
5. Create a directory named images inside the company.page.sign-in/public directory.
6. Download the http://demo.identityserver.io/icon.png file and rename the downloaded file to openid.png.
7. Copy the openid.png file to the company.page.sign-in/public/images directory.
Try it out
Follow the steps given below:
1. Start the WSO2 IoT Server's core profile.
    cd <IOTS_HOME>/bin
    ./iot-server.sh
2. Access the device management console: https://<IOTS_HOST>:<IOTS_HTTPS_PORT>/devicemgt
    - By default, <IOTS_HOST> is localhost. However, if you are using a public IP, the respective IP address or domain needs to be specified.
    - By default, <IOTS_HTTPS_PORT> is set to 9443. However, if the port offset is incremented by n, the default port value needs to be incremented by n.
3. Click Sign in with OpenID Connect. You are redirected to the OpenID Connect log-in page.
4. Enter bob as the username and bob as the password, and click Login. This is the default username and password for the IdentityServer4 demo site.
Once the authentication is successful, you are redirected to the device management console.
Congratulations! You have successfully set up a federated IdP with OpenID Connect for WSO2 IoT Server.
When you started, the user bob did not exist in WSO2 IoT Server. Because you configured JIT provisioning for the IdP, you see that a new user has been created under Users in the WSO2 IoT Server device management console. The new user's name is a string of integers, such as 88421113.
Follow the steps given below to check the role of the user that got created:
- Access the IoT Server management console.
- On the Main tab in the Management Console, click List under Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- Click View Roles next to the new user.
The Internal/devicemgt-admin role is assigned because you configured WSO2 IoT Server to assign this role to all JIT-provisioned users in step 6 of configuring the WSO2 IoT Server IdP.