Login to WSO2 API Manager with Azure Cloud Active Directory — Part 1

Shenavi de Mel
7 min read · Jul 12, 2018


When we set up WSO2 API Manager in production deployments, users are typically reluctant to create a new account or self sign up. In most cases the users already have other logins which they would prefer to use to log in to the API Manager, without an administrator having to create each and every user manually in the user store and grant access.

What is Identity Federation?

Identity Federation is the linking of a person’s electronic identity and attributes stored across multiple distinct identity management systems. In other words, identity federation lets you integrate users from multiple user bases into your application using various authentication protocols. You can read more on Identity federation here.

Identity Federation with Azure Cloud Active Directory

In this article I will discuss how you can federate the users in your Azure Cloud Active Directory so that they can single sign on into the WSO2 API Manager and use its functionality. This does not require any connectors or plugins; users are authenticated using the SAML protocol after some configuration on Azure as well as on our WSO2 servers. We chose the SAML protocol here since WSO2 API Manager includes SSO with SAML 2.0, implemented according to the SAML 2.0 Web Browser SSO profile and provided by WSO2 Identity Server.

Let’s take a look at the diagram below to understand the flow of events which will take place during the federation with Azure Cloud AD.

  1. A user clicks on the Publisher or Store portal of the API Manager.
  2. The login request is forwarded to the WSO2 Identity Server, which acts as our main Identity Management interface.
  3. The WSO2 Identity Server then sends the SAML request over to the external SAML IdP, which is Microsoft Azure.
  4. Once the SAML request is validated, Azure prompts the user to log in with his/her Azure AD (Active Directory) credentials.
  5. On successful authentication of the Azure AD user, Azure sends the SAML response back to the Identity Server.
  6. The Identity Server then provisions the user into our internal JDBC user store, which the WSO2 products use as the user database.
  7. If the authenticated user has the required access privileges, they successfully SSO into the Store/Publisher applications.

Step-by-step guide on configuring Azure Cloud AD as a federated authenticator

This tutorial consists of two parts.

Setting up Azure to act as a federated authenticator for SAML based Single Sign On: https://medium.com/@shenavi21/connect-users-in-azure-cloud-active-directory-with-wso2-api-manager-part-1-569425460c1

Configuring WSO2 products for Single Sign On using Azure as a federated authenticator: https://medium.com/@shenavi21/connect-users-in-azure-cloud-active-directory-with-wso2-api-manager-part-2-5054a51363ac

Creating an Azure account for the tutorial

1. Create a free business account with the Microsoft portal. (You will find a “Try for free” option at the bottom of the page.)

2. After you have successfully completed the business account creation, navigate to the admin portal of Azure. To open the admin portal click on this link. (Make sure that you log in using the username generated at step 1.)

Adding users to our Azure Active Directory

1. An Azure Active Directory will already have been created for you.

2. Now we are going to add some users to it. If you click on the Active Directory option in the left panel, you can see that one user has already been created: this is the user you registered with. Let’s create a couple more users in the same way.

3. Select the Users option from the left panel, then select the option to add a new user. When creating the users, make sure to use the same domain which you registered your account with. E.g. my account domain is sheni123.onmicrosoft.com, so my users need to have a format such as username@sheni123.onmicrosoft.com. Refer to the image below.

** Make sure you copy down the default password which has been set for each user. At the initial login the user will be asked to reset his/her password, so having this value is important.

4. After you have registered a couple of users, let’s configure the Azure AD to act as a SAML based Identity Provider for our federated authentication scenario. In this configuration we will set it up to work against the WSO2 Identity Server.

Configuring Azure to act as a SAML based Identity Provider for Web SSO

1. In order to create a Single Sign On application in Azure you need to have a premium Azure account. Since we are using the trial account, let’s enable a free premium trial by going to this link. Once you have enabled the free premium trial we can proceed to the next step.

2. Let’s create the application on Azure. You can also use this documentation as a guide to create this application. Select the “Enterprise Applications” option from the left menu and select the “Add Application” option. Then select “Non Gallery Application” from the applications listed on the screen.

3. Once you add this application you will be prompted with some options. Make sure to select the “Configure Single Sign On Required” option from the list.

4. Next select the single sign on mode as “SAML based single sign on”.

5. Let’s now configure the application to communicate with the Identity Server during the SAML based federation. Add the following values under the “Domain and URLs” section.

Identifier : wso2is.550

Reply URL : https://localhost:9445/commonauth (The port 9445 here must be the HTTPS port of the WSO2 Identity Server. In my setup I am running with port offset 2.)

Sign on URL : https://localhost:9445/samlsso

Your configuration for this application should look like the one below.

6. Configuring the AD user claims: let’s configure the claims which will be passed in the SAML response to the Identity Server during the federation. Refer to the diagram below to configure the claims.

** Make sure that you have an attribute which carries the user’s assigned roles. In my attribute list it is the “memberOf” attribute. Adding this is very important since we will be using this attribute to carry out the role mappings when configuring the Identity Provider on the WSO2 Identity Server side.

After you have completed this, save your changes. We will come back to this application during the Identity Server configuration later, as we need some generated configuration values from it.

Adding custom roles

Before we proceed to adding users to our application, let’s create some new application roles for these users. Follow this Microsoft documentation on how to create custom roles. Make sure you use the same credentials which you used for all these configurations when logging into the Graph Explorer as well.

Create the following roles.

  • Creator
  • AdminUser
  • Publisher
  • Subscriber

After you have added the above custom roles following this guide, you can proceed to the next step, where we will assign these roles to our users residing in the Active Directory.
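To make concrete what the service provider side does with the values configured above (the “Domain and URLs” Identifier and Reply URL, and the “memberOf” claim carrying the custom app roles), here is an added illustration in Python. It is not WSO2’s or Azure’s code; the sample response is constructed and unsigned, and the WSO2 role names in ROLE_MAP are an assumption for the mapping that part 2 configures.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values entered under "Domain and URLs" in the Azure application (from the post).
EXPECTED_AUDIENCE = "wso2is.550"
EXPECTED_ACS_URL = "https://localhost:9445/commonauth"

# Assumed mapping from the custom Azure app roles to WSO2 roles (names are an assumption).
ROLE_MAP = {"AdminUser": "admin", "Creator": "Internal/creator",
            "Publisher": "Internal/publisher", "Subscriber": "Internal/subscriber"}

# Constructed, unsigned sample response. A real one carries an XML signature that must
# be verified against the Azure signing certificate before any value below is trusted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://localhost:9445/commonauth">
  <saml:Assertion>
    <saml:Subject><saml:NameID>user1@sheni123.onmicrosoft.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>wso2is.550</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>AdminUser</saml:AttributeValue>
        <saml:AttributeValue>Subscriber</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def validate_and_map(response_xml):
    """Return (subject, sorted WSO2 roles); raise ValueError if the response is not for us."""
    root = ET.fromstring(response_xml)
    # Destination must equal the Reply URL, otherwise a response issued for another
    # service provider would be accepted here.
    if root.get("Destination") != EXPECTED_ACS_URL:
        raise ValueError("Destination does not match the configured Reply URL")
    # Audience must contain the Identifier given to Azure for this application.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("Audience does not match the configured Identifier")
    subject = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    # memberOf carries the app roles assigned in Azure; unmapped roles are dropped.
    member_of = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='memberOf']/saml:AttributeValue", NS)]
    roles = sorted({ROLE_MAP[r] for r in member_of if r in ROLE_MAP})
    return subject, roles
```

A user assigned only a role that is not in the map ends up with no WSO2 roles, which is the safe default before the mapping in part 2 is completed.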

Adding Users to your gallery application

In this step we will assign users from our Active Directory to our Azure application. Unless users are assigned to this application they will not be able to log in using federation.

1. Select the gallery application which you just created and select “Users and Groups”.

2. Select “Add User”.

3. Select any user and assign the role “AdminUser” to it. Refer to the images below on how you can achieve that.

Now we have completed the configurations needed for the federation on the Microsoft Azure side. In my next post I will explain how Single Sign On using federation can be configured on the API Manager and the Identity Server.

Go to this link for the next part of this post to see this in action.

References

[1] https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

[2] https://docs.microsoft.com/en-us/windows/uwp/publish/add-users-groups-and-azure-ad-applications

[3] https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enterprise-app-role-management

[4] https://docs.wso2.com/display/IS550/Identity+Federation

[5] https://medium.com/@shenavi21/connect-users-in-azure-cloud-active-directory-with-wso2-api-manager-part-2-5054a51363ac
