Login to WSO2 API Manager with Azure Cloud Active Directory — Part 2

Shenavi de Mel
7 min read · Jul 12, 2018

Let’s recap the scenario we are trying to achieve by referring to the diagram below again.

After following this post you will be able to see the flow described in the diagram above in action.

Prerequisites

Make sure you have completed all the steps in my previous post, which covers the scenarios below [1].

Requirements for this tutorial:

a) An Azure AD subscription on the Azure Cloud [2]

b) An Active Directory SaaS app which has been registered and configured for SAML-based SSO [3]

c) Users who have been added to the SaaS application and assigned the required application roles [4]

Assuming that you have followed the steps in my post [1], or that you already have the requirements for this tutorial in place, let’s move on to the configuration of the WSO2 Identity Server and the WSO2 API Manager.

Setting up the Servers

1. Download the WSO2 API Manager [5] and the WSO2 Identity Server [6] from the http://wso2.com site.

2. Once you have downloaded the two servers, extract them. I will refer to the extracted API Manager folder as APIM_HOME and the extracted Identity Server folder as IS_HOME.

3. Open IS_HOME/repository/conf/carbon.xml and set the value inside the “Offset” XML tag to 2. The Identity Server will then run on HTTPS port 9445 (the default 9443 plus the offset), so it does not clash with the API Manager.

4. Enable the email username for both the Identity Server and the API Manager by following the steps in this documentation [8].

5. Follow the steps in this documentation [7] to configure SSO for the API Manager Publisher and Store applications, and to share the internal user stores and registries between the two products.

6. Once you have completed these configurations, start up the servers and verify that single sign-on works. In this step we verify only that the Store and Publisher SSO configurations have been set up correctly, using the Identity Server as the IdP.

In the next step we are going to use Azure Cloud AD as the IdP for SSO to these applications. Let’s go through how to configure Azure as a federated authenticator for the WSO2 API Manager Store and Publisher logins.

Configuring the Federated Authenticator for Azure AD

1. Before we configure the Identity Server we need to go back to the SSO application which we created in Azure to get some configuration parameters.

2. Log in to the Azure admin portal, select the option “Enterprise Applications” and select the application which you created before.

3. Navigate to the “Single Sign on” tab where you will be presented with the settings of your Azure SSO application.

4. Go to the highlighted option at the bottom of the screen and click on it.

5. You will be navigated to another interface similar to the one below. Note down the values mentioned in the below screen. Also make sure to download the Base64 encoded SAML signing certificate and save it somewhere in your machine (we need to upload this to Identity Server later).

6. Let’s configure this on the Identity Server. Log in as the admin user to the Identity Server Management Console at https://localhost:9445/carbon

7. In the left menu select “Add” under “Identity Providers”.

8. Provide a unique name for your Identity Provider and upload the certificate which you downloaded from Azure under “Identity Provider Public Certificate”. Once this has been done the UI will look something like the screenshot below.

9. Next expand the federated authenticators section, select the “SAML2 Web SSO Configuration” option and provide the following properties, which correspond to the application you created on Azure.

  • Service Provider Entity Id : wso2is.550
  • NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

For the property “Identity Provider Entity Id” you need to provide the value “SAML Entity ID” from step 5.

For the property “SSO URL” you need to provide the value “SAML Single Sign-On Service URL” from step 5.

For the property “Logout URL” you need to provide the value “Sign Out URL” from step 5.

Now the configurations should look like below. Make sure you enter the corresponding values you received during your application registration with Azure.

Save the configuration. Now we have configured the federated IDP for Azure Active Directory successfully.

Claim Mappings and User Provisioning for Azure AD Federated Authenticator

  1. Under the Identity provider which we were configuring expand the “Just-In-Time provisioning” tab and select the option “Always provision to User Store Domain”.
  2. Next expand the “Claim Configuration” tab and then expand the “Basic Claim Configuration” tab.

If you remember, we configured some claims when we were setting up the application on the Azure end. Let me refresh your memory with this image.

Here we will be mapping these claims on Azure AD onto the claims available in the WSO2 products in order to provision the attributes of these users logging in through Azure AD.

Refer to the mapping below between the Azure AD claims and the WSO2 Identity claims. The mapping is in the format “AD Claim:WSO2 Identity Claim”. Likewise, you can map any claim which you set on the Azure AD end to a claim in the local user store following the same pattern.

After the claim mapping configuration has been completed, this is what the claim config should look like. Make sure to select the subject claim and the role claim appropriately. In my sample I have set the subject claim as the “name” and the role claim as “memberOf”.

Next we need to do the role mappings.

Expand the “Role Configuration” tab under the Identity Provider configuration and provide the role mappings as shown in the image below. If you remember, we created a couple of custom roles in the Azure AD application and assigned our AD users to them. We need to map these roles onto the roles of the API Manager for the SSO. For more information on the roles and access levels in API Manager you can refer to this post [9].
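To make the claim mapping and role mapping above concrete, here is an added Python model (not code from this post or from WSO2) of what the Identity Server does with an Azure AD assertion once the federated authenticator from step 9 and the mappings in this section are configured: it checks the Issuer, Audience and NameID format against the configured values, maps Azure claims onto WSO2 local claims, and maps Azure app roles onto API Manager roles. The Azure entity ID and tenant ID are placeholders, the claim URIs on both sides and the role names other than AdminUser are assumptions, and the XML signature check the real server performs with the uploaded Azure certificate is not modelled.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# IdP settings as entered in the "SAML2 Web SSO Configuration" step.
# IDP_ENTITY_ID is a placeholder for the "SAML Entity ID" shown in the Azure
# portal (step 5); the other two are the values the post gives in step 9.
IDP_ENTITY_ID = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
SP_ENTITY_ID = "wso2is.550"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Claim mapping in the post's "AD Claim:WSO2 Identity Claim" form. Assumed:
# the left-hand names are Azure AD's default claim URIs plus the custom
# "memberOf" role claim the post mentions; the right-hand side are WSO2
# local claim URIs.
CLAIM_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "http://wso2.org/claims/username",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "http://wso2.org/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "http://wso2.org/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "http://wso2.org/claims/lastname",
    "memberOf": "http://wso2.org/claims/role",
}
# Subject claim "name" and role claim "memberOf", as chosen in the post.
SUBJECT_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "memberOf"

# Role mapping "Azure app role -> API Manager role". AdminUser is the role the
# post assigns to its test user; the other two names are constructed here.
ROLE_MAP = {
    "AdminUser": "admin",
    "ApiPublisher": "Internal/publisher",
    "ApiSubscriber": "Internal/subscriber",
}


def validate_assertion(assertion):
    """Reject assertions that do not match the configured IdP/SP identity.

    Issuer must be the Azure entity ID, the Audience must be our SP entity
    ID, and the NameID format must be the configured one. (The real server
    also verifies the XML signature with the uploaded certificate.)
    """
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise ValueError(f"unexpected Issuer: {issuer!r}")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        raise ValueError(f"assertion not intended for this SP: {audience!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        raise ValueError("missing NameID or wrong NameID format")


def extract_attributes(assertion):
    """Return {attribute name: [values]} from the AttributeStatement."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def map_roles(idp_roles):
    """Split IdP roles into mapped local roles and roles with no mapping."""
    mapped = [ROLE_MAP[r] for r in idp_roles if r in ROLE_MAP]
    unmapped = [r for r in idp_roles if r not in ROLE_MAP]
    return mapped, unmapped


def provision_user(assertion_xml):
    """Validate the assertion and build the JIT-provisioned local user."""
    assertion = ET.fromstring(assertion_xml)
    validate_assertion(assertion)
    attrs = extract_attributes(assertion)
    # Only mapped claims reach the local user store; unmapped ones are dropped.
    claims = {CLAIM_MAP[n]: v[0] for n, v in attrs.items() if n in CLAIM_MAP and n != ROLE_CLAIM}
    roles, unmapped = map_roles(attrs.get(ROLE_CLAIM, []))
    return {
        "username": attrs.get(SUBJECT_CLAIM, [None])[0],
        "claims": claims,
        "roles": roles,
        "unmapped_roles": unmapped,
    }


def is_accepted(assertion_xml):
    """True when the assertion passes validation, False otherwise."""
    try:
        provision_user(assertion_xml)
        return True
    except ValueError:
        return False


# Constructed sample of what Azure AD would send for a user holding the
# AdminUser app role (unsigned and trimmed for readability).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0" IssueInstant="2018-07-12T00:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID Format="{NAMEID_FORMAT}">alice@example.onmicrosoft.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>alice@example.onmicrosoft.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><saml:AttributeValue>TENANT-ID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>AdminUser</saml:AttributeValue><saml:AttributeValue>Guest</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(provision_user(SAMPLE_ASSERTION))
```

Running the block prints the provisioned user for the constructed assertion: the username comes from the “name” subject claim, the tenant ID claim is dropped because it has no mapping, “AdminUser” becomes the API Manager “admin” role and the unmapped “Guest” role is reported separately. The `is_accepted` helper shows that an assertion whose Issuer or Audience does not match the configured entity IDs is rejected, which is why the “Identity Provider Entity Id” and “Service Provider Entity Id” values must match exactly between the Azure portal and the Identity Server.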

After you have completed all these steps, the IdP for the federation with Azure AD SSO is registered.

Configuring the Publisher and Store apps to use the Azure AD federated login

In this step we will modify the two Service Providers which we created under the section “Setting up the Servers” for the API Store and API Publisher.

1. List the created Service Providers by navigating to the “Service Providers” section in the left panel of the Management Console. Select the Service Provider registered for the API Store and edit it.

2. Expand “Local & Outbound Authentication Configuration” and select the option “Federated Authentication”.

3. In the drop-down list in front of the Federated Authentication option, select the Azure AD federated authenticator which we just created and update the configuration.

4. Follow the same steps for the Publisher’s Service Provider as well. Now when we try to log in to the Store or Publisher applications, we should be prompted with the Microsoft Azure login screen.

Testing the Solution

1. Navigate to the API Store using the URL https://localhost:9443/store/?tenant=carbon.super and select Sign In.

2. You will be presented with the Microsoft login prompt. Enter the email of a user which you previously added to Azure AD. (Make sure you have assigned the required role on the Azure end for this user. I have assigned the AdminUser role to this user in Azure AD.)

If this is the first time you are logging in, it will prompt you to reset your password as well. Once you have completed the login through Azure AD you will be signed in to the Store portal via SSO and your Azure username will be set.

That concludes the setup. I hope you have been able to successfully federate users in Azure Cloud AD to log in to the WSO2 API Manager using SSO with the SAML protocol.

If you face any issues or need help with the configuration or setup please feel free to drop a comment.

References

[1] https://medium.com/@shenavi21/connect-users-in-azure-cloud-active-directory-with-wso2-api-manager-part-1-569425460c1

[2] https://products.office.com/en-us/compare-all-microsoft-office-products?tab=2

[3] https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

[4] https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enterprise-app-role-management

[5] https://wso2.com/api-management/install/download/?type=downloader

[6] https://wso2.com/identity-and-access-management/install/download/?type=downloader

[7] https://docs.wso2.com/display/AM220/Configuring+Identity+Server+as+IDP+for+SSO

[8] https://docs.wso2.com/display/IS550/Using+Email+Address+as+the+Username

[9] https://docs.wso2.com/display/AM210/Role-based+Permissions

Shenavi de Mel

Lead Solutions Engineer at WSO2 | Loves coding | Loves writing