Auth0 with WSO2 APIM + IS-KM

Dinali Rosemin Dabarera
6 min read · Feb 2, 2019

Auth0 is one of the leading authentication and authorization platforms available on the market. If you wish to integrate this identity provider with your WSO2 API marketplace, follow these instructions; they will make your life easier.

One thing to note is that Auth0 uses the email address as the username in its user management. It also has its own LDAP system to manage users. Hence, if you want to plug the Auth0 platform into your APIM marketplace, this is the best option to follow.

Step 1: Configure IS + KM setup with email as username enabled.

All the users live in Auth0, but to generate access tokens to call APIs we need to onboard those users on the WSO2 APIM side. To provision users from Auth0 to WSO2 APIM, we need a WSO2 APIM + IS_KM setup. Hence, this step is to configure the APIM + KM setup.

You can follow the Configuring WSO2 Identity Server as a Key Manager documentation to configure this IS_KM and APIM setup.

Next, before restarting the servers, enable the email-as-username feature in this APIM + IS_KM setup, because Auth0 supports only the email address as the username. You can follow the documentation [1] for this.

After configuring this you will encounter a data publishing issue; to resolve it, apply the fix available here.

Step 2: Start the servers APIM and IS_KM

  • Configure JAVA_HOME in your environment variables and add it to the Java classpath.
  • Go to the <Carbon-Home>/bin folder and, if you are running on a Windows machine, run: wso2server.bat run

More information: https://docs.wso2.com/display/IS570/Running+the+Product

Step 3: Configure SSO for store and publisher in APIM

Follow steps 1 to 3 in this doc to configure SSO for the Store and Publisher in WSO2 APIM, then restart APIM.

Step 4: Adding API_PUBLISHER and API_STORE as Service Providers

1. Configure API_PUBLISHER as service provider first.
2. Select Add under the Service Providers menu.

3. Give a service provider name and click Register.

4. In a multi-tenancy environment, for all tenants to be able to log in to the APIM web applications, do the following:

a) Click the SaaS Application option that appears after registering the service provider.

If not, only users in the current tenant domain (the one you are defining the service provider in) will be allowed to log in to the Web application and you have to register new service providers for all Web applications (API Store and API Publisher in this case) from each tenant space separately. For example, let’s say you have three tenants as TA, TB and TC and you register the service provider in TA only. If you tick the SaaS Application option, all users in TA, TB, TC tenant domains will be able to log in. Else, only users in TA will be able to log in.

b) Add the following inside the <SSOService> element in the <IS_HOME>/repository/conf/identity/identity.xml file and restart the server.

    <SSOService>
        <UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>
    </SSOService>

Otherwise, you get an exception because SAML response signature verification fails.

c) Because the servers in a multi-tenanted environment interact with all tenants, all nodes should share the same user store. Therefore, make sure you have a shared registry (JDBC mount, WSO2 Governance Registry etc.) instance across all nodes.

d) Next, navigate to the detailed configuration page. Inside the Inbound Authentication Configuration section, expand SAML2 Web SSO Configuration and click Configure.

e) To enable tenant-specific SSO with IS 5.7.0 for API_PUBLISHER and API_STORE, enable Use tenant domain in local subject identifier under the Local & Outbound Authentication Configuration section.

f) Provide the configurations to register the API Publisher as the SSO service provider. These sample values may change depending on your configuration.

  • Issuer: API_PUBLISHER
  • Assertion Consumer URL: https://localhost:9443/publisher/jagg/jaggery_acs.jag . Change the IP and port accordingly. This is the URL for the Assertion Consumer Services (ACS) page in your running publisher app.
  • Select the following options: Enable Response Signing, Enable Single Logout

g) Click Register once everything is done.


h) Similarly, provide the configurations to register the API Store as the SSO service provider. These sample values may change depending on your configuration.

  • Issuer: API_STORE
  • Assertion Consumer URL: https://localhost:9443/store/jagg/jaggery_acs.jag . Change the IP and port accordingly. This is the URL for the Assertion Consumer Services (ACS) page in your running Store app.
  • Select the following options: Enable Response Signing, Enable Single Logout
  • Click Register once done.

Make sure that the responseSigningEnabled element is set to true in both the following files:

<API-M_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json

<API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json
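As an added example (not code from the original post and not part of WSO2 itself), here is a small Python pre-flight check for the two configuration points in this step: it makes sure <UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto> is present inside <SSOService> in identity.xml, and that responseSigningEnabled is true in the Publisher and Store site.json files. The XML and JSON samples are constructed stand-ins for the real files, and the ssoConfiguration key under which site.json keeps responseSigningEnabled is an assumption. ElementTree drops XML comments when it re-serializes, so treat the rewritten XML as a proposal and review the diff before writing it back over a real identity.xml.

```python
import json
import xml.etree.ElementTree as ET

# Constructed stand-in for <IS_HOME>/repository/conf/identity/identity.xml (heavily trimmed).
SAMPLE_IDENTITY_XML = """<Server>
  <SSOService>
    <IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL>
  </SSOService>
</Server>"""

# Constructed stand-in for the jaggeryapps site.json files; only the SSO part is shown.
# The "ssoConfiguration" key name is assumed.
SAMPLE_SITE_JSON = """{
  "ssoConfiguration": {
    "enabled": "true",
    "issuer": "API_PUBLISHER",
    "responseSigningEnabled": "false"
  }
}"""

TARGET = "UseAuthenticatedUserDomainCrypto"


def _local(tag: str) -> str:
    """Strip any XML namespace so matching works whether or not the file declares one."""
    return tag.rsplit("}", 1)[-1]


def ensure_domain_crypto(xml_text: str) -> tuple[str, bool]:
    """Return (xml, changed). Adds or corrects <UseAuthenticatedUserDomainCrypto>true</...>
    inside <SSOService>. Raises if the file has no <SSOService> element."""
    root = ET.fromstring(xml_text)
    sso = next((e for e in root.iter() if _local(e.tag) == "SSOService"), None)
    if sso is None:
        raise ValueError("identity.xml has no <SSOService> element")
    ns = sso.tag[: -len("SSOService")]          # "{uri}" if namespaced, else ""
    if ns:
        ET.register_namespace("", ns[1:-1])     # keep the default namespace unprefixed on output
    node = next((c for c in sso if _local(c.tag) == TARGET), None)
    if node is not None and (node.text or "").strip().lower() == "true":
        return xml_text, False                  # already correct: leave the file untouched
    if node is None:
        node = ET.SubElement(sso, ns + TARGET)
    node.text = "true"
    return ET.tostring(root, encoding="unicode"), True


def _truthy(value) -> bool:
    """site.json stores booleans as strings ("true"), so accept both forms."""
    return value is True or str(value).strip().lower() == "true"


def response_signing_enabled(site_json_text: str) -> bool:
    """True if responseSigningEnabled is on; False if absent or set to anything else."""
    cfg = json.loads(site_json_text)
    return _truthy(cfg.get("ssoConfiguration", {}).get("responseSigningEnabled", "false"))


def preflight(identity_xml: str, publisher_site: str, store_site: str) -> list[str]:
    """Collect human-readable findings; an empty list means all three checks pass."""
    findings = []
    if ensure_domain_crypto(identity_xml)[1]:
        findings.append(f"identity.xml: <SSOService> is missing <{TARGET}>true</{TARGET}>")
    for name, text in (("publisher", publisher_site), ("store", store_site)):
        if not response_signing_enabled(text):
            findings.append(f"{name}/site/conf/site.json: responseSigningEnabled is not true")
    return findings


if __name__ == "__main__":
    for line in preflight(SAMPLE_IDENTITY_XML, SAMPLE_SITE_JSON, SAMPLE_SITE_JSON):
        print("FIX:", line)
    fixed, _ = ensure_domain_crypto(SAMPLE_IDENTITY_XML)
    print(fixed)
```

Run it against the three real files by reading them into strings; the findings list tells you which of the two SAML signature-related settings is still off before you restart the servers, which is cheaper than discovering it through a failed SAML response signature verification at login.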

Step 5: Configure Auth0 as an IDP in WSO2 IS_KM

  1. Create an IDP called Auth0 by clicking on Add in Identity Providers

2. Next, import the Auth0 certificate and leave the other fields as they are.

3. Next, configure the Federated Authenticators section with the OAuth2/OpenID Connect settings shown in the image. In Additional Query Parameters, add the following string: scope=openid email profile&prompt=login

4. Next, add the claim configuration shown below to map the email claim in the id_token to the emailaddress claim of IS-KM.

5. In order to log in to the Store and Publisher, the provisioned user must have the roles Internal/publisher, Internal/creator and Internal/subscriber. Hence, we need to map the roles coming in the id_token to these three roles in IS.

Note: Remember to configure the roles to be sent in the id_token issued by Auth0. Otherwise this mapping won't work.

6. Enable silent JIT provisioning.

7. Click Register. You will see that a new IDP called Auth0 has been added.

Step 6: Configure Auth0 as the Federated IDP in the configured SPs

  1. Edit the service providers (API_STORE, API_PUBLISHER) you created earlier and update the Local & Outbound Authentication Configuration so that the Federated Authenticator is Auth0, as shown in the image below.

2. Click Update.

After completing all these configurations you are ready to log in. You can now log in to the Store and Publisher via Auth0, and the Auth0 user will be created in the APIM + KM setup as well.

If your Auth0 does not send roles in the id_token, the user's first login will fail with an error page like the one below.

  • However, when you list users in the management console you should see that the Auth0 user is now available in IS_KM as well.
  • Next, assign the Internal/publisher, Internal/creator and Internal/subscriber roles to that user.
  • Now try to log in to the Publisher via Auth0 again; the user will be able to log in without issue.

The only way to resolve this issue is to grant publisher, store and creator permissions, including login permission, to the Internal/everyone role. Then the users who are provisioned into the APIM marketplace can access, create and publish APIs without any issue.
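The two failure points in the Auth0 side of this setup are both about what the id_token carries: the email claim that becomes the username (Step 5, item 4) and the roles that are mapped to Internal/publisher, Internal/creator and Internal/subscriber (Step 5, item 5), whose absence causes the first-login failure described above. As an added example (my own code, not from the post and not WSO2's or Auth0's implementation), the Python below verifies a constructed id_token and then reports which provisioning claims are missing, so an operator can tell from the token itself whether the IDP claim and role mapping will succeed. The issuer, client ID, role claim name and role values are all assumptions; Auth0 signs id_tokens with RS256 against the certificate imported in Step 5, item 2, while this example uses an HS256 demo secret purely so it runs with no key pair.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values, stand-ins for the real Auth0 tenant and the client registered there.
ISSUER = "https://example-tenant.auth0.com/"
CLIENT_ID = "constructed-client-id"
# Auth0 carries custom claims such as roles under a namespaced (URL-shaped) name set by
# the tenant's rule or action; this name is an assumption.
ROLE_CLAIM = "https://example.com/roles"
# Roles the post says a provisioned user needs, keyed by the (assumed) values Auth0 sends.
ROLE_MAP = {
    "publisher": "Internal/publisher",
    "creator": "Internal/creator",
    "subscriber": "Internal/subscriber",
}
DEMO_SECRET = b"constructed-demo-secret"  # HS256 key for this self-contained demo only


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sample_claims(with_roles: bool = True) -> dict:
    """Constructed id_token payload; with_roles=False reproduces the first-login failure."""
    claims = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "sub": "auth0|constructed-user-id",
        "email": "alice@example.com",
        "iat": int(time.time()),
        "exp": int(time.time()) + 300,
    }
    if with_roles:
        claims[ROLE_CLAIM] = ["publisher", "creator", "subscriber"]
    return claims


def make_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT for the demo (Auth0 itself uses RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, now=None) -> dict:
    """Check algorithm, signature, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def check_provisioning_claims(claims: dict) -> tuple[list[str], list[str]]:
    """Return (missing, mapped_roles). email is required because it becomes the username;
    an empty mapped_roles list is exactly the condition that breaks the first login."""
    missing = []
    if not claims.get("email"):
        missing.append("email")
    mapped = [ROLE_MAP[r] for r in claims.get(ROLE_CLAIM, []) if r in ROLE_MAP]
    if not mapped:
        missing.append(ROLE_CLAIM)
    return missing, mapped


if __name__ == "__main__":
    for with_roles in (True, False):
        token = make_id_token(sample_claims(with_roles), DEMO_SECRET)
        missing, roles = check_provisioning_claims(verify_id_token(token, DEMO_SECRET))
        print("roles in token:", with_roles, "| missing:", missing, "| mapped:", roles)
```

To use it against a real token, paste the id_token payload into check_provisioning_claims after your own RS256 verification, and adjust ROLE_CLAIM and ROLE_MAP to the claim name and values your Auth0 rule actually emits; an empty mapped list means the user will land in IS-KM without the three Internal roles, which is the state the bullets above describe.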

Hope you enjoyed reading this. Leave your comment below and clap for my blog post so that I can keep on testing and writing to make your life easier with WSO2 products.

Dinali Rosemin Dabarera

Integration Consultant (IAM) @ Yenlo Nederland B.V, specialized in WSO2 IAM, an Identity Evangelist, a blogger, a nature lover, a backpacker