Enabling SAML SSO for WSO2 APIM-3.2 Management Console

Inuri Galhena
Jul 12, 2021

A sample tutorial on enabling SAML SSO for the APIM Management Console.

Hello Everyone!

As you already know if you read the title, this tutorial is all about configuring SAML-based SSO for the WSO2 APIM management console, using WSO2 Identity Server as the identity provider. Even though APIM 3.2.0 provides SSO for APIM products such as the developer, publisher and admin portals, SSO is not available for the management console out of the box.

However, it is very easy to enable SSO for the management console as well.

Disclaimer: Even though it is possible to enable SSO for the APIM management console, it is not recommended to do so, since this could result in security vulnerabilities. However, if the need arises and you have to enable SSO for the APIM management console, keep reading.

👐 Let’s get started!

In this tutorial I will be using APIM 3.2.0 with WSO2 IS 5.10.0.

APIM is running with an offset of 1 in order to avoid port conflicts. You can enable the port offset by navigating to the deployment.toml file located in the <APIM>/repository/config directory and setting the offset parameter to 1.

✋ Let's first configure our service provider in WSO2 IS.

Navigate to the Carbon console of the Identity Server (https://localhost:9443/carbon/admin/login.jsp), log in, and add a new service provider. Give the provider a name and register it.

Navigate to the Inbound Authentication Configuration section and edit the SAML SSO configurations.

Edit the configurations as below:

Issuer * : apim (Enter the previously provided provider name)

Assertion Consumer URLs * : https://localhost:9444/commonauth (Change the port according to your offset)

Response Signing Algorithm: rsa-sha256

Enable Response Signing

Enable Signature Validation in Authentication Requests and Logout Requests

Enable Single Logout

Your configurations should look like this: [screenshot of the SAML SSO configuration]

Update the service provider once you have added the above configurations.

Next, let's configure the IS as the IdP from the APIM side.

Navigate to the deployment.toml file of the APIM located in <APIM>/repository/config directory and add the below configurations:

[admin_console.authenticator]
saml_sso_authenticator.enable = true
saml_sso_authenticator.config.ServiceProviderID = "apim"
saml_sso_authenticator.config.IdentityProviderSSOServiceURL="https://localhost:9443/samlsso"
saml_sso_authenticator.config.AssertionConsumerServiceURL = "https://localhost:9444/acs"
saml_sso_authenticator.response_signature_validation_enabled = true
saml_sso_authenticator.assertion_signature_validation_enabled = false

Edit the above configurations to match the configurations in the IS Service provider and save.

Please restart the APIM server after making the above alterations.

Voila!!! 🎉

Now you can try logging into the APIM Management console and you will be redirected to the SSO Login page of the WSO2 IS.
