Allow federation login for WSO2 Identity Server Console application
Hi folks,
Today we are going to discuss how we can allow federated user login for the WSO2 Identity Server Console application. The Console application is the default application provided by WSO2 Identity Server to perform administrative tasks on an organization.
Let’s talk about the use case.
I have an organization called “Ministry of Health” and there are a few administrative personnel in this organization. I already have an entity where we maintain the user details, and that entity can behave as an Identity Provider as well. So now I am moving to WSO2 Identity Server: can I give my existing administrators permission on the Console application to perform the administrative tasks?
The answer is YES YOU CAN!!!
Let’s see what you need to do.
Since we already have an IDP with the administrators, we need to assign groups to them on the IDP side. Assume that I have two administrators: one (let’s say Alex) should have full access and the other (let’s say Bob) should only have user management related access. For this blog I am using Asgardeo as my IDP.
Now create an application on the IDP side to act as the connection for the authentication. In this application enable the code grant and add the Authorized redirect URL as https://localhost:9443/commonauth. Also, since we need the groups and the First Name and Last Name data, select those from the attributes tab.
The IDP is now configured properly. Let’s move to the configurations on the Identity Server side.
As the first task on the Identity Server side, we need a Connection to connect with the federated identity provider.
1. Start the Identity Server and log in to the Console using the default admin credentials (default username: admin, password: admin).
2. Go to Connections -> New Connection -> Select Standard-Based IdP.
3. Select OpenID Connect as the protocol and add the name of the connection.
4. Add the Client id, Client secret, Authorization endpoint URL and Token endpoint URL. These can be found in the application that we created on the IDP side.
5. If you need to validate the signed responses, add the JWKS or the Certificate of the IDP and click Finish.
6. Click on the Set up link on the created IDP, go to the Settings tab, add groups and profile as scopes and update. These will be requested from the IDP.
7. If you want to log out the federated user from the IDP as well, add the IDP’s logout URL to the Logout URL -> Update.
8. Go to the Just-in-time Provisioning tab -> Enable Just-in-time (JIT) User Provisioning -> Select Provision silently as the Provisioning scheme -> Update.
9. Go to the Groups tab -> New Group -> Add MOH_Administrator -> Create.
10. Repeat the previous step for the MOH_User_Administrator group.
The connection configuration part is done. Now let’s configure the Console application.
- In the Console application, go to Console Settings -> Login Flow -> Add Sign In Option (in the illustration of the login page) -> Select the IDP -> Click on Add -> Click on Update.
- Go to the Roles tab -> Click on the Administrator role -> Groups tab -> Select the MOH_Administrator group from the federated IDP, which resides in the External Groups section -> Click on Update.
- In the Roles tab you can create a role for the User Management part and add the MOH_User_Administrator IDP group to the created role.
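The security-relevant part of the setup above is that the Console trusts the federated IDP’s ID token (signature, issuer, audience, expiry; the JWKS/certificate step on the connection), and then the groups claim alone decides which Console role a JIT-provisioned user gets. The following is an added illustration of that chain, not code from WSO2 Identity Server or the blog: an HMAC-signed token stands in for the IDP’s signed token, the issuer, client id and the name of the custom user-management role are assumed values, and only explicitly mapped groups grant roles, so a token that claims MOH_Administrator but is signed with the wrong key, is expired, or carries an unmapped group yields no privilege.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (not from the blog or the product):
IDP_ISSUER = "https://idp.example.test/oauth2/token"  # assumed issuer of the federated IDP
CLIENT_ID = "console-federation-client"               # assumed client id of the IDP-side app
DEMO_SECRET = b"constructed-demo-secret"              # stands in for the IDP signing key (JWKS/cert)

# IDP group -> Console role, as configured in the Roles tab.
# "User Management" is a hypothetical name for the custom role created for Bob.
GROUP_ROLE_MAP = {
    "MOH_Administrator": "Administrator",
    "MOH_User_Administrator": "User Management",
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, secret=DEMO_SECRET):
    """Build a compact HS256 JWT; used only to construct sample IDP responses."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def sample_token(sub, first, last, groups, now, secret=DEMO_SECRET, ttl=600):
    """Constructed ID token for a user, shaped like what the IDP would return."""
    return make_id_token({
        "iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": sub,
        "given_name": first, "family_name": last,
        "groups": groups, "exp": now + ttl,
    }, secret)


def verify_id_token(token, secret=DEMO_SECRET, now=None):
    """Check signature, issuer, audience and expiry; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")          # claims are untrusted until this passes
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


def map_groups_to_roles(groups):
    """Only explicitly mapped IDP groups grant Console roles; anything else is ignored."""
    return sorted({GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP})


def jit_provision(token, now=None):
    """Silent JIT provisioning: verified claims -> local user record with Console roles."""
    claims = verify_id_token(token, now=now)
    groups = claims.get("groups", [])
    if isinstance(groups, str):          # some IDPs send a single group as a string
        groups = [groups]
    return {
        "username": claims["sub"],
        "first_name": claims.get("given_name", ""),
        "last_name": claims.get("family_name", ""),
        "roles": map_groups_to_roles(groups),
    }


if __name__ == "__main__":
    now = int(time.time())
    for user in (
        sample_token("alex", "Alex", "Perera", ["MOH_Administrator"], now),
        sample_token("bob", "Bob", "Silva", ["MOH_User_Administrator"], now),
        sample_token("carol", "Carol", "Fernando", ["MOH_Staff"], now),
    ):
        print(jit_provision(user, now=now))
    try:
        jit_provision(sample_token("mallory", "M", "X", ["MOH_Administrator"], now,
                                   secret=b"not-the-idp-key"), now=now)
    except ValueError as err:
        print("rejected:", err)
```

Running it prints Alex with the Administrator role, Bob with the user-management role, Carol with no roles at all, and a rejection for the token signed with the wrong key. The same shape applies to the real deployment: if signature validation on the connection is skipped (step 5 above), the group claim is the only thing standing between an attacker-crafted token and the Administrator role, so that step is not optional in production.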
Now the Console application configuration is also done. Let’s test the flow.
1. Invoke the Console application URL: https://localhost:9443/console.
2. Click on Sign In With Ministry of Health. You will be redirected to the configured IDP.
3. Alex now has full access to the Console application features, since Alex has the MOH_Administrator group, which is assigned to the Administrator role in the Console application.
4. Sign out from the Console application and again click on Sign In With Ministry of Health; you will be redirected to the login page of the IDP again. Now log in as Bob, and Bob has the User Management features enabled in the Console application.
Congratulations !!!!! You have successfully configured federated user login for the Console application in WSO2 Identity Server. Hope this helps you to explore more of WSO2 Identity Server.
See you on the next blog… See yaa …..