Using Asgardeo as an IdP¶
Follow the instructions below to use Asgardeo as the Identity Provider (IdP) to authenticate the APIs that belong to a specific Organization:
Step 1 - Create root Organization¶
Create an organization in Asgardeo.
Step 2 - Create a Sub-Organization.¶
Create a sub-organization in Asgardeo within the organization that you created.
Step 3 - Create a user¶
Create a user within the sub-organization that you created.
Step 4 - Create an application¶
- Create an application within the main organization that you created in Step 1.
- Click on the newly created application.
-
Click on the Info tab to view the IDP related configurations.
All the IDP related configurations are listed under Service Endpoints.
Step 5 - Add a new token issuer for the IDP¶
-
Access the endpoints that correspond to the application, which is available in the asgradeo portal.
-
Create two file named
idp-system-token-issuer.yaml
andidp-org-token-issuer.yaml
add the following content to it.Parameter Description issuer:
The IdP's issuer URL. jwksEndpoint:
The URL of the IdP's JSON Web Key Set (JWKS) endpoint. usernameClaim:
The claim in the IdP's token that represents the user's username. organizationClaim:
The claim in the IdP's token that represents the user's organization, This should always be orgId
.organization:
The organization of IDP. To invoke system APIs, this should be apk-system
. To invoke particular organizaiton's APIs, this should be organization claim value.apiVersion: dp.wso2.com/v1alpha1 kind: TokenIssuer metadata: name: auth0-idp-issuer spec: claimMappings: - localClaim: x-wso2-organization remoteClaim: org_id consumerKeyClaim: azp issuer: https://<asgardeo.domain>/ name: new-service-provider organization: apk-system scopesClaim: scope signatureValidation: jwks: url: "https://<asgardeo.domain>/.well-known/jwks" targetRef: group: gateway.networking.k8s.io kind: Gateway name: default
apiVersion: dp.wso2.com/v1alpha1 kind: TokenIssuer metadata: name: auth0-idp-issuer spec: claimMappings: - localClaim: x-wso2-organization remoteClaim: org_id consumerKeyClaim: azp issuer: https://<asgardeo.domain>/ name: new-service-provider organization: default scopesClaim: scope signatureValidation: jwks: url: "https://<asgardeo.domain>/.well-known/jwks" targetRef: group: gateway.networking.k8s.io kind: Gateway name: default
-
Run the following commands to add the token Issuers to APK.
kubectl apply -f idp-system-token-issuer.yaml
kubectl apply -f idp-org-token-issuer.yaml
Optional
If you need to configure the IdP as the primary IdP instead of adding multiple IdPs, execute the following steps as the 5th step.
Step 5 - Update the Helm Chart¶
- Follow the instructions outlined in Customize Configurations. These instructions will guide you through the process of acquiring the
values.yaml
file. Open thevalues.yaml
file. - Update the IDP related configurations in the
idp
section. -
Create a K8s Secret with retrieved
clientId
andclientSecret
from Step 4 with nameapk-idp-secret
.idp: issuer: "" jwksEndpoint: "" usernameClaim: "" organizationClaim: ""
organizationClaim
- This should always beorg_id
.- Update all other values based on the Service Endpoint details that you came across in Step 4.3.
Step 5.1 - Install WSO2 APK¶
helm install <helm-chart-name> .
helm install apk-test .
Step 6 - Generate an Access Token¶
- Open Postman and create a new request to generate the auth code token.
- Navigate to the Authorization tab of the request.
-
Make sure that the Token generation call has the same information that was entered in the Helm Chart in Step 5.
Auth URL
Access Token URL
Client ID
Client Secret
CallBack Url
Scopes - (rest API related scopes + openid)
-
Click Get New Access Token.
This redirects you to the Asgardeo Sign in page.
-
Click Sign in with Organization Login.
- Enter the name of the organization that you created in Step 1.
- Click Submit.
-
Enter the user credentials (email and password) of the user that you created in the sub-organization.
You will receive an access token when the token call is successful.
Step 7 - Invoke the APIs¶
Use the JWT token that you received in the previous step to invoke the System APIs and other APIs.