# WSO2 Identity Server as IDP for OIDC-SSO
To set up the IDP you need a running instance of WSO2 Identity Server with a configurable realm.
# Preamble
The Enterprise Edition (EE) server and client support the OIDC protocol that allows you to configure an external service as IDP (identity provider) for SSO (single sign on). This guide here will explain how to configure WSO2 Identity Server as OIDC-IDP for SSO. We assume that:
- your WSO2 Identity Server instance is running on https://wso2.example.com,
- your webclient can be accessed on https://psono.example.com
- the server is reachable at https://psono.example.com/server (e.g. https://psono.example.com/server/info/ shows you some nice json output).
This is your first OIDC provider that you want to configure (therefore we give it the ID "1").
TIP
This feature is only available in the Enterprise Edition.
# WSO2 Identity Server
Navigate to Service Providers and click on
Add.Enter a nice name and description
Configure claims as shown below
Configure OpenID Connect
Adjust config
Enter
https://psono.example.com/server/oidc/1/callback/as your callback url. Adjust the domain according to your setup.
Copy
OAuth Client KeyandOAuth Client SecretWe will need these two parameters later.
# Server (settings.yaml)
After setting up the IDP for the OIDC-Authentication it is time to configure your running Psono server to act as the SP. It is required that Psono can reach WSO2 Identity Server and vise versa.
Edit the settings.yml like so:
# Make sure the 'OIDC'-entry is present in the following list
AUTHENTICATION_METHODS: ['OIDC']
OIDC_CONFIGURATIONS:
1:
OIDC_RP_SIGN_ALGO: 'RS256'
OIDC_RP_CLIENT_ID: '9ydFzCGsjR5_fkaWuBij3S8OfWga'
OIDC_RP_CLIENT_SECRET: 'Z_1hBkB7QCU71XiPhfcI7bzTCksa'
OIDC_USERNAME_ATTRIBUTE: 'sub'
OIDC_OP_JWKS_ENDPOINT: 'https://wso2.example.com/oauth2/jwks'
OIDC_OP_AUTHORIZATION_ENDPOINT: 'https://wso2.example.com/oauth2/authorize'
OIDC_OP_TOKEN_ENDPOINT: 'https://wso2.example.com/oauth2/token'
OIDC_OP_USER_ENDPOINT: 'https://wso2.example.com/oauth2/userinfo?schema=openid'
AUTOPROVISION_PSONO_GROUP: false
AUTOPROVISION_PSONO_FOLDER: false
- Replace
OIDC_RP_CLIENT_IDandOIDC_RP_CLIENT_SECRETwith the Client key and secret - Replace the domain of all
OIDC_OP_...-parameters to match your domain - Change
AUTOPROVISION_PSONO_GROUPparameter and set it to true, if you want that Psono automatically creates a corresponding Psono group for any new OIDC group and an appropriate group mapping. - Change
AUTOPROVISION_PSONO_FOLDERparameter and set it to true, if you want that Psono automatically creates a folder with the same name as the group and shares it with the automatically created Psono Group. (RequiresAUTOPROVISION_PSONO_GROUPto be set to true to have any effect.)
TIP
Always restart the server after making changes in the setting.yml-file.
# Client (config.json)
Now you have to configure your client, so your users can use this configured IDP.
Basic
Update your config.json similar to the one shown below.
{ ... "authentication_methods": ["OIDC"], "oidc_provider": [{ "title": "OIDC Login", "provider_id": 1, "button_name": "Login " }] ... }The variable authentication_methods restricts the allowed login methods. In the example above only OIDC will be allowed and the normal login "hidden". The title and button_name can be adjusted however you like. The
provider_idneeds to match the one that you used on your server.(optional) Automatic login
You may want to "automatically" click on the login button to initiate the login flow. You can accomplish this by modifying the config.json as shown below:
{ ... "authentication_methods": ["OIDC"], "auto_login": true, ... }WARNING
This will only work if you have just one provider configured with only one authentication method. Users won't be able to modify the server url nor choose to register or interact with the login form in any other way.