SAML SSO — WSO2 API Manager and KeyCloak — Part 01

Single sign-on is one of the most used features in day-to-day life. Knowingly or unknowingly, while you are checking your Gmail in the browser, if you open another tab for YouTube you'll be signed on to YouTube with the same Google account you are using to access Gmail.

When you are using the WSO2 API Manager, it is better if you can use the same feature for accessing the WSO2 API Manager Publisher or Store pages. There are already articles and documents on how to configure single sign-on (SSO) for WSO2 API Manager, such as the ones below.

However, most of those samples are based on using WSO2 Identity Server for the SSO configuration. In this story we are NOT going to use WSO2 Identity Server. Instead, we use Keycloak as the identity provider for the SSO configuration.

You may have already come across the following article from one of my teammates on configuring SSO with Keycloak for WSO2 API manager.

If you check closely, the client protocol used in the above article is OpenID Connect. Here I have followed the same path, but I am using SAML as the client protocol for this story.

For the samples I am using the latest Keycloak version at the time of writing, 8.0.1 (standalone server distribution), and API Manager 2.6.0 with the latest WUM updates applied.

Let's start with Keycloak by navigating to its bin directory and starting the standalone server.

Once it is started, you'll be able to access the Keycloak management console with the URL

You can see that there are no users, as we just started the server. Now you can create a user for accessing the administration console. Here I am creating a user called admin with the password admin. Once created, you'll be navigated to the following page. Then click on the Administration Console link.

Then you'll be navigated to the following page.

Once you provide the previously created credentials, you'll be logged in to the console as below.

By default, you'll be directed to the master realm, and you can add other realms if you need them. Our next step is to add a client, so click on Clients in the left menu.

You can see there are multiple clients by default.

Now we need to create a new client for configuring SSO for WSO2 API Manager. To get the required information, it is better to open the Publisher's site.json file of the WSO2 API Manager in another terminal.

Once you open it, you can see the following information in it.

To create the client on the Keycloak side, we use the issuer from site.json (API_PUBLISHER by default) as the Client ID, set the Client Protocol to saml, and set the Client SAML Endpoint field to the Assertion Consumer URL of the Publisher, which is https://localhost:9443/publisher/jagg/jaggery_acs.jag, as listed in point 5 of the document below.

Once it is created, it will look like below.

As we are not dealing with certificate exchanges at the moment, let's turn off the Client Signature Required field as below. Note that this makes Keycloak accept unsigned AuthnRequests for this client; it is acceptable for a local walkthrough, but in a real deployment keep it on and upload the API Manager signing certificate instead.

Now, let's move to the API Manager side. In the Publisher's site.json file that we opened earlier, we need to edit the following fields.

Under the SSOConfiguration block, we have to change the values as below.

  1. enable → true
  2. identityProviderURL → http://idp.keycloak.com:8080/auth/realms/master/protocol/saml
  3. responseSigningEnabled → false
  4. assertionSigningEnabled → false
  5. idpInitSSOURL → http://idp.keycloak.com:8443/auth/realms/wso2Publisher/protocol/saml?spEntityID=API_PUBLISHER

Once changed, they look like below. Two caveats: responseSigningEnabled and assertionSigningEnabled are set to false only because we skipped the certificate exchange, which means the Publisher will accept a SAML Response that nobody has signed, so turn them back on once the Keycloak realm certificate is imported into the API Manager trust store. Also, idpInitSSOURL is only used for IdP-initiated login, which this walkthrough does not exercise; for it to work it has to point at the same Keycloak host, port and realm as identityProviderURL.

If you have noticed, I have used idp.keycloak.com as the hostname. To get it working, make sure you add an entry to the /etc/hosts file that maps idp.keycloak.com to the machine running Keycloak (127.0.0.1 if it runs locally).
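To make the Keycloak client settings and the site.json values above concrete, here is an added example (not code from the original post or from WSO2) that models the SP side of the exchange the Publisher performs: it lints the SSOConfiguration values from the post, builds the SP-initiated AuthnRequest with the HTTP-Redirect binding, and validates a constructed, unsigned SAML Response the way an ACS must before trusting the NameID. It assumes the Keycloak SAML entityID is the realm URL (identityProviderURL without the trailing /protocol/saml) and uses the ACS URL given in the post. The signature step is a presence check only, standing in for the XML-DSig verification the post postpones; the point it demonstrates is that with both signing flags set to false an unsigned Response naming "admin" is accepted, while the hardened values reject it.

```python
"""Added example: SP-side SAML checks for the WSO2 Publisher <-> Keycloak setup in the post."""
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://localhost:9443/publisher/jagg/jaggery_acs.jag"  # Publisher ACS from the post

# SSOConfiguration values exactly as the post sets them in the Publisher site.json.
PAGE_CONFIG = {
    "enable": True,
    "issuer": "API_PUBLISHER",
    "identityProviderURL": "http://idp.keycloak.com:8080/auth/realms/master/protocol/saml",
    "responseSigningEnabled": False,
    "assertionSigningEnabled": False,
    "idpInitSSOURL": "http://idp.keycloak.com:8443/auth/realms/wso2Publisher/protocol/saml?spEntityID=API_PUBLISHER",
}
# Same block with signature verification turned back on (what production should use).
HARDENED_CONFIG = dict(PAGE_CONFIG, responseSigningEnabled=True, assertionSigningEnabled=True)


def _realm(url):
    m = re.search(r"/realms/([^/]+)/", urlparse(url).path)
    return m.group(1) if m else None


def _idp_entity_id(cfg):
    # Assumption: Keycloak's SAML IdP entityID is the realm URL, i.e. identityProviderURL minus /protocol/saml.
    return cfg["identityProviderURL"].rsplit("/protocol/saml", 1)[0]


def lint_sso_config(cfg):
    """Findings a reviewer would raise about an SSOConfiguration block."""
    findings = []
    idp, init = urlparse(cfg["identityProviderURL"]), urlparse(cfg["idpInitSSOURL"])
    if (idp.scheme, idp.netloc) != (init.scheme, init.netloc):
        findings.append("idpInitSSOURL host/port differs from identityProviderURL")
    if _realm(cfg["identityProviderURL"]) != _realm(cfg["idpInitSSOURL"]):
        findings.append("idpInitSSOURL realm differs from identityProviderURL")
    if not cfg["responseSigningEnabled"] and not cfg["assertionSigningEnabled"]:
        findings.append("no signature verification: anyone can forge a login Response")
    if idp.scheme != "https":
        findings.append("identityProviderURL is plain http")
    return findings


def build_authn_request(cfg, request_id):
    """SP-initiated login: AuthnRequest via HTTP-Redirect binding (raw DEFLATE, base64, URL-encode)."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="2019-12-31T00:00:00Z" Destination="{cfg["identityProviderURL"]}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{cfg["issuer"]}</saml:Issuer></samlp:AuthnRequest>'
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    return cfg["identityProviderURL"] + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_request(url):
    """Inverse of the redirect binding, as the IdP sees it."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def forged_response(cfg, in_response_to, name_id="admin"):
    """Constructed sample: an unsigned Response anyone who knows the URLs could craft."""
    idp = _idp_entity_id(cfg)
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
        f'IssueInstant="2019-12-31T00:00:00Z" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
        f'<saml:Issuer>{idp}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-12-31T00:00:00Z"><saml:Issuer>{idp}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{cfg["issuer"]}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )


def validate_response(response_xml, cfg, expected_request_id):
    """The checks an ACS must make before trusting the NameID. Returns the NameID or raises ValueError."""
    root = ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != _idp_entity_id(cfg):
        raise ValueError("unexpected Issuer")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion")
    if assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != cfg["issuer"]:
        raise ValueError("Audience is not this SP")
    # Presence check only; a real ACS verifies the XML-DSig against the IdP certificate.
    # With both flags false (the post's setting) an unsigned Response passes straight through.
    if cfg["responseSigningEnabled"] and root.find("ds:Signature", NS) is None:
        raise ValueError("Response is not signed")
    if cfg["assertionSigningEnabled"] and assertion.find("ds:Signature", NS) is None:
        raise ValueError("Assertion is not signed")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    for finding in lint_sso_config(PAGE_CONFIG):
        print("finding:", finding)
    print("redirect:", build_authn_request(PAGE_CONFIG, "_req1")[:90], "...")
    resp = forged_response(PAGE_CONFIG, "_req1")
    print("post's settings accept NameID:", validate_response(resp, PAGE_CONFIG, "_req1"))
    try:
        validate_response(resp, HARDENED_CONFIG, "_req1")
    except ValueError as err:
        print("hardened settings reject:", err)
```

Run it as-is to see the lint findings for the values in the post (host/port and realm mismatch between the two IdP URLs, and no signature verification), then flip the two signing flags to see the same forged Response rejected. Real deployments also need the XML-DSig verification, a replay check on the Assertion ID, and NotBefore/NotOnOrAfter validation, none of which this sketch performs.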

Now you can start WSO2 API Manager 2.6.0. Once started, try to access the Publisher at https://localhost:9443/publisher with the URL

Once you access the above URL, you will be redirected to the following page.

Once you provide the default admin/admin credentials, you will be authenticated and redirected to the Publisher page as below.

We can do a similar configuration for the WSO2 API Store as well.

Are we done??

Nooooooooo…

You logged in successfully only because the default admin/admin user exists in API Manager as well: the SAML subject that Keycloak returns is mapped onto a local API Manager user of the same name, so a user that exists only in Keycloak would authenticate at the IdP but have no account or roles on the API Manager side. To get it working for all users, we have to share the user store and roles between Keycloak and WSO2 API Manager.

We'll show you that in Part 2 of this story.

Enjoy!!!!

Architect and Associate Director of WSO2 Inc, Leading the Customer Success team in USA region