SAML SSO — WSO2 API Manager and KeyCloak — Part 02

Shammi Jayasinghe
2 min read · Jun 30, 2021

I hope you already went through my previous story about the basic configuration for WSO2 API Manager with KeyCloak.

In that story, we configured it only for the admin user. Conveniently, that is also the default user in WSO2 API Manager. In a real-world deployment, however, the same user is not usually present in both Keycloak and WSO2 API Manager. How do we deal with those situations?

WSO2 API Manager ships with several components: API Publisher, API Store, API Gateway and Key Manager. When we configure Single Sign-On, we focus mainly on the API Publisher and API Store components. To log in to these web interfaces, a user needs one of the default roles that come with API Manager, or a custom role with the required permissions.

As shown below, if the user has the Internal/publisher role, he or she can log in to the Publisher with the correct credentials. In the same way, if the user has the Internal/subscriber role, he or she can log in to the Store with the correct credentials.

If the user has neither of the above roles, he or she needs a role that carries the required permissions. The full list of required permissions can be found in the following documentation.

So what happens when a user who exists in the user store tries to log in to the Publisher?

The user will be authenticated by Keycloak, but not authorized by API Manager, since no role grants access to the portal. As a result, the login fails.

Generally, where Just In Time (JIT) provisioning is available, it can be configured to provision the user into the local user store after authentication and assign the required roles.

WSO2 API Manager 2.6.0, however, does not have this JIT provisioning feature, so we cannot use it here.

So the only option we have is to share the same user store between API Manager and Keycloak.
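To make the "authenticated but not authorized" outcome concrete, here is an added Python simulation of the check API Manager performs after Keycloak has authenticated a SAML user; it is illustrative code written for this post, not WSO2's or Keycloak's implementation. The role names Internal/publisher and Internal/subscriber come from the text above; the users, the custom role name api-dev and its permission names (api_create, api_publish, api_subscribe, login) are constructed placeholders, and the JIT branch shows what provisioning would do on a product that supports it versus the 2.6.0 case where it is unavailable.

```python
# Added example (not from the original post): simulate the authorization step that
# API Manager applies after the IdP (Keycloak) has authenticated a SAML subject.
# Default role names are from the post; permission names and users are assumed.
from dataclasses import dataclass, field

# Default roles and the portal each one grants access to (from the post).
DEFAULT_PORTAL_ROLES = {
    "publisher": "Internal/publisher",
    "store": "Internal/subscriber",
}

# Placeholder permission sets a custom role would need per portal. These names
# are assumptions for illustration; the real list lives in the WSO2 documentation.
REQUIRED_PERMISSIONS = {
    "publisher": {"api_create", "api_publish", "login"},
    "store": {"api_subscribe", "login"},
}


@dataclass
class LocalUserStore:
    """API Manager's own user store: who exists locally and which roles they hold."""
    users: dict = field(default_factory=dict)            # username -> set of roles
    role_permissions: dict = field(default_factory=dict)  # custom role -> permissions

    def roles_of(self, username):
        # None means the user is unknown to the local store at all.
        return self.users.get(username)

    def permissions_of(self, username):
        perms = set()
        for role in self.users.get(username, set()):
            perms |= self.role_permissions.get(role, set())
        return perms


@dataclass
class LoginResult:
    authenticated: bool
    authorized: bool
    reason: str


def evaluate_login(saml_subject, idp_authenticated, portal, store):
    """Decide whether a SAML subject may enter a portal.

    Authentication is the IdP's decision; authorization is decided purely from
    the roles the subject holds in API Manager's local user store."""
    if not idp_authenticated:
        return LoginResult(False, False, "IdP rejected the credentials")
    roles = store.roles_of(saml_subject)
    if roles is None:
        return LoginResult(True, False, "user not present in the local user store")
    if DEFAULT_PORTAL_ROLES[portal] in roles:
        return LoginResult(True, True, f"has default role {DEFAULT_PORTAL_ROLES[portal]}")
    if REQUIRED_PERMISSIONS[portal] <= store.permissions_of(saml_subject):
        return LoginResult(True, True, "custom role grants the required permissions")
    return LoginResult(True, False, "authenticated but no role grants portal access")


def jit_provision(saml_subject, store, roles, jit_supported):
    """Create the subject in the local store with the given roles after IdP login.

    Returns False and leaves the store untouched when the product has no JIT
    provisioning (the API Manager 2.6.0 situation described in the post)."""
    if not jit_supported:
        return False
    store.users.setdefault(saml_subject, set()).update(roles)
    return True


def demo():
    """Run the scenarios from the post against a constructed local user store."""
    store = LocalUserStore(
        users={"admin": {"Internal/publisher", "Internal/subscriber"},
               "alice": {"Internal/subscriber"},
               "carol": {"api-dev"}},
        role_permissions={"api-dev": {"api_create", "api_publish", "login"}},
    )
    results = {}
    results["admin_publisher"] = evaluate_login("admin", True, "publisher", store)
    results["alice_publisher"] = evaluate_login("alice", True, "publisher", store)
    results["alice_store"] = evaluate_login("alice", True, "store", store)
    results["carol_publisher"] = evaluate_login("carol", True, "publisher", store)
    # bob exists only on the Keycloak side: authenticated, unknown to the local store.
    results["bob_store_before"] = evaluate_login("bob", True, "store", store)
    # Without JIT (2.6.0) nothing changes and the login keeps failing.
    jit_provision("bob", store, {"Internal/subscriber"}, jit_supported=False)
    results["bob_store_no_jit"] = evaluate_login("bob", True, "store", store)
    # With JIT the user is provisioned with the subscriber role and can log in.
    jit_provision("bob", store, {"Internal/subscriber"}, jit_supported=True)
    results["bob_store_jit"] = evaluate_login("bob", True, "store", store)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: authenticated={r.authenticated} authorized={r.authorized} ({r.reason})")
```

The point the simulation makes is that a successful SAML assertion only gets the user past the first gate; whether the Publisher or Store opens depends entirely on what API Manager's own user store says about that username, which is why sharing the user store (or JIT provisioning, where available) is what actually resolves the mismatch.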

However, the latest release of WSO2 API Manager has built-in support for configuring Keycloak.

Please refer to the API Manager 4.0.0 documentation for that: https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-keycloak-connector/


Shammi Jayasinghe

Architect and Associate Director at WSO2 Inc, leading the Customer Success team in the USA region