How to Integrate Salesforce as the Identity Provider of WSO2 API Manager for Single Sign-On


WSO2 API Manager is an open-source, enterprise-class solution for API management. API developers and subscribers interact with API Manager through three web applications: publisher, store, and admin. In this tutorial, I will show you a quick example of how you can use Salesforce as the identity provider to access the API Cloud web applications. You can follow the same steps to configure a Salesforce IdP with an on-premise API Manager + Identity Server deployment.

WSO2 API Cloud is a publicly hosted version of WSO2 API Manager. Identity Cloud is the default identity provider of the WSO2 API Cloud publisher, admin, and store applications. Your organization may already have set up Salesforce for sales and marketing requirements and want to allow its users to access API Manager. In such cases, you can configure Salesforce as an external identity provider in WSO2 Cloud and let those users access the API Cloud applications through single sign-on.

The following diagram depicts the authentication flow:


  1. The user visits an API Manager application.
  2. The application sends a SAML authentication request to the Identity Server.
  3. The Identity Server is configured to forward the authentication request to the Salesforce IdP.
  4. Salesforce prompts the user with its login window and the user submits their credentials.
  5. Salesforce sends an authentication success response (a SAML response carrying the user's role attribute) back to the Identity Server.
  6. The Identity Server sends its own SAML response to the API Manager application that started the flow. Before sending it, the Identity Server stores (provisions) the authenticated user, together with the roles derived from the Salesforce response, in an internal user store. The API Manager applications consult this user store for authorization.

Salesforce Configurations

Step 1 — Setup Salesforce Identity Provider

  1. First, set up Salesforce as an identity provider by following the official Salesforce documentation.
  2. After enabling Salesforce as an identity provider, download its signing certificate. For this tutorial, I used the default self-signed certificate that Salesforce generates.

Step 2 — Define a Connected App for WSO2 Identity Server in Salesforce Identity Provider

  1. Go to Setup, search for "App Manager", and select it.
  2. Select "New Connected App".
  3. Check "Enable SAML" under "Web App Settings", configure the connected app with the details below, and save.

SAML Service Provider Settings:

  • Entity Id: wso2is
  • Subject Type: Username
  • ACS URL: https://identity.cloud.wso2.com/commonauth (if you are configuring this for an on-premise deployment, use your Identity Server's hostname here, i.e. https://<identity_host>/commonauth)
  • Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • IdP Certificate: select the self-signed certificate from the drop-down
  • Issuer: the domain configured in Step 1 (e.g. https://chalitha-sample.my.salesforce.com)

Now you have set up the IdP and created a connected app for WSO2 Identity Cloud.

  4. After creating the app, go to Setup, search for "Manage Connected Apps", and select it.
  5. Click on the "wso2is" app we created.
  6. Go to the "Profiles" section and click "Manage Profiles".
  7. Select the Salesforce user profiles that are allowed to use the "wso2is" connected app; only users in the selected profiles can authenticate to it, so this is where you restrict who can reach API Manager at all.


Step 3 — Define User Roles

If you already have defined roles for your Salesforce users, you can skip this step.

  1. Go to Setup, search for "Roles", and select it. Create roles for developer, publisher, subscriber, and admin.
  2. After creating the roles, assign your users to them through the UI or the SOAP API.

    In this example, I created admin, developer, publisher, and subscriber roles and assigned users to them. Later, through WSO2 Identity Cloud, I will give these roles the following permissions:

    Users with the developer role can access the publisher app and create APIs.
    Users with the publisher role can access the publisher app and publish already created APIs.
    Users with the subscriber role can access the store app and subscribe to created APIs.
    Users with the admin role can access the store, publisher, and admin apps.

    If your users already have roles, you can define your own permission model, e.g. users with the administrator role can access the store, publisher, and admin apps and create/publish APIs, while all other users can access the store app and subscribe to APIs.

Step 4 — Add Role to the SAML Attribute Statement

The role of the authenticated user needs to be sent to WSO2 Identity Cloud for role-based authorization. Therefore, add the role to the connected app as a custom attribute.

  1. Go to Setup, search for "Manage Connected Apps", and select it.
  2. Click on the "wso2is" app we created earlier.
  3. Go to the "Custom Attributes" section and click New.
  4. Provide "role" as the attribute key and "$UserRole.Name" as the attribute value, then save.

Add role to attribute profile

After this is completed, successful SAML authentication responses carry the user's role in the attribute statement, e.g. for a user in the developer role:

<saml2:Attribute Name="role">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">developer</saml2:AttributeValue>
</saml2:Attribute>

WSO2 Identity Server Configurations

Identity Server configurations are done through the management console. The WSO2 Identity Cloud management console is not publicly exposed at the moment, so follow the API Cloud documentation and submit a request with the required information to configure the Salesforce IdP in Identity Cloud; the WSO2 Cloud team will do the configuration on your behalf.

The following steps are what gets done when configuring the Salesforce IdP in Identity Cloud. You can follow the same steps to do the configuration in your on-premise Identity Server deployment.

Step 1 — Login to Management Console

Go to https://<identity_host>/carbon/admin/login.jsp and log in with admin credentials.

Step 2 — Create a JDBC User Store for Provisioning Authenticated Salesforce Users

This step is required for role-based user authorization. On-premise deployments don't need it if users are provisioned to the primary user store.

  1. First, create a database and the required tables for storing users (use the user store DDL scripts that ship with the product).
  2. Select User Stores > Add from the main menu.
  3. Select "org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager" as the User Store Manager Class.
  4. Provide a domain name for the user store.
  5. Provide the connection properties for the user store database.
  6. Test the connection and click Add.

Please note that you need to configure the same user store in the publisher/store nodes as well, so that the provisioned users are shared for authorization.

JDBC Userstore configuration

Step 3 — Configure Salesforce as Identity Provider

Select Identity providers Add button from the main menu and provide following details:

Basic Information

  1. Identity Provider Name: salesforce
  2. Display Name: Salesforce
  3. Identity Provider Public Certificate: Upload the certificate we downloaded in Salesforce config step 1.

Role Configuration

Salesforce sends the role of the authenticated user in the attribute statement, according to the configuration we did in Step 4 of the Salesforce configurations. These roles need to be mapped to WSO2 Identity Server roles for user provisioning and authorization.
Internal roles are shared between all user stores. Since we are using a secondary user store, I mapped the Salesforce (IdP) roles to Internal roles. If you are using the primary user store in your on-premise deployment, you can use the default roles.

Please note that the Internal/admin role doesn't exist in a default APIM server. I created it manually under the Internal domain and gave it all permissions.
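As an added debugging aid (example code written for this page, not from the article, WSO2 or Salesforce), the script below decodes a SAMLResponse captured from the browser (the form POST to /commonauth) and checks the things this integration depends on: the Issuer matches the Salesforce domain, the Destination is the ACS URL, the Audience is the SP entity ID wso2is, the assertion is inside its validity window, and the "role" attribute from Salesforce Step 4 is present and maps to an Internal role. The Issuer, ACS URL and entity ID are the tutorial's own values; the Internal/creator, Internal/publisher and Internal/subscriber role names, the role-to-app table and the sample response are assumptions and constructed data, not a real capture.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard SAML 2.0 namespaces.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values taken from the tutorial's Salesforce connected-app settings.
EXPECTED_ISSUER = "https://chalitha-sample.my.salesforce.com"  # Salesforce "Issuer"
EXPECTED_AUDIENCE = "wso2is"                                   # SP Entity Id
EXPECTED_ACS = "https://identity.cloud.wso2.com/commonauth"    # ACS URL
# Salesforce role -> WSO2 Internal role. The page names only Internal/admin; the
# other three are ASSUMED here to be the default API Manager Internal roles.
ROLE_MAP = {"admin": "Internal/admin", "developer": "Internal/creator",
            "publisher": "Internal/publisher", "subscriber": "Internal/subscriber"}
# Which web apps each Salesforce role may open, as listed in Step 3.
APP_ACCESS = {"developer": {"publisher"}, "publisher": {"publisher"},
              "subscriber": {"store"}, "admin": {"publisher", "store", "admin"}}

def _saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAML timestamp: %r" % value)

def inspect_saml_response(b64_response, now):
    """Decode a base64 SAMLResponse and check the fields this integration relies on.
    Signature verification is NOT done here (Identity Server does it with the
    uploaded Salesforce certificate); this is a debugging aid, not an authz check."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        problems.append("issuer mismatch: %r" % issuer)
    if root.get("Destination") != EXPECTED_ACS:
        problems.append("destination is not the ACS URL: %r" % root.get("Destination"))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    result = {"subject": None, "sf_roles": [], "wso2_roles": [], "apps": set(),
              "problems": problems}
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion in response")
        return result
    result["subject"] = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    cond = assertion.find("saml2:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if EXPECTED_AUDIENCE not in audiences:
            problems.append("audience mismatch: %r" % audiences)
    # The custom attribute configured in Step 4 ("role" = $UserRole.Name).
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == "role":
            result["sf_roles"] += [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
    if not result["sf_roles"]:
        problems.append("no 'role' attribute: user would be provisioned without permissions")
    for role in result["sf_roles"]:
        if role in ROLE_MAP:
            result["wso2_roles"].append(ROLE_MAP[role])
            result["apps"] |= APP_ACCESS[role]
        else:
            problems.append("unmapped Salesforce role %r" % role)
    return result

# Constructed, unsigned sample response for offline testing (not a real capture).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2019-01-01T00:00:00Z" Destination="https://identity.cloud.wso2.com/commonauth">
 <saml2:Issuer>https://chalitha-sample.my.salesforce.com</saml2:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
  <saml2:Issuer>https://chalitha-sample.my.salesforce.com</saml2:Issuer>
  <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2019-01-01T00:00:00Z" NotOnOrAfter="2019-01-01T00:05:00Z">
   <saml2:AudienceRestriction><saml2:Audience>wso2is</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement><saml2:Attribute Name="role">
   <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">developer</saml2:AttributeValue>
  </saml2:Attribute></saml2:AttributeStatement>
 </saml2:Assertion>
</samlp:Response>"""

def check_sample(minutes_after_issue=1, xml_text=SAMPLE_RESPONSE_XML):
    """Inspect (a variant of) the sample as seen N minutes after it was issued."""
    now = datetime(2019, 1, 1, 0, minutes_after_issue, tzinfo=timezone.utc)
    return inspect_saml_response(base64.b64encode(xml_text.encode()).decode(), now)

if __name__ == "__main__":
    print(check_sample())  # clean: alice -> Internal/creator, may open the publisher app
```

Run it against a real capture by passing the SAMLResponse form value and the current UTC time to inspect_saml_response; an empty problems list plus the expected wso2_roles tells you the Salesforce side and the role mapping are right before you chase provisioning issues in the user store. A missing or unmapped role is the usual cause of a user who can log in but gets an empty or forbidden publisher/store.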


Federated Authenticators > SAML2 Web SSO Configuration

  1. Enable SAML2 Web SSO: check
  2. Identity Provider Entity Id: the Issuer listed in the "wso2is" connected app created in Salesforce config Step 2.
  3. Service Provider Entity Id: wso2is
  4. SSO URL: the SP-Initiated Redirect Endpoint URL listed in the "wso2is" connected app, e.g. https://chalitha-example.salesforce.com/idp/endpoint/HttpRedirect.

Just-in-Time Provisioning

Check “Always provision to User Store Domain” and select the created user store from the dropdown.

Step 4 — Configure Service Providers for Accessing the API Cloud Apps

Select Service Providers > Add from the main menu and provide the following details. If you already have an SSO-configured on-premise deployment, you only need to do the Local & Outbound Authentication Configuration section.

Basic Information

  1. Service Provider Name: API_PUBLISHER

Inbound Authentication Configuration > SAML2 Web SSO Configuration

  1. Issuer: API_PUBLISHER
  2. Assertion Consumer URLs: https://<publisher_hostname>/publisher/jagg/jaggery_acs.jag
  3. Enable Response Signing: check
  4. Enable Attribute Profile and Include Attributes in the Response Always: check

Local & Outbound Authentication Configuration

  1. Authentication Type: select Federated Authentication and select the salesforce IdP we created earlier.
  2. Select Use tenant domain in local subject identifier (only required for multi-tenanted environments like the cloud) and Use user store domain in local subject identifier.

Now we have configured a service provider for accessing the API Publisher app. Similarly, create service providers for accessing the API Store and API Admin apps; only the name, issuer, and assertion consumer URL differ, and the other settings are the same as for API_PUBLISHER.

The following are the specific configurations for the admin and store apps:


Basic Information

  1. Service Provider Name: API_ADMIN

Inbound Authentication Configuration > SAML2 Web SSO Configuration

  1. Issuer: API_ADMIN
  2. Assertion Consumer URLs: https://<admin_hostname>/admin/jagg/jaggery_acs.jag


Basic Information

  1. Service Provider Name: API_STORE

Inbound Authentication Configuration > SAML2 Web SSO Configuration

  1. Issuer: API_STORE
  2. Assertion Consumer URLs: https://<store_hostname>/store/jagg/jaggery_acs.jag

All the configuration is now complete. When you access the API Publisher, Admin, or Store apps, you will be redirected to the Salesforce login page. After successfully authenticating, you will be redirected back to the corresponding application.


Opinions expressed by DZone contributors are their own.
