
Integrating OAuth API Gateway with SAML Identity Provider

In this post, we take a quick look at how you can integrate OAuth with the SAML identity provider when using WSO2's API Cloud. Read on for the details.

OAuth2 is the modern standard for securing REST and SOAP APIs. However, many enterprises already have SAML Identity Providers (IdPs) that they use as their internal authentication standard. They would like their web and mobile applications to have end-users authenticate with these existing providers, then translate that authentication into OAuth, enforce access and policies, and pass the calls to the backend.

Today we will talk about how this works in the case of WSO2 API Cloud:

[Diagram: end-user authentication with the SAML IdP and the exchange of the SAML2 token for an OAuth2 token at the API gateway; the steps are described below]

Configuration:

  • Configure the cloud to trust the IdP.
  • In the Developer Portal (API Store), create your application and get its OAuth consumer secret and consumer key.

Now, let’s look at the way the actual authentication and API usage happens in the diagram above:

  1. Your web or mobile app asks the end-user to log in as it normally would.
  2. Your corporate Identity Provider (IdP) checks credentials and issues the SAML2 token.
  3. Now the application needs to obtain a personalized OAuth2 token for that end-user and that app. For that, it invokes the API gateway’s Token API and passes the consumer key, the consumer secret, and the SAML2 token.
  4. The API gateway validates the SAML assertions against the IdP. If particular API scopes are requested, the gateway also checks that the roles associated with those scopes match the roles carried in the SAML assertions.
  5. If validation is successful, the API gateway returns the OAuth token and a refresh token. The refresh token can be used to renew the OAuth token when it expires.
  6. Now the application has the OAuth token it needs and can use it to invoke the actual APIs.
  7. The API gateway uses the OAuth token to identify the end-user, apply security and throttling policies, collect analytics data, and pass the calls to the backend. When the backend is invoked, end-user and application information is passed to it as a JWT.
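The flow above is the OAuth2 SAML 2.0 bearer assertion grant (RFC 7522). The following Python is an added example, not code from this post or from WSO2: it builds the step 3 Token API request on the client side, then models the gateway side of step 4 (reading roles out of the assertion and gating requested scopes on them) and the steps 5 and 6 handling of the token response. The token endpoint URL, the role attribute name, the sample assertion and the scope-to-role bindings are all assumptions or constructed values; take the real endpoint and configuration from the API Cloud documentation.

```python
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Assumed token endpoint for WSO2 API Cloud; take the real value from the API Cloud docs.
TOKEN_URL = "https://gateway.api.cloud.wso2.com/token"
# Grant type registered by RFC 7522 for exchanging a SAML 2.0 assertion for an OAuth2 token.
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed SAML attribute that carries the user's roles (WSO2's role claim URI).
ROLE_ATTRIBUTE = "http://wso2.org/claims/role"

# Constructed sample assertion standing in for what the corporate IdP returns in step 2.
# A real assertion is signed; the signature element is omitted here for brevity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/role">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed scope-to-role bindings, as configured on the gateway: a scope with no
# binding is open to any authenticated user, a bound scope needs one of the listed roles.
SCOPE_ROLES = {"approve_invoices": {"finance"}, "manage_users": {"admin"}}


def build_token_request(consumer_key, consumer_secret, assertion_xml, scopes=()):
    """Step 3 (client side): the Token API call that exchanges the SAML2 assertion."""
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    # RFC 7522: the assertion is base64url-encoded, without padding or line breaks.
    assertion = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    fields = {"grant_type": SAML2_BEARER, "assertion": assertion}
    if scopes:
        fields["scope"] = " ".join(scopes)
    headers = {
        "Authorization": f"Basic {creds}",  # consumer key/secret from the Developer Portal
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return {"url": TOKEN_URL, "headers": headers, "fields": fields, "body": urlencode(fields)}


def decode_assertion(param):
    """Gateway side: undo the base64url encoding, restoring any stripped padding."""
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded).decode()


def roles_from_assertion(assertion_xml, role_attribute=ROLE_ATTRIBUTE):
    """Step 4: read the role attribute values out of a SAML attribute statement.
    Only call this after the assertion's XML signature has been verified against the
    trusted IdP certificate; unverified attributes must not drive authorization."""
    root = ET.fromstring(assertion_xml)
    roles = set()
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") == role_attribute:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                roles.add((value.text or "").strip())
    return roles


def grant_scopes(requested, user_roles, scope_roles=SCOPE_ROLES):
    """Step 4: keep only the requested scopes whose bound roles the user actually holds."""
    granted = set()
    for scope in requested:
        bound = scope_roles.get(scope)
        if bound is None or bound & set(user_roles):
            granted.add(scope)
    return granted


def parse_token_response(body):
    """Step 5: pull the access token, refresh token and lifetime from the JSON reply."""
    data = json.loads(body)
    return data["access_token"], data.get("refresh_token"), data.get("expires_in")


def bearer_header(access_token):
    """Step 6: the header the app adds to every API call through the gateway."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    req = build_token_request("key", "secret", SAMPLE_ASSERTION, ["approve_invoices", "manage_users"])
    roles = roles_from_assertion(decode_assertion(req["fields"]["assertion"]))
    print("roles in assertion:", sorted(roles))
    print("scopes granted:", sorted(grant_scopes(req["fields"]["scope"].split(), roles)))
```

Running the block shows the role set `finance, employee` being read back from the encoded assertion and only `approve_invoices` surviving the scope check, because `manage_users` is bound to a role the user does not hold. The point for the gateway side is that role-based scope gating is only as trustworthy as the signature check that precedes it: the role attribute must come from an assertion the gateway has verified against the IdP it was configured to trust.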

That is it. See our documentation page for the specific configuration steps and token API calls, and use API Cloud’s Support menu if you need any help.

Topics:
oauth ,api ,saml ,integration ,wso2

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.