
Integrating OAuth API Gateway with SAML Identity Provider


In this post, we take a quick look at how you can integrate OAuth with the SAML identity provider when using WSO2's API Cloud. Read on for the details.


OAuth2 is the modern standard for securing REST and SOAP APIs. However, many enterprises already have SAML Identity Providers (IdPs) that they use as their internal authentication standard. They want their web and mobile applications to authenticate end-users against these existing providers, translate the result into OAuth, enforce access and policies, and then pass the calls to the backend.

Today we will talk about how this works in the case of WSO2 API Cloud:

[Diagram: SAML2-to-OAuth2 token exchange flow between the application, the corporate IdP, the WSO2 API Cloud gateway, and the backend]

Configuration:

  • Configure the cloud to trust the IdP.
  • In the Developer Portal (API Store), create your application and get its OAuth consumer secret and consumer key.

Now, let’s look at the way the actual authentication and API usage happens in the diagram above:

  1. Your web or mobile app asks the end-user to log in as it normally would.
  2. Your corporate Identity Provider (IdP) checks credentials and issues the SAML2 token.
  3. Now the application needs to obtain a personalized OAuth2 token for that end-user and that app. To do so, it invokes the API gateway’s Token API and passes the consumer key, the consumer secret, and the SAML2 token.
  4. The API gateway validates the SAML assertions against the IdP. If particular API scopes are requested, the gateway also checks whether the roles associated with those scopes match the roles carried in the SAML assertions.
  5. If validation succeeds, the API gateway returns an OAuth access token and a refresh token. The refresh token can be used to renew the access token when it expires.
  6. The application now has the OAuth token it needs and can use it to invoke the actual APIs.
  7. The API gateway uses the OAuth token to identify the end-user, apply security and throttling policies, collect analytics data, and pass the calls to the backend. When the backend is invoked, end-user and application information is passed to it as a JWT.
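To make steps 3 to 5 concrete, here is an added example (not code from the original post or from WSO2) that models both sides of the token exchange. The client side builds the Token API request using the standard SAML 2.0 bearer assertion grant (RFC 7522, `urn:ietf:params:oauth:grant-type:saml2-bearer`) with the consumer key and secret as HTTP Basic credentials; the gateway side decodes the request, checks the assertion's validity window and audience, reads the user's roles, and grants only the requested scopes whose bound roles the user holds. The token endpoint, the role attribute name, the scope-to-role table and the sample assertion are all constructed placeholders, and XML signature verification against the IdP's certificate, which a real gateway must perform, is deliberately left out of the validation function.

```python
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

# Assumed values: the real endpoint comes from your API Cloud tenant, the
# credentials from the application you created in the Developer Portal.
TOKEN_ENDPOINT = "https://GATEWAY-HOST-PLACEHOLDER/token"
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRIBUTE = "http://wso2.org/claims/role"  # assumed name of the role attribute

# Constructed sample: a minimal, unsigned SAML2 assertion as an IdP would issue in step 2.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://GATEWAY-HOST-PLACEHOLDER/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/role">
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed scope-to-role binding; in API Cloud this is configured per API.
SCOPE_ROLES = {"read_orders": {"employee"}, "approve_invoices": {"finance"}, "admin": {"admin"}}


def parse_time(iso_utc):
    """Parse a SAML-style UTC timestamp such as 2024-01-01T00:05:00Z."""
    return dt.datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))


def build_token_request(consumer_key, consumer_secret, assertion_xml, scopes):
    """Step 3 (application side): the Token API request that trades the SAML2 assertion
    for an OAuth2 token. Returns the pieces a client would send, not a live HTTP call."""
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    assertion = base64.urlsafe_b64encode(assertion_xml.encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": SAML2_BEARER_GRANT, "assertion": assertion, "scope": " ".join(scopes)}
    )
    headers = {"Authorization": "Basic " + creds, "Content-Type": "application/x-www-form-urlencoded"}
    return {"url": TOKEN_ENDPOINT, "headers": headers, "body": body}


def decode_token_request(form_body):
    """Gateway side: recover the assertion XML and requested scopes from the form body."""
    params = urllib.parse.parse_qs(form_body)
    if params.get("grant_type") != [SAML2_BEARER_GRANT]:
        raise ValueError("unsupported grant_type")
    assertion_xml = base64.urlsafe_b64decode(params["assertion"][0]).decode()
    return assertion_xml, params.get("scope", [""])[0].split()


def validate_assertion(assertion_xml, now_iso, expected_audience):
    """Step 4 (gateway side): validity window, audience, subject and roles.
    Signature verification against the IdP certificate is required in production
    and is NOT implemented here."""
    root = ET.fromstring(assertion_xml)
    now = parse_time(now_iso)
    cond = root.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this gateway")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    roles = {
        v.text
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == ROLE_ATTRIBUTE
        for v in attr.findall("saml:AttributeValue", NS)
    }
    return subject, roles


def grant_scopes(requested, user_roles):
    """Keep only the requested scopes bound to at least one role the user holds."""
    return sorted(s for s in requested if SCOPE_ROLES.get(s, set()) & user_roles)


def issue_token(form_body, now_iso, expected_audience=TOKEN_ENDPOINT):
    """Step 5: validate, then return the access/refresh token pair (constructed placeholders)."""
    assertion_xml, requested = decode_token_request(form_body)
    subject, roles = validate_assertion(assertion_xml, now_iso, expected_audience)
    return {
        "access_token": "opaque-access-token-for-" + subject,
        "refresh_token": "opaque-refresh-token",
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(grant_scopes(requested, roles)),
        "subject": subject,
    }


if __name__ == "__main__":
    req = build_token_request("CONSUMER-KEY", "CONSUMER-SECRET", SAMPLE_ASSERTION, ["read_orders", "admin"])
    print(issue_token(req["body"], "2024-01-01T00:01:00Z"))
```

Two design points are worth noting. The audience check ties the assertion to this gateway's token endpoint, so an assertion issued for another service cannot be replayed here, and the validity window check (together with the signature verification this example omits) is what stops an old or forged assertion from minting a fresh OAuth token. The scope step grants only what the user's roles justify, so an application requesting `admin` on behalf of a user without that role simply gets a narrower token rather than an error.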

That is it. See our documentation page for the specific configuration steps and token API calls, and use API Cloud’s Support menu if you need any help.


Topics:
oauth ,api ,saml ,integration ,wso2

Published at DZone with permission of
