Try a B2B use case¶
The following guide is a complete end-to-end use case on how to manage B2B (Business-to-Business) applications in Asgardeo.
Scenario¶
-
You are an administrator of Guardio Insurance, a company that provides insurance services to other organizations.
-
Best Car Mart has a partnership with Guardio Insurance to provide life insurance policies to its employees.
-
Guardio Insurance shares the following platforms with Best Car Mart.
-
Guardio Insurance Administrative App - An administration portal for Guardio customers. Best Car Mart administrators can manage users, assign roles, configure enterprise Identity Providers (IdP), and customize the login flow for their employees using this portal.
-
Guardio Insurance Business App - An application that provides insurance and claim settlement capabilities for their customers. Best Car Mart employees can access this portal for all their insurance needs.
-
The following guides explain how a Guardio Insurance administrator can use Asgardeo to implement the above scenario.
Prerequisites¶
You should create a root organization. For this example, we have created a root organization named Guardio Insurance
.
Onboard the organization¶
Guardio Insurance, as the service provider, functions as the organization (root). Best Car Mart should be set up as a child organization in Guardio Insurance.
Follow the create an organization guide and create an organization under the name Best Car Mart.
Set up the administrative app¶
The next step is to set up the applications that needs to be shared with your child organizations. Let's start with the administrative app.
Step 1: Register the administrative app¶
Follow the steps given below to register the Guardio Insurance administrative applications with Asgardeo.
- Login into the organization (root).
-
Register a traditional web application in your organization (root) with the following settings:
Application Name Add a name for the application. Guardio-Admin-App
Protocol The authentication protocol to use. OpenID Connect
Authorized redirect URLs The URLs to which the authorization code is sent upon authentication and where the user is redirected upon logout. http://localhost:3001/api/auth/callback/wso2isAdmin
http://localhost:3001
Step 2: Share the applications with organizations¶
Share the Guardio-Admin-App with the Best Car Mart organization. See instructions on how to share applications with organizations.
Note
When the application is shared with at least one organization, Sign In with SSO will be added as a login option in the application login screen, which organization users can use to log in.
Step 3: Configure the application on Asgardeo¶
To configure the registered application on Asgardeo:
On the Asgardeo Console, go to Applications and select the application you registered.
Protocol Configurations
-
Go to the Protocol tab of the application, and configure the following values.
Note
If you have selected the
Traditional Web Application
template for application creation, the following values should have already been set properly. Otherwise, verify and update the values.Allowed Grant Types Select the following grant type: - Code
Authorization Redirect URLs The URLs to which the authorization code is sent upon authentication and where the user is redirected upon logout. http://localhost:3001/api/auth/callback/wso2isAdmin
http://localhost:3001
Allowed Origins Enter the allowed origins. http://localhost:3001
Take note of the
client_id
andclient_secret
generated for your applications. -
Click Update to save your configurations.
User Attribute Configurations
-
Go to the User Attributes tab of the Guardio Insurance Business App.
-
Select
Email
,First Name
,Last Name
, andUsername
attributes. -
Click Update.
API Authorization
- Go to the API Authorization tab and click on + Authorize an API Resource.
-
From the API Resources drop-down select the following APIs listed under the Organization APIs category and add the corresponding Authorized Scopes provided below.
API Resource Authorized Scopes SCIM2 Users API Scopes: - View User
- List User
- Create User
- Update User
- Delete User
SCIM2 Roles API Scopes: - View Role
- Update Role
SCIM2 Groups API Scopes: - View Group
- Update Group
Application Management API Scopes: - View Application
- Update Application
Identity Provider Management API Scopes: - View Identity Provider
- Create Identity Provider
- Update Identity Provider
- Delete Identity Provider
Role Configurations
- Go to the Roles tab.
-
Select Application as Role Audience and click + New Role.
-
Enter the following details:
Field Description Value Role Name Enter a unique name to identify the role. GuardioAdministrator Select API Resource All the API resources added in step 2 will be listed. Add each API resource and check the box to include all permissions (scopes). - SCIM2 Users API
- SCIM2 Roles API
- SCIM2 Groups API
- Application Management API
- Identity Provider Management API
-
Click Create.
Upon successful creation the new application role will displayed under Assigned Roles.
Set up the business application¶
The following guides explain how you can share an application with organizations and allow organization users to log in to it using SSO.
Let's use the sample applications, Guardio Insurance Business application and Guardio Insurance Administrative application, to explore this use case.
Step 1: Register the business app¶
Follow the steps given below to register the Guardio Insurance business applications with Asgardeo.
- Login into the organization(root).
-
Register Traditional Web Applications in your organization (root) with the following settings:
Application Name Add a name for the application. Guardio-Business-App
Protocol The authentication protocol to use. OpenID Connect
Authorized redirect URLs The URLs to which the authorization code is sent upon authentication and where the user is redirected upon logout. http://localhost:3000/api/auth/callback/wso2is
http://localhost:3000
Step 2: Share the application with organizations¶
Share the Guardio-Business-App with your organizations. See instructions on how to share applications with organizations.
When the application is shared with at least one organization, Sign In with SSO will be added as a login option in the application login screen, which organization users can use to log in.
Step 3: Configure the application on Asgardeo¶
To configure the registered application on Asgardeo:
On the Asgardeo Console, go to Applications and select the application you registered.
Protocol Configurations
-
Go to the Protocol tab of the application, and configure the following values.
Note
If you have selected the
Traditional Web Application
template for application creation, the following values should have already been set properly. Otherwise, verify and update the values.Allowed Grant Types Select the following grant type: - Code
Authorization Redirect URLs The URLs to which the authorization code is sent upon authentication and where the user is redirected upon logout. http://localhost:3000/api/auth/callback/wso2is
http://localhost:3000
Allowed Origins Enter the allowed origins. http://localhost:3000
Take note of the
client_id
andclient_secret
generated for your applications. -
Click Update to save your configurations.
User Attribute Configurations
-
Go to the User Attributes tab of the Guardio Insurance Business App.
-
Select
Email
,First Name
,Last Name
, andUsername
attributes. -
Click Update.
Set up the client applications¶
Before you begin
Download the sample b2b applications.
To set up the client applications:
-
Navigate to
b2b-samples/config.json
and update the following parameters:Parameter Description Value CommonConfig.AuthorizationConfig.BaseOrganizationUrl
The base URL of the organization (root). https://api.asgardeo.io/t/{organization-name}
BusinessAppConfig.AuthorizationConfig.ClientId
The client ID of the Guardio-Business-App created on Asgardeo. Client ID copied from Guardio-Business-App in step 3 above. BusinessAppConfig.AuthorizationConfig.ClientSecret
The client secret of the Guardio-Business-App created on Asgardeo. Client secret copied from Guardio-Business-App in step 3 above. BusinessAppConfig.ApplicationConfig.HostedUrl
The URL of the Guardio-Business-App client application. http://localhost:3000
BusinessAppConfig.ApplicationConfig.APIScopes
The scopes required by the Guardio-Business-App application to access user resources. openid
,email
,profile
,internal_login
, etc.BusinessAppConfig.ApplicationConfig.Branding.name
The branding name of your application. Guardio Insurance
BusinessAppConfig.ApplicationConfig.Branding.tag
A branding tagline for your application. Anytime . Anywhere
BusinessAppConfig.ManagementAPIConfig.SharedApplicationName
The application name you used to register the Guardio Business application in Asgardeo. Guardio-Business-App
BusinessAppConfig.ManagementAPIConfig.Userstore
The userstore name where the organization users are managed. DEFAULT
BusinessAdminAppConfig.AuthorizationConfig.ClientId
The client ID of the Guardio-Admin-App created on Asgardeo. Client ID copied from Guardio-Admin-App in step 3 above. BusinessAdminAppConfig.AuthorizationConfig.ClientSecret
The client secret of the Guardio-Admin-App created on Asgardeo. Client secret copied from Guardio-Admin-App in step 3 above. BusinessAdminAppConfig.ApplicationConfig.HostedUrl
The URL of the Guardio-Admin-App client application. http://localhost:3001
BusinessAdminAppConfig.ApplicationConfig.APIScopes
The scopes required by the Guardio-Admin-App to do administrative tasks. openid
,email
,profile
,internal_login
,internal_org_user_mgt_view
,internal_org_user_mgt_list
,internal_org_user_mgt_create
,internal_org_user_mgt_update
, etc.BusinessAdminAppConfig.ApplicationConfig.Branding.name
The branding name of your application. Guardio Insurance - Administrator Application
BusinessAdminAppConfig.ApplicationConfig.Branding.tag
A branding tagline for your application. Administrator Application
-
To start the Guardio Insurance Business App, open a terminal, navigate to the
b2b-sample
folder, and execute the following commands:Note
Ensure that your system meets the specified minimum requirements: - Node version >= v16.16.0 - NPM version >= 8.11.0
npm install
npx nx serve business-app
-
To start the Guardio Insurance Administrative App, open a terminal, navigate to the
b2b-sample
folder, and execute the following commands:npm install
npx nx serve business-admin-app
Try it out¶
The following sections explain how an organization user who has admin privileges of the Guardio Insurance Administrative App logs in and uses the administration portal. Also, this guide explains how other organization users consume the Guardio Insurance Business App.
Try out Sign In with SSO¶
Follow the steps below to see how organization login works for a user in the Best Car Mart organization when logging into Guardio Insurance Business App.
-
Open the application by copying the following URL to your browser:
http://localhost:3001/
-
Click Sign In and see that you are diverted to the Asgardeo login screen.
-
Click Sign In with SSO to specify the organization to which you are signing in.
-
Enter Best Car Mart as the organization name and click Submit.
-
Enter the username and password of a user whom you have onboarded to Best Car Mart.
-
Click Sign in and grant permission for the application to use.
You have successfully logged into the Guardio Insurance Administrative App as a user of the Best Car Mart organization.
Try out the administration portal¶
Note
Learn how to build an administration portal for your B2B application in the implement an administration portal section.
Best Car Mart needs to manage its employees through an external IdP. As the administrator of Best Car Mart, Alex is tasked with enabling login from the external IdP for Best Car Mart employees.
To configure an identity provider for Guardio Insurance Business App:
-
Log in to the application with the credentials of Alex.
-
On the application, go to Settings > Identity Providers and click Add Identity Provider.
-
Select Google if you are onboarding a Google IdP or Enterprise if you are onboarding an enterprise IdP.
Note
Make sure that the configured IdP will share the
Email
,First Name
,Last Name
, andUsername
attributes of the authenticating user with Asgardeo. -
Provide the details specific to your IdP and click Create.
-
Click Add to login flow to enable this IdP as the login option for Best Car Mart users in the application.
-
Open the Guardio Insurance Business App by copying the following URL to your browser:
http://localhost:3000/
. -
Log in to the business application through the SSO option. Now, the users in the configured external IdP can be logged into the application.
Step 2: Onboard an organization administrator¶
As an administrator in Guardio insurance, now you can onboard administrators from Best Car Mart to the created organization.
To do so, follow the sales-led approach and create an administrator using the values given below.
-
Create the user with the following values.
Username (Email) Enter an email address as the username. First Name Enter the first name of the user. Alex
Last Name Enter the last name of the user. Doe
Password Set a temporary password for the user or invite user to set the password. -
Assign the created user to the Guardio Administrator role of the shared Guardio-Admin-App application.