26 May, 2016

[Article] The Benefits of Integrating WSO2 Identity Server with WSO2 API Manager

  • Pubudu D.P
  • Senior Software Engineer - QA Team - WSO2
Archived Content
This article is provided for historical perspective only, and may not reflect current conditions. Please refer to relevant product page for more up-to-date product information and resources.

Introduction

WSO2 API Manager is a fully-fledged solution for API management requirements. API creation, publishing, subscription management, and throttling are some of its key functionalities. WSO2 API Manager mainly consists of four components known as Gateway, Key Manager, Publisher, and Store. API Publisher is where the API developers develop and manage their work in progress. Once the development is completed, these APIs are published to the API Store. Usually, the API Store attracts application developers who need to consume the APIs.

On the other hand, WSO2 Identity Server is an award-winning identity access management solution with a wide range of functionalities. Role-based access control, attribute-based access control, fine-grained policy-based access control, and single sign-on are among some of its key features. WSO2 Identity Server 5.0.0 was released with identity bus capabilities, which means you can use the product as an Identity federation bus across all applications. For example, if the application requires a SAML2 token, but the user wants to sign in using OpenID, WSO2 Identity Server is capable of transforming and mediating this type of authentication flow.

By integrating these two products, many security scenarios could be implemented. In this article, we will discuss some of the common use cases and advantages of each implementation.


Why WSO2 Identity Server?

WSO2 API Manager and WSO2 Identity Server are both developed on top of the WSO2 Carbon platform, so the two products are architecturally similar. This means WSO2 API Manager integrates more seamlessly with WSO2 Identity Server than with other identity and access management (IAM) solutions available on the market. It does not mean you cannot integrate WSO2 API Manager with an existing IAM solution; rather, integrating these two products is easier because both are built on the same platform.

WSO2 Identity Server has been designed to be easily integrated with other WSO2 products. Hence it ships with many features that complement various security scenarios, which can be achieved by integrating with other WSO2 products. Specifically, when it comes to WSO2 API Manager, WSO2 Identity Server supports many security use cases at different levels that users cannot implement with a single IAM solution.

One of the most exciting features you can leverage by integrating WSO2 API Manager with WSO2 Identity Server is the capacity of the identity server to provide enterprise identity bus features. The idea behind an enterprise identity bus is to provide a facility to connect the various security protocols used by heterogeneous platforms. In the real world, it often becomes a requirement to integrate or communicate between these heterogeneous systems. One of the bottlenecks of this requirement is deciding how to manage identities across the different standards used by these systems. The solution to this problem is an enterprise identity bus. WSO2 Identity Server allows you to mediate between different security protocols and integrate these heterogeneous systems. More information about this concept can be found here.

WSO2 Identity Server supports WSO2 API Manager in many ways; serving as the key manager, providing single sign-on with SAML 2.0 standards, managing user identities via social logins, and fine-grained authorization with XACML are some of the commonly identified use cases of integrating WSO2 API Manager and WSO2 Identity Server. Let’s take a look at some of these use cases and identify the benefits offered by each approach.


Using WSO2 Identity Server as Key Manager

This is probably the most common use case of integrating WSO2 API Manager and WSO2 Identity Server. The basic idea behind this concept is to use WSO2 Identity Server to handle security and access token-related actions.

In a distributed setup, once a subscriber generates an API token in the API Manager Store for a particular application, the Store makes a call to the API Gateway. Then the API Gateway communicates with the Key Manager to generate an OAuth app and creates an access token. When the subscriber invokes this API, the API Gateway will call the Key Manager and validate the token prior to serving the request. Let’s take a look at the architecture of this implementation.

Figure 1

Advantages of using identity server as Key Manager:

  • Decouples the operations for creating OAuth applications and validating tokens from the rest of the API Manager deployment.
  • Increases flexibility in terms of organizational security policies to integrate with the API manager.
  • Allows the user to consume identity server-specific authentication/authorization features as well as enterprise identity bus features when used as Key Manager. Refer to this article to find out some of the key benefits of using this enterprise identity bus model.
  • If you already have an identity server instance running, you can use the same as Key Manager in API manager deployment (central location to manage identity-related operations).
  • Still allows Token API operations in an API manager distributed setup even though identity server is being used as the Key Manager.
  • Supports features such as SAML, XACML, and Social Logins (further details are discussed later in this article about each of these features).

Single sign-on across developer portal (SAML)

WSO2 API Manager consists of two main components known as Publisher and Store. Users of the Publisher component often need to access the Store as well. Since these are two different applications, users who are signed in to the Publisher application must log in to the Store separately if they need to access Store features.

With the single sign-on (SSO) feature, these users can log in to one application and then gain access to the other related applications without having to sign in separately.

This feature uses the SAML2 browser-based SSO functionality supported by WSO2 Identity Server. WSO2 Identity Server acts as the identity provider that authenticates users for the Publisher and Store applications, enabling SSO. To achieve this, you need to integrate WSO2 API Manager with WSO2 Identity Server and register the Publisher and Store applications as Service Providers within the identity server. These applications then communicate with the identity server using SAML tokens delivered to an assertion consumer URL. In order to implement SSO across a number of apps registered as Service Providers in the identity server, the applications must share a common user store. More information on this configuration is available here.

Figure 2

Advantages of SSO:

  • Provides a single identity for a particular user among interrelated heterogeneous applications.
  • Simplifies administration tasks, such as user provisioning/de-provisioning activities.
  • Auditing and usage analysis can be clearly carried out across different applications.
  • Improved usability by allowing users to log in once and providing access to multiple applications.

Social login for developer’s portal

Social logins are widely used in applications these days. Their use has increased mainly because users often dislike going through a sign-up process. Social logins address this by providing third-party APIs that take care of the authentication/authorization process. In addition, some users are reluctant to provide their personal information when signing up for a website/application. With social logins this concern is reduced, because the user information is stored with a third-party service provider that the user already trusts.

WSO2 API Manager supports social logins side-by-side with SSO functionality. For example, instead of going through the self-signup process, users can simply use Facebook or Google login to sign in to the Publisher/Store applications at once. This article explains how you can set up Facebook login with WSO2 API Manager by using WSO2 Identity Server. Configuration of Google login can be found here. Figure 3 below illustrates the authentication/authorization flow described above.

Figure 3

The access token of the Facebook app is stored in the identity server within an identity provider configuration. The Publisher and Store apps are registered in the identity server as service providers. Using the Facebook access token, users are authenticated and can log in with their Facebook credentials.

Advantages of the Social Login feature:

  • Improves usability and simplicity of the signup/login process.
  • Reduces the possibility of users creating fake profiles, as social logins usually carry authentic user information.
  • Makes use of social data gathered with user permission.
  • Engages a larger userbase as most of the social media platforms have a large number of users.

Fine-grained authorization for APIs (XACML)

The WSO2 API Manager and WSO2 Identity Server integration enables you to authorize APIs using XACML-based authorization policies. This is also known as content-based access control. As explained above, the identity server can be used as the Key Manager in an API Manager distributed setup. Since the identity server also supports XACML policies, you can use it as an XACML engine to provide fine-grained authorization for your APIs by defining your own customized policies.

Figure 4

As displayed in Figure 4 above, the user first invokes, via an application, a backend service hosted in WSO2 API Manager. The user is authenticated by the OAuth authorization server (WSO2 Identity Server), which plays the role of a PEP and validates the request against its inbuilt XACML PDP before issuing an access token. The application then requests the backend service from the API Manager using the access token provided. The API Manager (another PEP) authorizes the application against the XACML PDP and responds to the client with the requested resources.

Advantages of fine-grained authorization:

  • More flexibility in changing authorization logic.
  • Independent of the legacy systems and no source code changes required to define authorization policies.
  • Improved reusability of the policies.
  • Defining custom authorization rules is a straightforward process.
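The two-PEP flow of Figure 4 and the token validation step of the Key Manager section, as an added illustration that is not WSO2 code: a toy PDP evaluating XACML-style rules (subject roles, resource API, action) under a deny-overrides combining algorithm, and a gateway PEP that first validates the token (a constructed table standing in for the Key Manager) and then asks the PDP. All names and sample values are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One XACML-like rule: effect applies when all non-empty targets match."""
    effect: str                                  # "Permit" or "Deny"
    roles: set = field(default_factory=set)      # empty = any subject role
    apis: set = field(default_factory=set)       # empty = any API resource
    methods: set = field(default_factory=set)    # empty = any action

    def matches(self, req):
        return ((not self.roles or bool(self.roles & req["roles"]))
                and (not self.apis or req["api"] in self.apis)
                and (not self.methods or req["method"] in self.methods))

# Constructed policy: deny-overrides, mirroring XACML's deny-overrides algorithm.
POLICY = [
    Rule("Deny", methods={"DELETE"}),                                   # nobody may DELETE
    Rule("Permit", roles={"admin"}),                                    # admins: anything else
    Rule("Permit", roles={"subscriber"}, apis={"/orders"}, methods={"GET"}),
]

def pdp_decide(req, policy=POLICY):
    """PDP: combine the effects of every matching rule; any Deny wins."""
    effects = [r.effect for r in policy if r.matches(req)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"      # a PEP must treat this as a denial, never as Permit

# Constructed token table standing in for the Key Manager's validation response.
TOKENS = {
    "tok-alice": {"user": "alice", "roles": {"subscriber"}, "active": True},
    "tok-bob":   {"user": "bob",   "roles": {"admin"},      "active": False},
}

def gateway_authorize(token, api, method):
    """Gateway PEP: validate the token first, then authorize against the PDP."""
    info = TOKENS.get(token)
    if info is None or not info["active"]:
        return 401                                  # token unknown, revoked or expired
    req = {"roles": info["roles"], "api": api, "method": method}
    return 200 if pdp_decide(req) == "Permit" else 403
```

Note that the PEP returns 403 for NotApplicable as well as Deny; fail-closed handling of the no-matching-rule case is the check most often missed when wiring a PDP into a gateway.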

Conclusion

In this article, we discussed some advanced security implementations powered by WSO2 Identity Server. WSO2 Identity Server complements WSO2 API Manager in terms of various security protocols being used in many organizations, such as SAML, XACML, social features as well as Key Management of WSO2 API Manager. The integration of WSO2 Identity Server with API Manager is highly recommended because the identity server can be used with the above scenarios as well as many other implementations depending on user requirements due to its flexibility. WSO2 Identity Server’s enterprise Identity Bus features can also be used once integrated with WSO2 API Manager.

