SSO for WSO2 APIM via windows authentication
Integrated Windows Authentication (IWA) is a popular authentication mechanism that is used to authenticate users in Microsoft Windows servers. It uses Negotiate/Kerberos or NTLM to authenticate users based on an encrypted ticket/message passed between a browser and a server.
The following steps have to be carried out to enable SSO for WSO2 APIM via Windows authentication. The diagram below illustrates the overall arrangement of IDPs and SPs that need to be configured in APIM and IS_KM.
SAML SSO Configuration
- Create a Service Provider in IS_KM named “apim” and configure SAML2 Web SSO Configuration under Inbound Authentication Configuration as described in document [1].
- Create an Identity Provider in APIM named “is” and configure SAML2 Web SSO Configuration under Federated Authenticators by following the steps in document [2].
- Configure the “is” IDP as a Federated Authentication under Local & Outbound Authentication Configuration of the “apim_devportal” and “apim_publisher” service providers.
The above three steps enable SAML-based single sign-on between IS_KM and APIM. Before moving on, verify that SAML-based SSO works end to end. Once it does, follow the steps below to enable Windows authentication.
IWA Configuration
- Create another Identity Provider named “IWA” and configure IWA Kerberos Configuration under Federated Authenticators as described in document [3].
- Within the “apim” service provider created in the first step of the SAML SSO configuration, configure the IWA IDP as a Federated Authentication under Local & Outbound Authentication Configuration.
- Configure the browser to use IWA authentication. You have to enable the Kerberos flow in your browser; follow the steps in document [4] (the 6th step in document [4]) for your browser type.
When using Windows authentication, the AD users must also be added to the user store of IS_KM. Since APIM 3.0, a user who needs to access the APIM devportal must obtain an access token with the apim:subscribe scope. To obtain such a token, the user must have the Internal/subscriber role, or one of the user’s existing roles must be listed under the apim:subscribe scope.
Therefore, because the AD user needs roles to access the APIM devportal and publisher, the relevant users have to be added manually to a primary or secondary user store of IS_KM together with their permissions. The domain name of that user store is then entered in the IWA IDP created in step 1 of the IWA configuration, so that IS_KM checks for the presence of the user in that user store.
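The two paragraphs above describe a precondition that is easy to get wrong: an AD user who authenticates through IWA but is missing from the IS_KM user store, or who is present without a role that satisfies apim:subscribe, will be rejected by the devportal. The following script is an added example (not part of the original article and not a WSO2 tool) that checks that condition before rolling out IWA. It assumes that IS_KM exposes the standard SCIM2 `/scim2/Users` endpoint and returns users as `{"userName": "DOMAIN/name", "groups": [{"display": "..."}]}`; the sample response embedded in the script is constructed, and the `fetch_scim_users` helper, its URL, credentials and filter syntax are assumptions about a particular deployment.

```python
"""Pre-check that AD users mapped through the IWA IDP exist in the IS_KM user
store and hold a role that satisfies the apim:subscribe scope.

Added example, not part of the original article or of WSO2's own tooling.
Assumptions: IS_KM exposes the SCIM2 /scim2/Users endpoint and returns
users as {"userName": "DOMAIN/name", "groups": [{"display": "..."}]};
the sample payload below is constructed.
"""
import base64
import json
import urllib.request
from urllib.parse import quote

# Roles that satisfy apim:subscribe. Internal/subscriber is the default; add
# any other role you have listed under the scope in APIM.
SUBSCRIBE_ROLES = frozenset({"Internal/subscriber"})

# Constructed sample SCIM2 response: alice is provisioned correctly, bob is in
# the store but lacks a subscribe role, carol is missing from the store.
SAMPLE_SCIM_RESPONSE = json.dumps({
    "totalResults": 2,
    "Resources": [
        {"userName": "AD/alice",
         "groups": [{"display": "Internal/everyone"},
                    {"display": "Internal/subscriber"}]},
        {"userName": "AD/bob",
         "groups": [{"display": "Internal/everyone"}]},
    ],
})


def parse_scim_users(payload: str) -> dict:
    """Map lowercased 'DOMAIN/user' -> set of role names from a SCIM2 list response."""
    body = json.loads(payload)
    users = {}
    for resource in body.get("Resources", []):
        name = resource.get("userName", "")
        roles = {g.get("display", "") for g in resource.get("groups", [])}
        users[name.lower()] = roles
    return users


def check_devportal_access(payload: str, domain: str, username: str,
                           allowed_roles=SUBSCRIBE_ROLES) -> dict:
    """Report whether DOMAIN/username is present in the user store and holds a
    role that maps to apim:subscribe (the user-store domain is the one entered
    in the IWA IDP)."""
    users = parse_scim_users(payload)
    key = f"{domain}/{username}".lower()
    roles = users.get(key)
    if roles is None:
        return {"user": key, "present": False, "subscribe_ok": False, "roles": []}
    matched = sorted(roles & set(allowed_roles))
    return {"user": key, "present": True, "subscribe_ok": bool(matched),
            "roles": sorted(roles)}


def fetch_scim_users(base_url: str, admin_user: str, admin_pass: str, domain: str) -> str:
    """Fetch the users of one user-store domain from IS_KM (network call; the
    base URL, admin credentials and SCIM filter syntax are assumptions)."""
    filt = quote(f'userName sw "{domain}/"')
    req = urllib.request.Request(f"{base_url}/scim2/Users?filter={filt}")
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/scim+json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; swap in
    # fetch_scim_users("https://is-km.example:9443", "admin", "<password>", "AD")
    # to run against a real IS_KM.
    for user in ("alice", "bob", "carol"):
        print(check_devportal_access(SAMPLE_SCIM_RESPONSE, "AD", user))
```

Run this for every AD account expected to use the devportal before enabling the IWA authenticator on the “apim” service provider; a user reported as not present or without a subscribe role will authenticate through Kerberos but still fail at the token step.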
[3] https://is.docs.wso2.com/en/latest/learn/configuring-iwa-on-linux/#setting-up-iwa