Admin Services for Service Provider Configurations in WSO2 Identity Server
SOAP web services are used internally in all WSO2 products. These services are commonly known as admin services. This blog post will guide you on how to call back-end web services directly to configure a service provider in WSO2 Identity Server. If you are interested in using the user-friendly management console (web-based user interface), rather than directly accessing the SOAP API, check here.
Before we move on to the configuration, let’s look at what a service provider is. In WSO2 Identity Server a service provider is an application (a web app, a mobile app or an API) that does not authenticate users itself but delegates authentication, together with the user claims and authorization decisions that come with it, to a trusted identity provider such as the Identity Server. Let’s dive in and start calling the back-end web services directly :)
Pre-requisites:
Download the latest WSO2 Identity Server from here. For details on running the Identity Server, see Running the Product.
Step 01:
By default, the WSDLs (Web Services Description Language contracts) of the admin services are hidden from consumers. To unhide them, change the following property in <IS_HOME>/repository/conf/carbon.xml
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
This property only controls whether the contracts are published; the admin services themselves are deployed and callable either way, protected by authentication. Treat the change as a development convenience, set it back to true when you are done, and keep the management port (9443 by default) off untrusted networks.
Step 02:
Start the server with the OSGi console enabled.
- On Windows:
wso2server.bat --run -DosgiConsole
- On Linux:
sh wso2server.sh -DosgiConsole
Once the server has started, press Enter to get the OSGi console prompt and type 'listAdminServices' to obtain a list of all the available admin services.
Step 03:
To check if the admin services are enabled properly, select an admin service URL from the list and paste in your browser with ?wsdl at the end. An example is given below.
https://localhost:9443/services/OAuthAdminService?wsdl
You will be able to see the service contract of the admin service.
Step 04:
Let’s test the admin services using SoapUI. Download and install SoapUI from here.
We will be using OAuthAdminService to create and configure a service provider with OAuth/OpenID Connect.
Create a new project by navigating to File -> New SOAP Project.
For the initial WSDL, paste the WSDL URL of OAuthAdminService.
https://localhost:9443/services/OAuthAdminService?wsdl
Step 05:
The available admin service methods appear on the left side of the SoapUI window. To send a request to any of them you must supply authentication; the admin services accept HTTP Basic authentication, so click Auth -> Add New Authorization -> Basic and enter the credentials of an admin user. Because the credentials travel in the Authorization header of every request, only ever send them to the HTTPS endpoint (on a fresh installation SoapUI may need to be told to trust the server’s self-signed certificate).
On a fresh local installation the default credentials are admin/admin; they must be changed on any server that anyone else can reach.
Step 06:
Let’s register an OAuth application by calling registerOAuthApplicationData().
A sample request is given below. Replace the application name, grant types and callback URL according to your needs. Enable only the grant types the client actually uses: the list below turns on everything the server supports, but the implicit and password grants are discouraged by current OAuth 2.0 security guidance, and a public client using authorization_code should have pkceMandatory set to true.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:registerOAuthApplicationData>
<!--Optional:-->
<xsd:application>
<!--Optional:-->
<xsd1:OAuthVersion>OAuth-2.0</xsd1:OAuthVersion>
<!--Optional:-->
<xsd1:applicationName>sampleapp1</xsd1:applicationName>
<!--Optional:-->
<xsd1:callbackUrl>http://localhost:8080/playground/oauth2client</xsd1:callbackUrl>
<!--Optional:-->
<xsd1:grantTypes>authorization_code implicit password client_credentials refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer iwa:ntlm</xsd1:grantTypes>
</xsd:application>
</xsd:registerOAuthApplicationData>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:registerOAuthApplicationDataResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:registerOAuthApplicationDataResponse>
</soapenv:Body>
</soapenv:Envelope>
That’s it: the OAuth application is registered and the server has generated a consumer key and consumer secret for it. Note that this call registers the OAuth client only; as shown further down, it does not by itself produce a service provider entry in the management console.
Step 07:
If you want to obtain the consumer key and consumer secret of the newly created OAuth app, send a request to getOAuthApplicationDataByAppName().
Sample request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getOAuthApplicationDataByAppName>
<!--Optional:-->
<xsd:appName>sampleapp1</xsd:appName>
</xsd:getOAuthApplicationDataByAppName>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getOAuthApplicationDataByAppNameResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:type="ax2402:OAuthConsumerAppDTO" xmlns:ax2399="http://base.identity.carbon.wso2.org/xsd" xmlns:ax2402="http://dto.oauth.identity.carbon.wso2.org/xsd" xmlns:ax2398="http://oauth.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2402:OAuthVersion>OAuth-2.0</ax2402:OAuthVersion>
<ax2402:applicationAccessTokenExpiryTime>0</ax2402:applicationAccessTokenExpiryTime>
<ax2402:applicationName>sampleapp1</ax2402:applicationName>
<ax2402:backChannelLogoutUrl xsi:nil="true"/>
<ax2402:bypassClientCredentials>false</ax2402:bypassClientCredentials>
<ax2402:callbackUrl>http://localhost:8080/playground/oauth2client</ax2402:callbackUrl>
<ax2402:frontchannelLogoutUrl xsi:nil="true"/>
<ax2402:grantTypes/>
<ax2402:idTokenEncryptionAlgorithm>null</ax2402:idTokenEncryptionAlgorithm>
<ax2402:idTokenEncryptionEnabled>false</ax2402:idTokenEncryptionEnabled>
<ax2402:idTokenEncryptionMethod>null</ax2402:idTokenEncryptionMethod>
<ax2402:idTokenExpiryTime>0</ax2402:idTokenExpiryTime>
<ax2402:oauthConsumerKey>4MA8JtppsB66Ka8PqS22l1MV3xMa</ax2402:oauthConsumerKey>
<ax2402:oauthConsumerSecret>umtZKzRL_4lAJvv2StTNSGULwXQa</ax2402:oauthConsumerSecret>
<ax2402:pkceMandatory>false</ax2402:pkceMandatory>
<ax2402:pkceSupportPlain>false</ax2402:pkceSupportPlain>
<ax2402:refreshTokenExpiryTime>0</ax2402:refreshTokenExpiryTime>
<ax2402:renewRefreshTokenEnabled xsi:nil="true"/>
<ax2402:requestObjectSignatureValidationEnabled>false</ax2402:requestObjectSignatureValidationEnabled>
<ax2402:state xsi:nil="true"/>
<ax2402:tokenType xsi:nil="true"/>
<ax2402:userAccessTokenExpiryTime>0</ax2402:userAccessTokenExpiryTime>
<ax2402:username>admin@carbon.super</ax2402:username>
</ns:return>
</ns:getOAuthApplicationDataByAppNameResponse>
</soapenv:Body>
</soapenv:Envelope>
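The consumer secret comes back in clear text in this response, so anyone who can call OAuthAdminService can read every client’s secret; restrict the admin role and network access to the service accordingly. The Python below is an added example, not code from the original post or from WSO2 Identity Server. It parses a getOAuthApplicationDataByAppName response of the shape shown above and flags the settings a reviewer would usually question. The embedded response is constructed to mirror the one above; its grant types, callback URL and the list of checks are my own choices, and it needs Python 3.8 or later for the `{*}` namespace wildcard.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"
# Grants the OAuth 2.0 Security Best Current Practice discourages.
DISCOURAGED_GRANTS = {"implicit", "password"}


def _text(root, local_name):
    """Text of the first element with this local name, ignoring namespace prefixes
    (the ax#### prefixes in Axis2 responses are not stable across builds)."""
    el = root.find(f".//{{*}}{local_name}")
    if el is None or el.get(XSI_NIL) == "true":
        return None
    return (el.text or "").strip()


def audit_oauth_app(response_xml):
    """Return a list of findings for one OAuthConsumerAppDTO response."""
    root = ET.fromstring(response_xml)
    app = _text(root, "applicationName") or "<unnamed>"
    findings = []
    # WSO2 also accepts a regexp= pattern in callbackUrl; this check covers plain URLs only.
    for cb in (_text(root, "callbackUrl") or "").split():
        parts = urlsplit(cb)
        if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"{app}: callback {cb} is not https")
    grants = set((_text(root, "grantTypes") or "").split())
    for g in sorted(grants & DISCOURAGED_GRANTS):
        findings.append(f"{app}: discouraged grant type enabled: {g}")
    if "authorization_code" in grants and _text(root, "pkceMandatory") != "true":
        findings.append(f"{app}: authorization_code without mandatory PKCE")
    if _text(root, "pkceSupportPlain") == "true":
        findings.append(f"{app}: plain PKCE code_challenge_method allowed")
    if _text(root, "bypassClientCredentials") == "true":
        findings.append(f"{app}: client authentication bypass enabled")
    if _text(root, "oauthConsumerSecret"):
        findings.append(f"{app}: client secret returned in clear text")
    return findings


# Constructed sample, modelled on the response above; values chosen to exercise the checks.
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getOAuthApplicationDataByAppNameResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:type="ax2402:OAuthConsumerAppDTO" xmlns:ax2402="http://dto.oauth.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2402:OAuthVersion>OAuth-2.0</ax2402:OAuthVersion>
<ax2402:applicationName>sampleapp1</ax2402:applicationName>
<ax2402:bypassClientCredentials>false</ax2402:bypassClientCredentials>
<ax2402:callbackUrl>http://app.example.com/oauth2client</ax2402:callbackUrl>
<ax2402:grantTypes>authorization_code implicit password client_credentials refresh_token</ax2402:grantTypes>
<ax2402:oauthConsumerKey>4MA8JtppsB66Ka8PqS22l1MV3xMa</ax2402:oauthConsumerKey>
<ax2402:oauthConsumerSecret>umtZKzRL_4lAJvv2StTNSGULwXQa</ax2402:oauthConsumerSecret>
<ax2402:pkceMandatory>false</ax2402:pkceMandatory>
<ax2402:pkceSupportPlain>false</ax2402:pkceSupportPlain>
<ax2402:state xsi:nil="true"/>
</ns:return>
</ns:getOAuthApplicationDataByAppNameResponse>
</soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for finding in audit_oauth_app(SAMPLE_RESPONSE):
        print(finding)
```

Feed it the raw response body saved from SoapUI; the sample above yields five findings (an http callback, the implicit and password grants, authorization_code without PKCE, and the secret in the response), and a hardened app with an https callback, mandatory PKCE and only the authorization_code, client_credentials and refresh_token grants yields just the last one.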
However, if you log into the management console and navigate to Main -> Identity -> Service Providers -> List, the newly created OAuth application is not visible as a service provider. To have a service provider created through the admin services show up in the UI, a different sequence of calls is needed. Let’s go through that procedure now.
Generating a service provider in the management console via admin services.
Step 01:
Create a new SOAP project. For the initial WSDL, paste the WSDL URL of IdentityApplicationManagementService.
https://localhost:9443/services/IdentityApplicationManagementService?wsdl
Step 02:
Send a request to createApplication().
Sample request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://model.common.application.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:createApplication>
<xsd:serviceProvider>
<xsd1:applicationName>sampleapp2</xsd1:applicationName>
</xsd:serviceProvider>
</xsd:createApplication>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:createApplicationResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:createApplicationResponse>
</soapenv:Body>
</soapenv:Envelope>
Step 03:
Navigate to the previously created SOAP project for OAuthAdminService and send a request to the registerOAuthApplicationData() service method.
Look carefully at the sample request given below and replace the application name, consumer key, consumer secret, grant types and callback URL to match your needs. Unlike the first example, the consumer key and secret are supplied by you here rather than generated by the server, so generate the secret with a cryptographically secure random generator rather than choosing a memorable string, and keep the request body out of logs.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:registerOAuthApplicationData>
<!--Optional:-->
<xsd:application>
<!--Optional:-->
<xsd1:OAuthVersion>OAuth-2.0</xsd1:OAuthVersion>
<!--Optional:-->
<xsd1:applicationName>sampleapp3</xsd1:applicationName>
<!--Optional:-->
<xsd1:callbackUrl>http://localhost.com:8080/pickup-manager2/oauth2client</xsd1:callbackUrl>
<!--Optional:-->
<xsd1:grantTypes>refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer implicit password client_credentials iwa:ntlm authorization_code</xsd1:grantTypes>
<!--Optional:-->
<xsd1:oauthConsumerKey>e3dpZnRhcHA=</xsd1:oauthConsumerKey>
<!--Optional:-->
<xsd1:oauthConsumerSecret>e3dpZnRhcHAxMjM=</xsd1:oauthConsumerSecret>
<!--Optional:-->
<xsd1:pkceMandatory>false</xsd1:pkceMandatory>
</xsd:application>
</xsd:registerOAuthApplicationData>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:registerOAuthApplicationDataResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:registerOAuthApplicationDataResponse>
</soapenv:Body>
</soapenv:Envelope>
Step 04:
Navigate again to IdentityApplicationManagementService SOAP project and call getApplication().
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getApplication>
<!--Optional:-->
<xsd:applicationName>sampleapp2</xsd:applicationName>
</xsd:getApplication>
</soapenv:Body>
</soapenv:Envelope>
The response contains the application ID. Note it down; it is needed in the next step.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getApplicationResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:type="ax2171:ServiceProvider" xmlns:ax2171="http://model.common.application.identity.carbon.wso2.org/xsd" xmlns:ax2169="http://common.application.identity.carbon.wso2.org/xsd" xmlns:ax2172="http://script.model.common.application.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2171:applicationID>7</ax2171:applicationID>
<ax2171:applicationName>sampleapp2</ax2171:applicationName>
<ax2171:certificateContent xsi:nil="true"/>
<ax2171:claimConfig xsi:type="ax2171:ClaimConfig">
<ax2171:alwaysSendMappedLocalSubjectId>false</ax2171:alwaysSendMappedLocalSubjectId>
<ax2171:localClaimDialect>true</ax2171:localClaimDialect>
<ax2171:roleClaimURI xsi:nil="true"/>
<ax2171:userClaimURI xsi:nil="true"/>
</ax2171:claimConfig>
<ax2171:description xsi:nil="true"/>
<ax2171:inboundAuthenticationConfig xsi:type="ax2171:InboundAuthenticationConfig"/>
<ax2171:inboundProvisioningConfig xsi:type="ax2171:InboundProvisioningConfig">
<ax2171:dumbMode>false</ax2171:dumbMode>
<ax2171:provisioningEnabled>false</ax2171:provisioningEnabled>
<ax2171:provisioningUserStore xsi:nil="true"/>
</ax2171:inboundProvisioningConfig>
<ax2171:localAndOutBoundAuthenticationConfig xsi:type="ax2171:LocalAndOutboundAuthenticationConfig">
<ax2171:alwaysSendBackAuthenticatedListOfIdPs>false</ax2171:alwaysSendBackAuthenticatedListOfIdPs>
<ax2171:authenticationScriptConfig xsi:nil="true"/>
<ax2171:authenticationStepForAttributes xsi:nil="true"/>
<ax2171:authenticationStepForSubject xsi:nil="true"/>
<ax2171:authenticationType>default</ax2171:authenticationType>
<ax2171:enableAuthorization>false</ax2171:enableAuthorization>
<ax2171:subjectClaimUri xsi:nil="true"/>
<ax2171:useTenantDomainInLocalSubjectIdentifier>false</ax2171:useTenantDomainInLocalSubjectIdentifier>
<ax2171:useUserstoreDomainInLocalSubjectIdentifier>false</ax2171:useUserstoreDomainInLocalSubjectIdentifier>
<ax2171:useUserstoreDomainInRoles>true</ax2171:useUserstoreDomainInRoles>
</ax2171:localAndOutBoundAuthenticationConfig>
<ax2171:outboundProvisioningConfig xsi:type="ax2171:OutboundProvisioningConfig">
<ax2171:provisionByRoleList xsi:nil="true"/>
</ax2171:outboundProvisioningConfig>
<ax2171:owner xsi:type="ax2171:User">
<ax2171:tenantDomain>carbon.super</ax2171:tenantDomain>
<ax2171:userName>admin</ax2171:userName>
<ax2171:userStoreDomain>PRIMARY</ax2171:userStoreDomain>
</ax2171:owner>
<ax2171:permissionAndRoleConfig xsi:type="ax2171:PermissionsAndRoleConfig"/>
<ax2171:saasApp>false</ax2171:saasApp>
<ax2171:spProperties xsi:type="ax2171:ServiceProviderProperty">
<ax2171:displayName>DOMAIN_IN_ROLES</ax2171:displayName>
<ax2171:name>USE_DOMAIN_IN_ROLES</ax2171:name>
<ax2171:value>true</ax2171:value>
</ax2171:spProperties>
</ns:return>
</ns:getApplicationResponse>
</soapenv:Body>
</soapenv:Envelope>
Step 05:
Call updateApplication().
In the sample request below, replace the application ID, application name and any other properties to match your requirements. inboundAuthKey is the OAuth consumer key, and the consumer secret is carried as the inboundAuthenticationRequestConfigs property named oauthConsumerSecret, so this request contains the client secret in clear text and deserves the same care as the credentials themselves. Keep the elements in the order shown, which is the order the WSDL declares them in.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://model.common.application.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:updateApplication>
<!--Optional:-->
<xsd:serviceProvider>
<!--Optional:-->
<xsd1:applicationID>7</xsd1:applicationID>
<!--Optional:-->
<xsd1:applicationName>sampleapp2</xsd1:applicationName>
<!--Optional:-->
<xsd1:claimConfig>
<!--Optional:-->
<xsd1:alwaysSendMappedLocalSubjectId>false</xsd1:alwaysSendMappedLocalSubjectId>
<!--Optional:-->
<xsd1:localClaimDialect>true</xsd1:localClaimDialect>
</xsd1:claimConfig>
<!--Optional:-->
<xsd1:description>sample service provider to demo admin services</xsd1:description>
<!--Optional:-->
<xsd1:inboundAuthenticationConfig>
<!--Zero or more repetitions:-->
<xsd1:inboundAuthenticationRequestConfigs>
<!--Optional:-->
<xsd1:inboundAuthKey>e3dpZnRhcHA=</xsd1:inboundAuthKey>
<!--Optional:-->
<xsd1:inboundAuthType>oauth2</xsd1:inboundAuthType>
<!--Zero or more repetitions:-->
<xsd1:properties>
<!--Optional:-->
<xsd1:advanced>false</xsd1:advanced>
<!--Optional:-->
<xsd1:confidential>false</xsd1:confidential>
<!--Optional:-->
<xsd1:defaultValue></xsd1:defaultValue>
<!--Optional:-->
<xsd1:description></xsd1:description>
<!--Optional:-->
<xsd1:displayName></xsd1:displayName>
<!--Optional:-->
<xsd1:name>oauthConsumerSecret</xsd1:name>
<!--Optional:-->
<xsd1:required>false</xsd1:required>
<!--Optional:-->
<xsd1:type></xsd1:type>
<!--Optional:-->
<xsd1:value>e3dpZnRhcHAxMjM=</xsd1:value>
</xsd1:properties>
</xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
<!--Optional:-->
<xsd1:inboundProvisioningConfig>
<!--Optional:-->
<xsd1:provisioningEnabled>false</xsd1:provisioningEnabled>
<!--Optional:-->
<xsd1:provisioningUserStore>PRIMARY</xsd1:provisioningUserStore>
</xsd1:inboundProvisioningConfig>
<!--Optional:-->
<xsd1:localAndOutBoundAuthenticationConfig>
<!--Optional:-->
<xsd1:alwaysSendBackAuthenticatedListOfIdPs>false</xsd1:alwaysSendBackAuthenticatedListOfIdPs>
<!--Optional:-->
<xsd1:authenticationStepForAttributes></xsd1:authenticationStepForAttributes>
<!--Optional:-->
<xsd1:authenticationStepForSubject></xsd1:authenticationStepForSubject>
<xsd1:authenticationType>default</xsd1:authenticationType>
<!--Optional:-->
<xsd1:subjectClaimUri>http://wso2.org/claims/lastname</xsd1:subjectClaimUri>
</xsd1:localAndOutBoundAuthenticationConfig>
<!--Optional:-->
<xsd1:outboundProvisioningConfig>
<!--Zero or more repetitions:-->
<xsd1:provisionByRoleList></xsd1:provisionByRoleList>
</xsd1:outboundProvisioningConfig>
<!--Optional:-->
<xsd1:permissionAndRoleConfig></xsd1:permissionAndRoleConfig>
<!--Optional:-->
<xsd1:saasApp>false</xsd1:saasApp>
</xsd:serviceProvider>
</xsd:updateApplication>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:updateApplicationResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:updateApplicationResponse>
</soapenv:Body>
</soapenv:Envelope>
Now if you log into the management console and view the list of service providers, you will be able to see ‘sampleapp2’ service provider with OAuth/OpenID Connect configuration :)
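The sequence above (createApplication, registerOAuthApplicationData, getApplication, updateApplication) is the kind of thing you end up scripting for repeatable environments. The Python below is an added example, not code from the original post or from WSO2 Identity Server. The element names and their order follow the SOAP samples on this page, while the transport details (HTTP Basic auth, a text/xml Content-Type and a SOAPAction of urn:<operation>) are my assumptions about how the Axis2 admin services are invoked. The embedded getApplication response is a trimmed copy of the one shown above. Only the envelope builders and the parser run offline; soap_call() and link_oauth_app_to_sp() need a running server and a CA bundle that trusts its certificate.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces taken from the SOAP samples on the page.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS_NS = "http://org.apache.axis2/xsd"
SP_NS = "http://model.common.application.identity.carbon.wso2.org/xsd"
OAUTH_NS = "http://dto.oauth.identity.carbon.wso2.org/xsd"


def _envelope(body):
    """SOAP 1.1 envelope; xsd1 = service-provider model, oa = OAuth DTO namespace."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:xsd="{AXIS_NS}" '
            f'xmlns:xsd1="{SP_NS}" xmlns:oa="{OAUTH_NS}"><soapenv:Header/>'
            f"<soapenv:Body>{body}</soapenv:Body></soapenv:Envelope>")


# Child elements are emitted in the order the page's samples show (the WSDL sequence order).
def build_create_application(name):
    return _envelope("<xsd:createApplication><xsd:serviceProvider>"
                     f"<xsd1:applicationName>{escape(name)}</xsd1:applicationName>"
                     "</xsd:serviceProvider></xsd:createApplication>")


def build_register_oauth_app(name, callback, grants, key, secret, pkce_mandatory=True):
    return _envelope(
        "<xsd:registerOAuthApplicationData><xsd:application>"
        "<oa:OAuthVersion>OAuth-2.0</oa:OAuthVersion>"
        f"<oa:applicationName>{escape(name)}</oa:applicationName>"
        f"<oa:callbackUrl>{escape(callback)}</oa:callbackUrl>"
        f"<oa:grantTypes>{escape(' '.join(grants))}</oa:grantTypes>"
        f"<oa:oauthConsumerKey>{escape(key)}</oa:oauthConsumerKey>"
        f"<oa:oauthConsumerSecret>{escape(secret)}</oa:oauthConsumerSecret>"
        f"<oa:pkceMandatory>{str(pkce_mandatory).lower()}</oa:pkceMandatory>"
        "</xsd:application></xsd:registerOAuthApplicationData>")


def build_get_application(name):
    return _envelope("<xsd:getApplication>"
                     f"<xsd:applicationName>{escape(name)}</xsd:applicationName>"
                     "</xsd:getApplication>")


def parse_application_id(get_application_response):
    """Pull applicationID out of a getApplication response, ignoring namespace prefixes."""
    el = ET.fromstring(get_application_response).find(".//{*}applicationID")
    if el is None or not (el.text or "").strip():
        raise ValueError("getApplication response carries no applicationID")
    return int(el.text.strip())


def build_update_application(app_id, name, key, secret, description=""):
    """Attach the OAuth app to the SP: inboundAuthKey is the consumer key, the
    secret rides along as the property named oauthConsumerSecret."""
    return _envelope(
        "<xsd:updateApplication><xsd:serviceProvider>"
        f"<xsd1:applicationID>{int(app_id)}</xsd1:applicationID>"
        f"<xsd1:applicationName>{escape(name)}</xsd1:applicationName>"
        f"<xsd1:description>{escape(description)}</xsd1:description>"
        "<xsd1:inboundAuthenticationConfig><xsd1:inboundAuthenticationRequestConfigs>"
        f"<xsd1:inboundAuthKey>{escape(key)}</xsd1:inboundAuthKey>"
        "<xsd1:inboundAuthType>oauth2</xsd1:inboundAuthType>"
        "<xsd1:properties><xsd1:name>oauthConsumerSecret</xsd1:name>"
        f"<xsd1:value>{escape(secret)}</xsd1:value></xsd1:properties>"
        "</xsd1:inboundAuthenticationRequestConfigs></xsd1:inboundAuthenticationConfig>"
        "<xsd1:localAndOutBoundAuthenticationConfig>"
        "<xsd1:authenticationType>default</xsd1:authenticationType>"
        "</xsd1:localAndOutBoundAuthenticationConfig>"
        "</xsd:serviceProvider></xsd:updateApplication>")


def soap_call(base_url, service, operation, envelope, username, password, ca_file):
    """POST one admin-service request over verified TLS with HTTP Basic auth.
    The SOAPAction value "urn:<operation>" is an assumption about the Axis2 services."""
    ctx = ssl.create_default_context(cafile=ca_file)  # never disable verification here
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/services/{service}", data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f"urn:{operation}",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def link_oauth_app_to_sp(base_url, name, callback, grants, key, secret, auth, ca_file):
    """The page's four-call sequence; returns the service provider's applicationID."""
    user, pw = auth
    sp, oauth = "IdentityApplicationManagementService", "OAuthAdminService"
    soap_call(base_url, sp, "createApplication", build_create_application(name), user, pw, ca_file)
    soap_call(base_url, oauth, "registerOAuthApplicationData",
              build_register_oauth_app(name, callback, grants, key, secret), user, pw, ca_file)
    app_id = parse_application_id(
        soap_call(base_url, sp, "getApplication", build_get_application(name), user, pw, ca_file))
    soap_call(base_url, sp, "updateApplication",
              build_update_application(app_id, name, key, secret), user, pw, ca_file)
    return app_id


# Trimmed copy of the getApplication response shown on the page.
SAMPLE_GET_APPLICATION_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><ns:getApplicationResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xmlns:ax2171="http://model.common.application.identity.carbon.wso2.org/xsd">
<ax2171:applicationID>7</ax2171:applicationID>
<ax2171:applicationName>sampleapp2</ax2171:applicationName>
</ns:return></ns:getApplicationResponse></soapenv:Body></soapenv:Envelope>"""
```

A call such as link_oauth_app_to_sp("https://localhost:9443", "sampleapp2", "https://app.example.com/cb", ["authorization_code", "refresh_token"], key, secret, ("admin", password), "/path/to/ca.pem") performs the whole procedure; the values are escaped before being placed in the envelope so an application name or callback containing & or < cannot alter the request structure.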
I’ve shown how to configure OAuth/OpenID Connect in a service provider application. Find more about other configurations such as using WS-Federation and SAML2 here.