Add federated login¶
WSO2 Identity Server lets you add and configure external Identity Providers (IdP) so that users can bring their identities in these external IdPs and log in to applications. Follow the guides below to learn how you can integrate the external IdP of your choice with WSO2 Identity Server.
Create a connection¶
You can register an external IdP in WSO2 Identity Server by creating a connection. WSO2 Identity Server supports a variety of connections for your convenience. Select your preferred connection and follow the guide to learn how to configure it.
Configure JIT provisioning¶
JIT user provisioning
When a user logs in with an external identity provider using the same email address registered in a local account, JIT-provisioning overrides the attributes of the local account with the attributes received from the external identity provider.
WSO2 Identity Server, by default, disables Just-In-Time (JIT) user provisioning for your external identity provider.
To enable JIT provisioning:
- On the WSO2 Identity Server Console, click Connections and select the relevant connection.
- Go to the Just-in-Time Provisioning tab of the selected connection.
- Check or uncheck the Just-in-Time (JIT) User Provisioning checkbox to enable or disable it.
- Click Update to save the changes.
Note
- Learn more about JIT provisioning configurations in configure JIT user provisioning.
- You can use the identity provider APIs to customize how attributes are synced between the external identity provider and WSO2 Identity Server.
Map groups with WSO2 Identity Server¶
Map local attributes to external attributes¶
Follow the steps below to map attributes of WSO2 Identity Server to those of a connection.
- On the WSO2 Identity Server Console, go to Connections.
- Select your connection and go to its Attributes tab.
- Click Add Attribute Mapping to add a new attribute mapping.
- Enter the External IdP Attribute of the connection and map it to the Groups attribute of WSO2 Identity Server.
- Click Add Attribute Mapping and then click Save.
- Click Update to save the changes.
Add required attributes for provisioning¶
When provisioning users from an external identity provider (IdP), you may want to include specific attributes in the user’s profile. Follow the steps below to define the required attributes and assign default values.
- On the WSO2 Identity Server Console, go to Connections.
- Select your connection and go to its Attributes tab.
- Under Provisioning Attributes Selection, click Add Attribute.
- Move the attributes that you want to include in the provisioned user's profile and click Save.
- Add a default value to the attribute. If the federated user lacks data for it, the system adds the default to the provisioned user's profile.
Add groups to connections¶
Follow the steps below to add the groups from your connection to WSO2 Identity Server:
- On the WSO2 Identity Server Console, go to Connections.
- Select your connection and go to its Groups tab.
- Click New Group and enter the group name. Be sure to enter the exact group name that will be returned from the connection.
- Click Finish to add the group information.
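The sections above describe three behaviours that interact at provisioning time: external attributes are renamed through the attribute mapping, a default value fills in only when the federated user supplies nothing, and groups from the connection are matched by their exact name. The following model, added here as an illustration and not WSO2 Identity Server code, shows those rules operating on one constructed login so you can see which local values end up overridden (the attribute names, group names, defaults and profiles are all constructed; whether a default replaces a value the local account already holds is not stated on this page, so this model treats a default as filling a gap only):

```python
"""Model of federated attribute mapping, default values and JIT override.

Added illustration of the behaviour described on this page; not WSO2
Identity Server code. All names and values are constructed.
"""

# External IdP attribute name -> local attribute name (constructed mapping).
ATTRIBUTE_MAPPINGS = {
    "mail": "email",
    "given_name": "givenName",
    "memberOf": "groups",
}

# Provisioning attributes with a configured default value (constructed).
PROVISIONING_DEFAULTS = {
    "country": "LK",
    "department": "unassigned",
}

# Groups registered under the connection's Groups tab (constructed).
REGISTERED_GROUPS = {"finance", "engineering"}


def map_external_attributes(external_attrs, mappings=ATTRIBUTE_MAPPINGS):
    """Keep only attributes that have a mapping, renamed to the local attribute."""
    return {mappings[k]: v for k, v in external_attrs.items() if k in mappings}


def match_groups(external_groups, registered=REGISTERED_GROUPS):
    """Exact, case-sensitive match: 'Engineering' from the IdP does not match 'engineering'."""
    matched = [g for g in external_groups if g in registered]
    unmatched = [g for g in external_groups if g not in registered]
    return matched, unmatched


def apply_provisioning_defaults(profile, defaults=PROVISIONING_DEFAULTS):
    """Add a default only where the profile still has no value for the attribute."""
    merged = dict(profile)
    for name, value in defaults.items():
        if not merged.get(name):
            merged[name] = value
    return merged


def jit_provision(local_profile, external_attrs):
    """Return (profile, overridden).

    Federated values replace local ones (the JIT override the page warns
    about); 'overridden' lists the local attributes whose value changed, which
    is what you would want in an audit log when reviewing attribute syncing.
    """
    incoming = map_external_attributes(external_attrs)
    if "groups" in incoming:
        incoming["groups"], _unmatched = match_groups(incoming["groups"])
    profile = dict(local_profile)
    overridden = []
    for name, value in incoming.items():
        if name in profile and profile[name] != value:
            overridden.append(name)
        profile[name] = value
    # Assumption of this model: defaults fill gaps, they do not replace existing values.
    return apply_provisioning_defaults(profile), overridden


if __name__ == "__main__":
    local = {"email": "ann@example.com", "givenName": "Anne", "department": "sales"}
    external = {"mail": "ann@example.com", "given_name": "Ann",
                "memberOf": ["finance", "Engineering"], "sn": "Lee"}
    print(jit_provision(local, external))
```

The `overridden` list is the part worth keeping in practice: because JIT provisioning replaces local attributes with whatever the external IdP asserts, logging which attributes changed on each federated login is the simplest way to notice an IdP that starts returning unexpected values.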
Configure home realm identifier¶
The home realm identifier is a unique value that identifies a connection when routing users directly to a specific external IdP during login. When a user initiates login, your application can include this identifier as the fidp query parameter in the authorization request, which causes WSO2 Identity Server to skip the login page and route the user directly to the specified external IdP.
To configure the home realm identifier:
- On the WSO2 Identity Server Console, click Connections and select the relevant connection.
- Go to the Advanced tab of the selected connection.
- Enter a unique identifier in the Home Realm Identifier field.
- Click Update to save the changes.
Once configured, use this identifier in your application's authorization request as follows:
https://<host_name>/t/<org_name>/oauth2/authorize?
response_type=code
&client_id=<client_id>
&redirect_uri=<redirect_uri>
&scope=openid
&fidp=<home_realm_identifier>
Note
When the fidp parameter is provided, WSO2 Identity Server bypasses the login page and directly initiates the authentication flow with the matching external IdP.
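Because the fidp parameter makes WSO2 Identity Server skip the login page, the application is the only place left to bind the request to the user's browser session before the redirect to the external IdP. The following helper, added here as an example and not code from the WSO2 documentation, builds the authorization request shown above with a state value and a PKCE code challenge added, and checks the state when the callback returns. The host, tenant path, client id and redirect URI are placeholders; the PKCE test vector is the one published in RFC 7636.

```python
"""Build the fidp authorization request and validate the callback.

Added example; not part of the WSO2 documentation. BASE_URL, CLIENT_ID and
REDIRECT_URI are placeholders for your own deployment.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://idp.example.com/t/carbon.super"   # placeholder host and tenant
CLIENT_ID = "<client_id>"                              # placeholder
REDIRECT_URI = "https://app.example.com/callback"      # placeholder


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_login_attempt():
    """Per-attempt secrets the app stores in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    return state, verifier


def build_authorize_url(home_realm_identifier, state, code_verifier=None,
                        base_url=BASE_URL, client_id=CLIENT_ID,
                        redirect_uri=REDIRECT_URI):
    """Authorization request that routes straight to the IdP named by fidp."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "fidp": home_realm_identifier,   # home realm identifier from the Advanced tab
        "state": state,                  # bound to the session; checked on return
    }
    if code_verifier is not None:
        params["code_challenge"] = pkce_challenge(code_verifier)
        params["code_challenge_method"] = "S256"
    return f"{base_url}/oauth2/authorize?{urlencode(params)}"


def query_params(url):
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_callback(callback_url, expected_state):
    """Return the authorization code only if the state matches; otherwise None."""
    params = query_params(callback_url)
    if not expected_state or params.get("state") != expected_state:
        return None
    return params.get("code")


if __name__ == "__main__":
    state, verifier = new_login_attempt()
    print(build_authorize_url("corp-idp", state, verifier))
```

A callback whose state does not match the stored value is rejected before the code is exchanged, which is the check that keeps a forged redirect from logging the browser into someone else's session.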
Delete a connection¶
Before you begin
If your connection has applications associated with it, you will not be able to delete the connection.
Before deleting such connections:
- Check the associated applications from the Connected Apps tab of the connection.
- Click on an application that uses the connection and you will be redirected to the Login Flow tab of the respective application.
- Remove the connection from the sign-in flow of the associated applications.
- Repeat steps 2 and 3 for all listed applications.
- Proceed to delete the connection.
To delete a connection: