Self-service approach¶
Self-service approach empowers organizations to take control of the onboarding process by enabling organizations to create their own organizations and onboard administrators. The root organization may facilitate this through a self-service portal built using the WSO2 Identity Server APIs.
The following guides explain how you may create a self-service portal for your business.
Prerequisite
Create an administrator role in the root organization that provides authorization for organization APIs. To share it with organizations, ensure that it is associated with the B2B application shared with the relavent organization.
Set up the self-service portal¶
Follow the steps below to set up the application that acts as the self-service portal.
-
Create a standard based application selecting OAuth2.0/OpenID Connect as the protocol.
-
Select the application, go to its Shared Access tab and select Share with all organizations.
-
Go to the Protocol tab of the application and enable the following grant types
- Client Credential
- Organization Switch
-
Click Update to save the changes.
Note
Take note of the application's Client ID and Client Secret which will be required later.
Get an access token¶
To invoke the required APIs, the self-service application should receive an access token. Follow the steps below to receive an access token.
-
Provide authorization for the self-service application to consume the necessary APIs. To do so,
-
On the WSO2 Identity Server Console, go to Applications and select your self-service application.
-
In its API Authorization tab, grant the application authorization to the following scopes.
API Category API Scopes Management API Organization Management API
/api/server/v1/organizations
- Create Organizations
- View Organizations
Organization API SCIM2 Roles API
/o/scim2/Roles
- Update Role
- View Role
Organization API Application Management API
/o/api/server/v1/applications
- View Application
Organization API SCIM2 Users API*
/o/scim2/Users
- Create User
- List Users
Management API SCIM2 Users API**
/scim2/Users
- Create User
- View User
Note
* Only required if your admins are maintained within the organization. ** Only required if your admins are maintained in the root organization.
-
-
Get an access token for the self-service application using the following command.
curl -X POST https://localhost:9443/oauth2/token \ -u '<client_id>:<client_secret>' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'grant_type=client_credentials&scope=internal_org_role_mgt_view internal_org_role_mgt_update internal_org_user_mgt_create internal_org_user_mgt_list internal_org_application_mgt_view internal_organization_view internal_organization_create internal_user_mgt_view internal_user_mgt_create'
Note
The access token expiration time is set to
3600
seconds by default. If you wish to modify this duration, you can do so in the Protocol section of the application.
Maintain organization admins¶
With self-service, you have the following two options to maintain administrators. Follow the appropriate guide that applies to your use case.
Maintain admins within the organization¶
By maintaining admins in the respective organizations, you can create an isolation between each organization as each admin is only authorized to manage a single organization. This approach is suitable when you want organizations to govern themselves with minimal interaction from the root organization. Additionally, this approach helps you maintain a separation between your B2C users (whose accounts exist in the root organization) and B2B users (whose accounts exist in the child organizations).
Warning
If a user wants to create multiple organizations, they will need to register a new account for each organization so that they will have separate identities for each organization.
To create and maintain admins in the organization:
-
Use the following command to check if the name of the organization you wish to create is available.
curl --location 'https://localhost:9443/api/server/v1/organizations/check-name' \ --header 'Authorization: Bearer <access token>' \ --header 'Content-Type: application/json' \ --data '{"name": "<organization name>"}'
Note
If the organization name is available for use, the response will be
"available": true
, or it will be"available": false
. -
If the required organization name is available for use, use the following command to create the organization.
curl --location 'https://localhost:9443/api/server/v1/organizations' \ --header 'Authorization: Bearer <access token>' \ --header 'Content-Type: application/json' \ --data '{"name": "<organization name>"}'
Note
Take note of the
id
parameter in the response. This is the ID of the organization and you will need it later. -
Get an access token for the created organization by exchanging the access token obtained for the root organization. Use credentials of the shared OAuth2 application to execute the command.
Note
Learn more about the organization switch grant.
curl -X POST https://localhost:9443/oauth2/token \ -u '<client_id>:<client_secret>' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'grant_type=organization_switch&token=<access token obtained for root organization>&switching_organization=<id of created organization>&scope=internal_org_role_mgt_view internal_org_role_mgt_update internal_org_user_mgt_create internal_org_user_mgt_list internal_org_application_mgt_view'
-
Create a user in the organization using the following command.
curl --location 'https://localhost:9443/o/scim2/Users' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer <token obtained in step 3>' \ --data-raw '{ "emails": [ { "primary": true, "value": "<customer-email>" } ], "name": { "familyName": "<customer-family-name>", "givenName": "<customer-given-name>" }, "userName": "<customer-username>", "urn:scim:wso2:schema": { "askPassword" : "true" } }'
Note
Take note of the
user-id
returned in the response of the above command. -
Use the following command to obtain the
id
of the administrator role associated with the B2B application.curl --location 'https://localhost:9443/o/scim2/v2/Roles?filter=displayName eq <admin-role-name> and audience.value eq <role-audience-value>' \ --header 'Accept: application/json' \ --header 'Authorization: Bearer <access-token-obtained-for-the-organization>'
Find admin-role-name and role-audience-value
Refer to the following details related to the administrator role:
admin-role-name Name of the administrator role associated with your B2B application. role-audience-value If the B2B application's audience is application
, provide the application id. You may use the following command to obtain the application id.curl --location 'https://localhost:9443/o/api/server/v1/applications?filter=name eq <B2B-application-name>' --header 'Authorization: Bearer <access-token-obtained-for-the-organization>'
If the B2B application's audience is
organization
, provide the organization id. Learn more about role audiences in manage roles. -
Assign the user created in step 4 to the administrator role of your B2B application by using the following command.
curl --location --request PATCH 'https://localhost:9443/o/scim2/v2/Roles/{admin-role-id}' \ --header 'Authorization: Bearer <access-token-obtained-for-the-organization>' \ --header 'Content-Type: application/json' \ --data '{ "Operations": [ { "op": "add", "path": "users", "value": [ { "value": "<user-id obtained from step 4>" } ] } ] }'
Maintain admins in the root organization¶
By maintaining organization admins in the root organization, you may enable organization admins to create and manage multiple organizations using a single identity. Organization admins are created and treated as a B2C user within the root organization.
Warning
Since your organization admins are created in the root organization, separating B2B and B2C users will be complex.
To create and maintain admins in the root organization:
-
Create a user in the root organization (root) using WSO2 Identity Server's SCIM APIs.
curl --location 'https://localhost:9443/scim2/Users' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer { access token }' \ --data-raw '{ "emails": [ { "primary": true, "value": "<customer-email>" } ], "name": { "familyName": "<customer-family-name>", "givenName": "<customer-given-name>" }, "userName": "<customer-username>", "urn:scim:wso2:schema": { "askPassword" : "true" } }'
Note
Take note of the
user-id
received in the response of the above command. -
Use the following command to check if the name of the organization you wish to create is available.
curl --location 'https://localhost:9443/api/server/v1/organizations/check-name' \ --header 'Authorization: Bearer <access token>' \ --header 'Content-Type: application/json' \ --data '{"name": "<organization name>"}'
Note
If the organization name is available for use, the response will be
"available": true
, else it will be"available": false
. -
If the required organization name is available for use, use the following command to create the organization and assign the user created in step 1 as the admin of that organization.
curl --location 'https://localhost:9443/api/server/v1/organizations' \ --header 'Authorization: Bearer <access token>' \ --header 'Content-Type: application/json' \ --data-raw '{ "name": "<organization name>", "attributes": [ { "key": "creator.id", "value": "<user-id obtained from step 1>" }, { "key": "creator.username", "value": "<username of the user created in step 1>" } ] }'
-
Get an access token for the created organization by exchanging the access token obtained for the root organization. Use credentials of the shared OAuth2 application to execute the command.
Note
Learn more about the organization switch grant.
curl -X POST https://localhost:9443/oauth2/token \ -u '<client_id>:<client_secret>' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'grant_type=organization_switch&token=<access token obtained for root organization>&switching_organization=<created organization id>&scope=internal_org_role_mgt_view internal_org_role_mgt_update internal_org_user_mgt_create internal_org_user_mgt_list internal_org_application_mgt_view'
-
A shadow user account is created in the new organization for the organization creator. Get the shadow account's user id using the following command.
curl --location 'https://localhost:9443/o/scim2/Users?filter=userName eq <username of the user created in step 1>' \ --header 'Authorization: Bearer <access-token-obtained-for-the-organization>' \ --header 'Content-Type: application/json'
-
Use the following command to obtain the
id
of the administrator role defined for your B2B application.curl --location 'https://localhost:9443/o/scim2/v2/Roles?filter=displayName eq <admin-role-name> and audience.value eq <role-audience-value>' \ --header 'Accept: application/json' \ --header 'Authorization: Bearer <access-token-obtained-for-the-organization>'
Find admin-role-name and role-audience-value
Refer to the following details related to the B2B application's administrator role:
admin-role-name Name of the administrator role associated with your B2B application. role-audience-value If the B2B application's audience is application
, provide the application id. You may use the following command to obtain the application id.curl --location 'https://localhost:9443/o/api/server/v1/applications?filter=name eq <B2B-application-name>' --header 'Authorization: Bearer <access-token-obtained-for-the-organization>'
If the B2B application's audience is
organization
, provide the organization id. Learn more about role audiences in manage roles. -
Assign the shadow account to the administrator role of your B2B application by using the following command.
curl --location --request PATCH 'https://localhost:9443/o/scim2/v2/Roles/<admin-role-id>' \ --header 'Authorization: Bearer <access-token-obtained-for-the-organization>' \ --header 'Content-Type: application/json' \ --data '{ "Operations": [ { "op": "add", "path": "users", "value": [ { "value": "<user-id obtained from step 4>" } ] } ] }'