Hi Ajanthan,

Yes, that is correct. This config doesn't support directly pointing to 3rd
party IDPs. In the case of a 3rd party IDP, it needs to be configured as an
IDP from the management console of APIM or IS/KM and used as a
federated IDP. Still, the above config points to the APIM or IS/KM. Thank
you for the suggestion. We'll note that and reflect it in the documentation.

Thanks!

On Wed, Jan 8, 2020 at 4:07 AM Ajanthan Balachandran <[email protected]>
wrote:

> Hi Malintha,
>
> Based on my understanding, these configs are applicable only if WSO2 IS/KM
> is configured as the external IDP (if the external IDP is a 3rd party IDP,
> sending an authorization request with locally registered client details won't
> work). It was not apparent by looking at the configuration naming. In that
> case, we need to document it, or better, the config name should
> reflect that fact; otherwise, it will confuse users.
>
> Thanks,
> Ajanthan.
>
> On Mon, Jan 6, 2020 at 10:50 PM Malintha Amarasinghe <[email protected]>
> wrote:
>
>> Hi,
>>
>> Currently, we do not support $subject and we always use the local IDP as
>> the login/logout URLs (/authorize and /oidc/logout). In normal cases, this
>> works without issues. But when it comes to configuring federated login with
>> Facebook, Google etc., it is required to use IS (IS as KM) as the
>> intermediate IDP, which has the required authenticators to support
>> Facebook/Google logins. In those cases, we need to point the local IDP to
>> the IS/KM and the IS/KM points to Facebook as a federated login. But this
>> flow has one unnecessary additional hop caused by the local IDP.
>>
>> As a solution, we plan to support externalizing the IDP URL (used for
>> /authorize and /oidc/logout).
>>
>> The plan is to introduce new configs as below:
>>
>> *api-manager.xml*
>>
>> {% if apim.idp is defined %}
>> <IdentityProvider>
>>     <!-- Server URL of the Identity Provider used for login/logout
>>          operations in API Publisher and API Developer Portal -->
>>     <AuthorizeEndpoint>{{apim.idp.authorize_endpoint}}</AuthorizeEndpoint>
>>     <OIDCLogoutEndpoint>{{apim.idp.oidc_logout_endpoint}}</OIDCLogoutEndpoint>
>> </IdentityProvider>
>> {% endif %}
>>
>> *deployment.toml*
>>
>> #[apim.idp]
>> #authorize_endpoint = "https://localhost:9444/oauth2/authorize"
>> #oidc_logout_endpoint = "https://localhost:9444/oidc/logout"
>>
>> By default, the server will use the local IDP for login/logout. Only if
>> the above URLs are configured will they be used instead of the default
>> ones.
>>
>> Thoughts are highly appreciated.
>>
>> Thanks!
>> Malintha
>>
>> --
>> Malintha Amarasinghe
>> *WSO2, Inc. - lean | enterprise | middleware*
>> http://wso2.com/
>>
>> Mobile : +94 712383306
>>
>
>
> --
>
> Ajanthan
> Senior Lead Solutions Engineer;
> WSO2, Inc.;  http://wso2.com/
>
> email: ajanthan@wso2.com; cell: +1 425 919 8630
> blog: http://bkayts.blogspot.com/
>
> Lean . Enterprise . Middleware
>


-- 
Malintha Amarasinghe
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/

Mobile : +94 712383306
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture