You can follow the below steps to set up SSO with Asgardeo in APIM.
Asgardeo Console Configurations
- Create OIDC Application in Asgardeo console. Allow Authorization Code(Code) grant and add “https://localhost:9443/commonauth” as Authorized Redirect URL if you are testing with local setup and if APIM is running on port 9443.
- Create custom attributes called “asgardeo_role”,”asgardeo_users” and add them to the OpenID Scope.
- Update the below values from the “asgardeo_role”,”asgardeo_users” attributes configuration pages.
- Select Display this attribute on the user's profile to add this attribute to the user profile
- Select Make this attribute required on the user's profile to make this attribute compulsory to fill.
- Go to the User Attributes section in the application configurations page and add the “asgardeo_role”, “asgardeo_user” attributes and make them mandatory.
- Currently, the subject claim of the ID token will be the User ID(UUID) and APIM will take this as the user name. If you want to change the subject claim you can do it using Application Management API. Currently, there is no option to update the subject claim from the Asgardeo console.
- Import this postman collection and update the organization name in the collection variables.
- To invoke Application Management API, need to get an access token via client_credentials grant. Update the Asgardeo Application’s client_id, client_secret values in the token request.
- Get the application id from the GET ALL Applications request and update the subject claim using the PATCH request in the collection. (Make sure to add the additional claims to the request body if you have any). Here update the subject claim to “asgardeo_user”.
Note: If you don’t change the subject claim, need to change the policy from the deployment.toml file to match the UUID.
- Go to Users account(account needs to be a customer account ) and specify the “asgardeo_role” attribute value as “APIM”. Also, specify a unique value to the “asgardeo_user” attribute. Here you can have any value as you want and you need to use this exact same value when configuring Asgardeo as IdP in APIM.
- To configure Asgardeo as an IdP, go to the identity providers section using Management Console and add a new Identity Provider.
- Configure Below fields
* Identity Provider's JWKS Endpoint: https://api.asgardeo.io/t/<org_name>/oauth2/jwks
* Alias: Audience value of the ID token received from the Asgardeo
* Identity Provider's Issuer Name : https://api.asgardeo.io/t/<org_name>/oauth2/token
- Go to the Federated Authenticators section and add OAuth2/OpenID Connect configurations. You can find the endpoint details from the Info section on your Asgardeo application page.
Authorization Endpoint URL:*
Token Endpoint URL:*
Userinfo Endpoint URL
Logout Endpoint URL
OpenID Connect User ID Location:
User ID found among claims
Additional Query Parameters:
- Enable JIT Provisioning and select Provision Silently
- Go to Role configuration and configure it as follows. Here I have used the same value that I have specified in the Asgardeo user claim. Here “asgardeo_role” is the Role that we need to create in the APIM Management console.
- Go to Claim Configurations and configure it as follows.
- Create a new role “asgardeo_role“ in the Management Console and add the below permissions.
- Governance - full permissions
- Govern - full permissions
- API - full permissions
- Go to Admin console and assign relevant scopes to the “asgardeo_role” Role. If you are trying to SSO to the Dev portal you need to select the below scopes. Likewise, you need to select the scopes that are required for other service providers(publisher portal, etc) as well. Otherwise, you can’t see the UI elements of that particular application.
- Go to service providers and select Asgardeo IdP as federated IdP from Outbound configurations for the “apim_devportal” service provider.
- Log in to the Dev portal application using Asgardeo. Here you need to have a Customer account to log in.
- To try out SSO flow, you can specify Asgardeo as Federated IdP for the Publisher portal. Here you need to add the publisher scopes to the “asgardeo_role” Role from the Admin Portal.