Configuring Asgardeo as an External IDP With Entgra MDM Using OIDC

Photo by Dan Nelson on Unsplash

Entgra MDM is a unified platform for developing, managing, and integrating Unified Endpoints (UEM), Enterprise Internet of Things (IoT), and Enterprise Mobility Management (EMM).

Asgardeo is an IDaaS developed by WSO2. It is a developer-friendly platform for managing user identities and access management seamlessly. This blog will explain the configurations that you need to do on Asgardeo and Entgra MDM.

What is an external IDP?

In a nutshell, an external identity provider is a service that manages and stores user identities. It provides authentication and authorization services to other applications and services. Although Entgra MDM has an in-built identity server that can leverage all identity and access management (IAM) related services, it also provides flexibility to developers as they can connect with external IDPs.

Configuring Asgardeo


First, create an Asgardeo account and the rest is easy. Use the following link to sign up.

Creating an organization

The concept of organization is something similar to the term tenant of WSO2 Identity Server. Create an organization by clicking on the dropdown menu on the top-left corner of the page.


This will prompt a simple form where we have to enter the name of the organization we are trying to create. (Note: the name may contain only lowercase alphabetic characters; digits, special characters and capital letters are not allowed.)


For the purposes of this blog, I’ve created an organization named “devorganization”. Once the organization is set, create a new OIDC application.

Creating a new OIDC application

Click “Develop” on the top menu of the Asgardeo console and it will take you to the following page.


Then click on the “New Application” button and choose “Standard-based application”.


Give a name to the application and make sure to choose OIDC as the protocol. Check “Management application” if the application needs to access any management APIs of the organization. Finally, click on “Register” to create the application.


Inside the application settings, go to protocols and update the grant types as follows:


Add https://localhost:9443/commonauth as the Authorized redirect URL. This is the URL to which Asgardeo will redirect after completing authentication.


Creating new custom user-attributes

When using external IDPs, although the users will be stored inside the external IDP, they might have to be provisioned inside Entgra MDM using just-in-time provisioning (JIT). Map attributes such as username, role, etc. with the local attributes. To create a new attribute, click “Manage” on the top menu and then navigate to the attributes section.


Click on “Attributes” and then proceed to “New attributes” to add a new attribute. Create a couple of attributes for username and role, namely the “asgardeo-username” and “asgardeo-role”.


After you create an attribute, you are redirected to its configuration page. Under this configuration, check the two options below and click on the update button to save the configuration.


These two configurations will display the attributes in the user profile and make them mandatory.

Configuring the scopes

Configure the scopes to map the above attributes against “openid” scope, so that these attributes will pass during JIT provisioning. Under the “Manage” section, click on “Scopes”.


Click the edit icon of the “Open ID” scope and then click the “New Attribute” button inside it to add an attribute to this scope.


Check the “Asgardeo Username” and “Asgardeo Role” attributes and click on the “Save” button.


Go to the created application and edit the user attributes as follows and click “Update” to save these changes:


Creating a new user account

You must then create a new user account to test the Asgardeo authentication flow. Under the “Manage” section, click on “Users” to view the user management page. Click on the “Add User” button to create a new user.


Create a new user by filling out the following fields along with a temporary password.


After creating the user account, go to the user’s profile and update the attributes that were created earlier and click on the “Update” button to save the changes.


Changing the subject claim of Asgardeo to username

By default, the User ID is set as the subject claim in Asgardeo. Entgra MDM will be looking for a username under the subject claim of the ID token. Therefore, we have to update the subject claim of Asgardeo using their management APIs. Invoke the following APIs using the cURL commands provided, in the given order, to change the subject claim.

Generate an access token using the client credentials of the application.

curl --location --request POST 'https://api.asgardeo.io/t/<organization_name>/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<client_secret>' \
--data-urlencode 'scope=internal_application_mgt_view internal_application_mgt_update'

Search for all the applications under the organization and find the application-ID of the application you have created.

curl --location --request GET 'https://api.asgardeo.io/t/<organization_name>/api/server/v1/applications' \
--header 'Authorization: Bearer <access_token>'

Retrieve the application details using the above application-ID.

curl --location --request GET 'https://api.asgardeo.io/t/<organization_name>/api/server/v1/applications/<application_id>' \
--header 'Authorization: Bearer <access_token>'

Patch the application by changing the sub-claim to asgardeo_username. Change the values of the claim mappings and requested claims, based on the response received in step 3.

curl --location --request PATCH 'https://api.asgardeo.io/t/<organization_name>/api/server/v1/applications/<application_id>' \
--header 'Authorization: Bearer <access_token>' \
--header 'Content-Type: application/json' \
--data-raw '{
   "claimConfiguration": {
       "dialect": "LOCAL",
       "claimMappings": [
           {
               "applicationClaim": "http://wso2.org/claims/asgardeo_username",
               "localClaim": {
                   "uri": "http://wso2.org/claims/asgardeo_username"
               }
           },
           {
               "applicationClaim": "http://wso2.org/claims/asgardeo_role",
               "localClaim": {
                   "uri": "http://wso2.org/claims/asgardeo_role"
               }
           }
       ],
       "requestedClaims": [
           {
               "claim": {
                   "uri": "http://wso2.org/claims/asgardeo_username"
               },
               "mandatory": true
           },
           {
               "claim": {
                   "uri": "http://wso2.org/claims/asgardeo_role"
               },
               "mandatory": true
           }
       ],
       "subject": {
           "claim": {
               "uri": "http://wso2.org/claims/asgardeo_username"
           },
           "includeUserDomain": false,
           "includeTenantDomain": false,
           "useMappedLocalSubject": false
       }
   }
}'
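The same four steps, automated so the final state can be verified before Entgra is pointed at the application. This is an added example, not code from the original post or from WSO2; it assumes the credentials are supplied via the environment variables ASG_ORG, ASG_CLIENT_ID, ASG_CLIENT_SECRET and ASG_APP_NAME, and that the list and detail responses carry the keys "applications", "id", "name" and "claimConfiguration" and the token response carries "access_token" (assumed from the WSO2 application management API, not shown on the page).

```python
import json
import os
import urllib.parse
import urllib.request

USERNAME_CLAIM = "http://wso2.org/claims/asgardeo_username"
ROLE_CLAIM = "http://wso2.org/claims/asgardeo_role"

def build_subject_claim_patch(subject_claim=USERNAME_CLAIM, extra_claims=(ROLE_CLAIM,)):
    """Step 4 body: map each claim to itself, request each as mandatory, set the sub claim."""
    claims = [subject_claim, *extra_claims]
    return {"claimConfiguration": {
        "dialect": "LOCAL",
        "claimMappings": [{"applicationClaim": c, "localClaim": {"uri": c}} for c in claims],
        "requestedClaims": [{"claim": {"uri": c}, "mandatory": True} for c in claims],
        "subject": {"claim": {"uri": subject_claim}, "includeUserDomain": False,
                    "includeTenantDomain": False, "useMappedLocalSubject": False}}}

def find_application_id(listing, name):
    """Step 2: exactly one 'applications' entry must carry our name (response keys assumed)."""
    ids = [a["id"] for a in listing.get("applications", []) if a.get("name") == name]
    if len(ids) != 1:
        raise LookupError(f"expected one application named {name!r}, found {len(ids)}")
    return ids[0]

def call(method, url, body=None, headers=None):
    # JSON-over-HTTPS helper: dicts are serialised, bytes sent as-is, an empty reply gives None.
    data = body if body is None or isinstance(body, bytes) else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    raw = urllib.request.urlopen(req, timeout=30).read()
    return json.loads(raw) if raw else None

def main():
    # Secrets come from the environment rather than being pasted into a shell history.
    org, cid, secret, app_name = (os.environ[k] for k in
                                  ("ASG_ORG", "ASG_CLIENT_ID", "ASG_CLIENT_SECRET", "ASG_APP_NAME"))
    base = f"https://api.asgardeo.io/t/{org}"
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": cid, "client_secret": secret,
                                   "scope": "internal_application_mgt_view internal_application_mgt_update"}).encode()
    token = call("POST", f"{base}/oauth2/token", form, {"Content-Type": "application/x-www-form-urlencoded"})
    auth = {"Authorization": f"Bearer {token['access_token']}", "Content-Type": "application/json"}
    app_url = f"{base}/api/server/v1/applications/" + find_application_id(
        call("GET", f"{base}/api/server/v1/applications", headers=auth), app_name)
    call("PATCH", app_url, build_subject_claim_patch(), auth)
    # Re-read the application (step 3's GET) to confirm the sub claim really changed.
    current = call("GET", app_url, headers=auth)["claimConfiguration"]["subject"]["claim"]["uri"]
    if current != USERNAME_CLAIM:
        raise SystemExit(f"subject claim is still {current}")

if __name__ == "__main__":
    main()
```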

Configuring Entgra MDM

So far we have completed the Asgardeo configuration successfully. Now let’s move on to configuration of Entgra MDM.

Creating a new user role

To explore various features of Entgra’s web applications, a user might need certain permissions. You have to create a new role for that and assign a few permissions. Inside the carbon console, click on “Add” under the “Users and Roles” section and then click on “Add New Role”. Let’s create a role called “test-role” and then click “Next” to add permissions.


You can now see a permission tree with a list of permissions. Click on the “device-mgt” permission and it will choose the child permissions automatically.


Adding a new Identity Provider

Log into the carbon console of Entgra MDM via https://localhost:9443/carbon and click on “Add” under the Identity Providers section on the left vertical menu. You will see the following page and can configure the basic configuration as shown below:


Configure the “Claim Configuration” as shown below. Here we are mapping the Asgardeo Role attribute with our internal role claim.


Configure the “Role Configuration” as shown below. We are trying to map the “Asgardeo Role” attribute value against an internal role named “Internal/devicemgt-user” that is already configured inside the product.


Configure the “Federated Authenticators” as shown below. Replace the client-id and client-secret with your Asgardeo application’s credentials.


The endpoints are as follows:

Authorization Endpoint URL: https://api.asgardeo.io/t/devorganization/oauth2/authorize
Token Endpoint URL: https://api.asgardeo.io/t/devorganization/oauth2/token
Callback URL: https://localhost:9443/commonauth
Userinfo Endpoint URL: https://api.asgardeo.io/t/devorganization/oauth2/userinfo
Logout Endpoint URL: https://api.asgardeo.io/t/devorganization/oidc/logout
Additional Query Parameters: scope=openid

Configure the Just-in-Time provisioning to “Silent provisioning”.


Configuring Service Provider

Entgra MDM comes with multiple web applications. Each of these web applications has a service provider created inside the carbon console. To view the service providers, navigate to the Service Providers page. For the purposes of this tutorial, let’s configure Entgra’s Endpoint Management application with Asgardeo. Edit the Endpoint Management application’s service provider from the Service Providers page. If you can’t see the service provider, log in to the endpoint management application at least once through the following URL: https://localhost:9443/endpoint-mgt.

Under the service provider, change the Authentication type to “Federated Authentication” and choose “Asgardeo” as the identity provider.


Voila! We have now successfully configured an Entgra MDM application to SSO with Asgardeo IDaaS. You can now log in to the https://localhost:9443/endpoint-mgt application using Asgardeo.

I hope that you found this blog useful. If you have any questions, do reach out to us here.
