Recommendation for integrating WSO2 API Manager, Identity Server and Shibboleth

What is the current, recommended way to setup a WSO2 API manager to use SSO against a Shibboleth IDP?

Our organization has an existing SSO infrastructure built around Shibboleth's IDP which we would like to integrate into our API Manager installation. Ideal Use Case:

  • User navigates to API Manager Store.
  • User is redirected to Shibboleth IDP Login page.
  • If one doesn't exist, an API Manager Account is created and assigned the Subscriber role.
  • User is returned to API Manager and logged in. "Signed-in-as:" renders a reasonable user name (ie not a GUID).

I'm aware that there is an included SAML2 authenticator component to the API Manager but it is limited in features; specifically it does not handle Encrypted Assertions, using specific attributes for username/display name, and automatic user creation.

I understand that we could write a custom authenticator, however we would rather avoid creating another code base that needs to be maintained and doesn't have community support. If a simpler solution cannot be determined then this will likely be what we do.

What I am currently investigating is delegating all user management for the API Manager to a WSO2 Identity Server. The IS would delegate authentication to Shibboleth and auto provision users before returning to the AM. The IS seems like it could address all of the issues mentioned above.

  1. Firstly, is this an appropriate strategy? If so, how is it recommended that the AM and IS be configured?
  2. Should the IS and AM both point to the same JDBC Database or should the AM point to the IS's LDAP server?
  3. Regarding the AM authenticator which is pointed to the IS, should I use SAML or OAuth, or is there a better/simpler one?

Shibboleth IDP v2.4 – SAML2 with Attribute Push preferred.
WSO2 API Manager v1.6.0
WSO2 Identity Server v5.0.0

Here are the results of my research, for anyone interested:

1) This is an appropriate strategy. The new features in the 5.0 release of Identity Server are mainly centered around this scenario. And the 1.7 release of AM also includes features to facilitate this setup. Finally I've heard from the developers that they intend to push this integration even further in the next few releases.

2) As of AM 1.6 there was a bug which made it almost required to share the same Primary JDBC user store. As of 1.7 it should be more open.
There does not seem to be a preference from the people at WSO2 between LDAP and JDBC (except that the default H2 DB is not designed for production environments), however if you are choosing between installing a DB or OpenLDAP for this, an LDAP server seems more suited to the choice.

3) It's best to use SAML for communicating between the two when the goal is to present the user with a UN/PW screen. When the goal is to login with pre-issued tokens then OAuth. The API Manager and IS use both protocols behind the scenes, but the answer to this particular question seems to be SAML. In the future WSO2 plans to expand the "Trusted IDP" feature of their products, which will streamline this process (and use SAML behind the scenes).
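Before wiring the IS (or a custom authenticator) to the Shibboleth IDP, it helps to confirm what the IDP actually pushes: whether the assertion arrives encrypted, which attributes are present for username/display name, and whether the NameID is transient (the GUID-like value the question wants to avoid in "Signed-in-as"). The following script is an added example, not code from the question, the answer or WSO2; the SAML response is constructed, the attribute OIDs are the standard ones for uid and displayName, and the script only inspects the message, it does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample response (signature omitted), shaped like an
# attribute-push IDP would send it: transient NameID plus uid/displayName.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID Format="%s">_9f3c2a7b</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
        <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % TRANSIENT


def inspect_response(xml_text):
    """Report whether the assertion is encrypted and which identity data is readable."""
    root = ET.fromstring(xml_text)
    info = {"encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
            "name_id": None, "name_id_format": None, "attributes": {}}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # only an EncryptedAssertion: nothing readable before decryption
        return info
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        info["name_id"], info["name_id_format"] = name_id.text, name_id.get("Format")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        info["attributes"][key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return info


def choose_username(info, preferred=("uid", "mail")):
    """Pick the value to provision as the AM username: a pushed attribute first,
    the NameID only when it is not transient (a transient NameID changes per
    session and would render as an opaque GUID-like string)."""
    for name in preferred:
        values = info["attributes"].get(name)
        if values:
            return values[0]
    if info["name_id"] and info["name_id_format"] != TRANSIENT:
        return info["name_id"]
    return None
```

Run `inspect_response` on a captured response from your own IDP to see which attribute names are available for the username and display-name mapping; if `encrypted` is true, the stock AM 1.6 SAML2 authenticator will not be able to read it.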
