
WSO2 - Identity Server and API Manager working together

I'm evaluating WSO2 Identity Server and WSO2 API Manager.

I registered an API and an application on API Manager. I can call the resources successfully.

I could also add a user into Identity Server and log into that using OAuth authentication.

But it's not too clear how I can use those two systems together. I would like to use API Manager to expose my APIs to some applications. And I would like to use Identity Server to log the final user. Is that possible? How can I "plug" those two systems?

I am not sure if that's the best way to do that, so please advise me.

Thanks

According to my understanding, your use case is that you need to expose the APIs securely. So you need to use WSO2 Identity Server and WSO2 API Manager. In addition to that, you need the best approach for the above use case. With the above two products we have the two options below.

  1. Configuring WSO2 Identity Server as the Key Manager in WSO2 API Manager (This link gives a different version combination of both products)

    Here we need to add the key manager feature to WSO2 IS.

  2. Configuring the Pre-Packaged Identity Server 5.0.0 with API Manager 1.9.0

Here, the 1st option has manual configurations. But the 2nd option minimizes the manual configuration.

The purpose of using the Identity Server is not too clear. Is it to separate the authentication/authorization from the API Manager instance?

By default, API Manager is shipped with a Key Management Server component that is responsible for all security and key related operations. This can be configured to authenticate users against a defined user store or multiple user stores. Authorization is based on OAuth 2.0. However, in a production deployment, we recommend that this component is deployed as a separate server instance so that it runs as an external Key Management Server.

This is done by simply using another copy of the API Manager distribution and configuring it as a Key Manager server node.

Hope this helps.

Regards, Gillian

My understanding is,

  • If you want to use WSO2 API Manager (AM) as an API gateway, you don't need a separate IS, as AM includes an IS engine with security mechanisms included, such as the key manager.
  • If you need single sign-on across all AM components, and you do NOT have another identity provider (IdP), you need a separate IS.

  • However, if you do have a separate IdP, you don't need to install an IS server to implement SSO for AM, although the documentation from IS may suggest you do so. For example, a successful SSO implementation has been done with PingFederate/PingIdentity. See How to integrate WSO2 API Manager (AM) 1.10.0 with PingFederate SAML 2.0?
