Breaking Down Barriers: How to Federate between Asgardeo Organizations

Tharmakulasingham Inthirakumaaran
5 min read · Mar 27, 2023

This article will provide a step-by-step guide on how to federate the identities of business users from one Asgardeo organization to another. This is a common use case on the Asgardeo platform, where a business may require multiple Asgardeo organizations to manage its customers, employees, partners, suppliers, and other entities. In such cases, the business may need to invite users from different organizations to use its services.

To illustrate this scenario, let’s consider a hypothetical case where a business has two Asgardeo organizations: one to manage its customers (which we’ll call ‘MyCustomerOrg’) and another to manage its employees (which we’ll call ‘MyEmployeeOrg’). However, the business has general applications that both employees and customers can use, which presents a challenge that can be solved using federation.

In this article, we’ll explain how to federate the identities of users from MyCustomerOrg and MyEmployeeOrg so that they can use the same applications seamlessly.

Overall, we are going to describe two approaches here:

  1. Trying out standard federation
  2. Trying out federation using an advanced adaptive script to improve user experience

Overview of the solution

Scenario Background

Architecture block diagram

Here the customer application (App) is registered in MyCustomerOrg and has a sign-in method (connection) that federates to MyEmployeeOrg, so that business users in that organization can log in to this application (App).

In MyEmployeeOrg, there is an application (App2) that facilitates this federation. We can make use of this application to customize the sign-in methods for MyEmployeeOrg.

Trying out standard federation

This section explains how you can enable access for both customers and employees managed in two Asgardeo organizations via a typical federation scenario from one Asgardeo organization to another.

Instructions

  1. Create a Standard-Based OIDC application in MyEmployeeOrg (App2 in the architecture diagram above)
  • We can consider this an internal application that facilitates the federation from MyEmployeeOrg to MyCustomerOrg
  • Use the “Standard-Based Application” template
    - We are going to use the OIDC protocol with the authorization code grant type
    - So select OIDC in the first step and give the application a proper name, e.g. MyCustomerOrgFIdp or SecondaryIDP

Make the following modifications in the created application:

  - In the protocol section,
    — select the code grant type
    — in the Authorized redirect URLs field, add the following URL

https://api.asgardeo.io/t/{MyCustomerOrg-name}/commonauth

    — update the application

  - Now note down the client ID and client secret.

2. Create a connection in MyCustomerOrg

  • This lets us offer the federation as a login option in the customer application
  • Use the “Standard-Based Identity Provider” template to create the connection. Here,

  — 1st step → Add a suitable name, e.g. asgardeoFidp
  — 2nd step → Fill in the following information from the details we collected in the previous step

Client ID → from the previous step
Client secret → from the previous step
Authorization endpoint URL → https://api.asgardeo.io/t/{MyEmployeeOrg-name}/oauth2/authorize
Token endpoint URL → https://api.asgardeo.io/t/{MyEmployeeOrg-name}/oauth2/token

  — 3rd step

JWKS endpoint URL → https://api.asgardeo.io/t/{MyEmployeeOrg-name}/oauth2/jwks

  — Finish the registration.

3. Go to the customer application in MyCustomerOrg (App in the architecture diagram above)

Note: If you don’t have an application, you can try out the React sample: https://wso2.com/asgardeo/docs/get-started/try-samples/qsg-spa-react/#run-the-sample

  • Go to the Sign-in Method section of the application
  • Click the “Start with default configuration” option
  • Add the FIdp as a sign-in method (click the “Add authentication” option in step 1)
  • Update the application

4. Run the customer application and go to the login page

  • You should see the FIdp login option there
  • If you click that option (Sign In With asgardeoFidp), you will be redirected to the login page of MyEmployeeOrg

Trying out federation using an advanced adaptive script to improve user experience

In this method, we will try to improve the user experience by removing the need to select a login method when logging in to the application. We will use the email domain of the username to decide, from the adaptive script, where to redirect the user (MyCustomerOrg or MyEmployeeOrg).

Here we will use a multi-step (MFA-style) flow with Identifier First as the first step to capture the username and decide on the second step (the IdP).

Instructions

  1. The first two steps are the same as in the “Trying out standard federation” approach
  2. In the 3rd step, start by going to the Sign-in Method section of the application
    - Remove “Username & Password” and “asgardeoFidp” (the connection we created in step 2)
    - Add the following steps

Step 1 → “Identifier First”
Step 2 → “asgardeoFidp” (which we created earlier) and “Username & Password”

3. Add the advanced adaptive script

  - Enable the “Conditional Authentication” option
  - Add the following script

  // Email domains whose users are federated to MyEmployeeOrg
  var fidpDomainList = ['employee.com', 'employee2.com'];

  var onLoginRequest = function(context) {
    // Step 1: Identifier First collects the username without pre-processing it
    executeStep(1, {
      authenticatorParams: {
        common: {
          'skipIdentifierPreProcess': "true"
        }
      },
    }, {
      onSuccess: function(context) {
        // Take the part of the username after the last '@' as the domain
        var username = context.steps[1].subject.username;
        var indexOfLastAt = username.lastIndexOf("@");
        var domain = username.substring(indexOfLastAt + 1);
        if (fidpDomainList.indexOf(domain) >= 0) {
          // Employee domain: step 2 is the federated connection to MyEmployeeOrg
          executeStep(2, {
            authenticationOptions: [{
              idp: 'asgardeoFidp'
            }]
          }, {});
        } else {
          // Anyone else: step 2 is the local username & password login in MyCustomerOrg
          executeStep(2, {
            authenticationOptions: [{
              authenticator: 'BasicAuthenticator'
            }]
          }, {});
        }
      }
    });
  };
  • Update the application

4. Run the customer application and go to the login page

Note: Based on the username entered in the Identifier First step, the next page will differ
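As an added example (not part of the article), here is the routing decision from the script above pulled into a pure function that can be unit-tested offline, together with the same onLoginRequest rewritten around it; it also normalises case and whitespace and falls back to the local login whenever the identifier carries no usable domain. The helper names are ours; executeStep and the context object belong to the Asgardeo script runtime exactly as used in the article's script.

```javascript
// Added example (not from the article): the domain-routing decision of the
// adaptive script extracted into a pure, unit-testable function. The domain
// list and the option names ('asgardeoFidp', 'BasicAuthenticator') follow the
// article; the helper names below are ours.
var fidpDomainList = ['employee.com', 'employee2.com'];

// Returns the lower-cased domain part of a username, or null when the
// identifier has no usable domain (no '@', or nothing after the last '@').
function domainOf(username) {
  if (typeof username !== 'string') {
    return null;
  }
  var trimmed = username.trim();
  var at = trimmed.lastIndexOf('@');
  if (at < 0 || at === trimmed.length - 1) {
    return null;
  }
  return trimmed.substring(at + 1).toLowerCase();
}

// Decides the step-2 authentication option: the federated IdP for listed
// employee domains, the local Username & Password authenticator otherwise.
// Malformed or unknown identifiers always fall back to the local login, so a
// typo can never route a user into the other organization by accident.
function chooseStepTwoOption(username, domains) {
  var list = (domains || fidpDomainList).map(function (d) {
    return d.toLowerCase();
  });
  var domain = domainOf(username);
  if (domain !== null && list.indexOf(domain) >= 0) {
    return { idp: 'asgardeoFidp' };
  }
  return { authenticator: 'BasicAuthenticator' };
}

// The article's onLoginRequest rewritten around the helper. executeStep is
// provided by the Asgardeo script runtime, so this function only runs there.
var onLoginRequest = function (context) {
  executeStep(1, {
    authenticatorParams: { common: { 'skipIdentifierPreProcess': 'true' } }
  }, {
    onSuccess: function (ctx) {
      var option = chooseStepTwoOption(ctx.steps[1].subject.username);
      executeStep(2, { authenticationOptions: [option] }, {});
    }
  });
};
```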

In conclusion, federating identities between Asgardeo organizations is a useful solution for businesses that require multiple organizations to manage different entities. By following the steps outlined in this article, businesses can establish a federation between their organizations and enable users to seamlessly access applications across different organizations.

This approach simplifies the user access process and improves collaboration between different entities, ultimately providing a better user experience. Hope this article helps!! Let me know if you have further questions.

Cheers!!!
