WSO2 OAuth2.0 SSO and LDAP

In our implementation of Indico we need to use SSO authentication. Therefore, I would like to use the WSO2 OAuth2 provider as the main authentication method and also need to use the LDAP protocol for identity providers for group and user information.
Can you please help me with how to configure it?
Thank you in advance.

That sounds a lot like you need to write your own flask-multipass auth/identity provider based on (read this as: by subclassing) the existing ones from flask-multipass.

The one we use at CERN atm is probably a good starting point since it does something very similar: You login with OAuth, but the only data retrieved using the OAuth token is the username. We then query LDAP using that username to get all the other data.

Since AFAIK none of us is familiar with “wos2”, we of course cannot provide much more help beyond basic guidance on how things work in general.


Thanks for your prompt reply. I already configured the OAuth provider and it returns a token that has user information after login. My question is about how I can use the group search functionality provided by LDAP with OAuth authentication.

Regards,

You need to configure the 'type': 'ldap' identity provider for this.

But it expects to get a string from the auth provider that uniquely identifies the user (usually the cn/uid) - and the oauth auth provider only passes you the token, which is why you need to implement a custom version of the oauth provider which doesn’t pass the token in the AuthInfo object but the actual cn/uid used later in the ldap lookup.


I don’t remember if it’s possible, but if all the authentication works fine, try adding ldap only as an identity provider without linking it to an auth provider. This may work to get user search and groups.


This will satisfy my requirement. The authentication works fine and OAuth returns the username as the unique identifier. Could you please share with me any configuration example that uses an identity provider without linking it to an auth provider.

Thanks

Just add it in the IDENTITY_PROVIDERS dict in indico.conf

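One way to lay this out in indico.conf, as an added example and not configuration from this thread or from the Indico project: the LDAP block is registered only under IDENTITY_PROVIDERS, and since no auth provider named `ldap` exists, flask-multipass never links it to a login, so it serves user and group search only. It assumes the OAuth auth provider configured earlier is named `oauth` and stays as it is; host names, DNs, the bind password and the helper `unlinked_identity_providers` are placeholders and assumptions of this example.

```python
# indico.conf fragment (constructed example). Keys inside _ldap_config are the
# flask-multipass LDAP provider settings; values are placeholders.
_ldap_config = {
    'uri': 'ldaps://ldap.example.org:636',   # placeholder; LDAPS, not plain ldap://
    'bind_dn': 'cn=indico-search,ou=service,dc=example,dc=org',  # read-only account
    'bind_password': 'CHANGE-ME',            # placeholder; load from a secret store
    'timeout': 30,
    'verify_cert': True,                     # keep on; silently accepting any cert is not a fix
    'page_size': 1000,
    # Must be the attribute holding the username your OAuth provider returns;
    # otherwise user and group lookups simply match nothing.
    'uid': 'uid',
    'user_base': 'ou=people,dc=example,dc=org',
    'user_filter': '(objectClass=person)',
    'gid': 'cn',
    'group_base': 'ou=groups,dc=example,dc=org',
    'group_filter': '(objectClass=groupOfNames)',
    'member_of_attr': 'memberOf',
    'ad_group_style': False,                 # True when groups live in Active Directory
}

# Stand-in for the OAuth auth provider already configured; nothing named 'ldap' here.
_existing_oauth_provider = {'type': 'oauth', 'title': 'WSO2 SSO'}
AUTH_PROVIDERS = {'oauth': _existing_oauth_provider}

IDENTITY_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        # LDAP attributes shown in search results for each user.
        'mapping': {'first_name': 'givenName', 'last_name': 'sn', 'email': 'mail'},
    },
}
# No PROVIDER_MAP entry is needed: with the map unset, an auth provider links
# only to the identity provider of the same name, and there is no 'ldap' login.


def unlinked_identity_providers(auth_providers, identity_providers, provider_map=None):
    """Names of identity providers that no auth provider links to (helper assumed
    for this example, mirroring the same-name rule described above)."""
    linked = set()
    for name in auth_providers:
        targets = (provider_map or {}).get(name, name)
        linked.update([targets] if isinstance(targets, str) else targets)
    return sorted(set(identity_providers) - linked)
```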

Thanks for your help. It does solve my problem!