WSO2 EMM Agent configurations to enroll and manage devices
Table of Contents |
---|
...
Enable SSO in the following configuration files, under the
ssoConfiguration
section:config.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.store.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/config
directory.publisher.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config
directory.Code Block "enabled" : true,
Configure the Identity Provider (IdP) in the following configuration files, under the
ssoConfiguration
section:Tip For example, you can use the following steps to configure WSO2 Identity Server (IS) as an Identity Provider (IdP). For more information on configuring IS, see enabling SSO for WSO2 servers.
config.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.store.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/config
directory.publisher.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config
directory.
Localtabgroup Localtab active true title config.json Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag", "responseSigningEnabled" : "true", "keyStorePassword" : "wso2carbon", "identityAlias" : "wso2carbon", "keyStoreName" : "/repository/resources/security/wso2carbon.jks"
Localtab title store.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "storeAcs" : "%https.host%/store/acs", "keyStoreName": "/repository/resources/security/wso2carbon.jks"
Localtab title publisher.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "publisherAcs": "%https.host%/publisher/sso", "keyStoreName": "/repository/resources/security/wso2carbon.jks"
Expand title Click here for IdP related property definitions. The IdP related property definitions are as follows:
IdentityProviderURL
- Provide the URL that defines where the user should navigate when signing in.keyStorePassword
- Provide the Key Store password.identityAlias
- Provide the Key Store identity alias or username.keyStoreName
- Provide the Identity Providers (e.g., WSO2 IS) public key value.Info The
keyStorePassword
andidentityAlias
are defined under<KeyStore>
in thecarbon.xml
file, which is in the<EMM_HOME>/repository/conf
directory.Expand title Click here for to view the KeyStore attributes. Code Block <KeyStore> <!-- Keystore file location--> <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location> <!-- Keystore type (JKS/PKCS12 etc.)--> <Type>JKS</Type> <!-- Keystore password--> <Password>wso2carbon</Password> <!-- Private Key alias--> <KeyAlias>wso2carbon</KeyAlias> <!-- Private Key password--> <KeyPassword>wso2carbon</KeyPassword> </KeyStore>
storeAcs
- Provide the Assertion Consumer URL, which is the redirecting URL, for the Store.publisherAcs
- Provide the Assertion Consumer URL, which is the redirecting URL, for the Publisher.
Note By default, an Identity Provider (IdP) has been bundled with the EMM binary pack. If you wish to use this default IdP in EMM, modify the
host/ip
to the Server IP. If you wish to use your own IdP, modify thehost/ip
to your own IdP's host in the following files:Localtabgroup Localtab active true title config.json Update the
config.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag",
Localtab title store.json Update the
store.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/config
directory.Code Block "identityProviderURL": "%https.host%/samlsso",
Localtab title publisher.json Update the
publisher.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config
directory.Code Block "identityProviderURL": "%https.host%/samlsso",
Update the SSO related IDP configurations in the
sso-idp-config.xml
file, which is in the<EMM_HOME>/repository/conf/identity
directory, by updating all the entries that statelocalhost
to your IDP's IP address or domain.Code Block <ServiceProvider> <Issuer>mdm</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</DefaultAssertionConsumerServiceURL> <SignAssertion>true</SignAssertion> <SignResponse>true</SignResponse> <EnableAttributeProfile>false</EnableAttributeProfile> <IncludeAttributeByDefault>false</IncludeAttributeByDefault> <Claims> <Claim>http://wso2.org/claims/role</Claim> <Claim>http://wso2.org/claims/emailaddress</Claim> </Claims> <EnableSingleLogout>false</EnableSingleLogout> <SingleLogoutUrl /> <EnableAudienceRestriction>true</EnableAudienceRestriction> <EnableRecipients>true</EnableRecipients> <AudiencesList> <Audience>https://localhost:9443/oauth2/token</Audience> </AudiencesList> <RecipientList> <Recipient>https://localhost:9443/oauth2/token</Recipient> </RecipientList> <ConsumingServiceIndex /> </ServiceProvider> <ServiceProvider> <Issuer>store</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/store/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/store/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/store/login.jag</CustomLoginPage> </ServiceProvider> <ServiceProvider> <Issuer>social</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/social/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/social/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/social/login</CustomLoginPage> </ServiceProvider> <ServiceProvider> <Issuer>publisher</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/publisher/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/publisher/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/publisher/controllers/login.jag</CustomLoginPage> </ServiceProvider>
If you are running WSO2 EMM on a cluster setup or a virtual machine, you must configure the following fields under
<SSOConfiguration>
in theapp-manager.xml
file that is in the<EMM_HOME>/repository/conf
directory.IdentityProviderUrl
providerURL
Info - By default,
<EMM_HOST>
islocalhost.
However, if you are using a public IP, the respective IP address or domain needs to be specified. - By default,
<EMM_HTTPS_PORT>
has been set to 9443. However, if the port offset has been incremented byn
, the default port value needs to be incremented byn
.
Code Block <!-- AppManager uses SAML SSO as default authentication mechanism for the web apps. Following configuration defines the configurations of the IDP which is used as the SSO provider. --> <SSOConfiguration> <!-- URL of the IDP use for SSO --> <IdentityProviderUrl>https://<EMM_HOST>:<EMM_HTTPS_PORT>/samlsso</IdentityProviderUrl> <Configurators> <Configurator> <name>wso2is</name> <version>5.0.0</version> <providerClass>org.wso2.carbon.appmgt.impl.idp.sso.configurator.IS500SAMLSSOConfigurator</providerClass> <parameters> <providerURL>https://<EMM_HOST>:<EMM_HTTPS_PORT></providerURL> <username>admin</username> <password>admin</password> </parameters> </Configurator> </Configurators> </SSOConfiguration>
Enable authentication session persistence by uncommenting the following configuration in the
<EMM_HOME>/repository/conf/identity.xml
file, under theServer
andJDBCPersistenceManager
elements.Code Block <SessionDataPersist> <Enable>true</Enable> <RememberMePeriod>20160</RememberMePeriod> <CleanUp> <Enable>true</Enable> <Period>1440</Period> <TimeOut>20160</TimeOut> </CleanUp> <Temporary>false</Temporary> </SessionDataPersist>
Expand title Click here for more information on the configurations. Configuration element Description Enable
This enables the persistence of session data. Therefore, this must be configured to
true
if you wish to enable session persistence.RememberMePeriod
This is the time period (in minutes) that the remember me option should be valid. After this time period, the users are logged out even if they enable the remember me option. The default value for this configuration element is 2 weeks.
CleanUp
This section of the configuration is related to the cleaning up of session data. The cleanup task runs on a daily basis (once a day) by default unless otherwise configured in the
Period
tag. When this cleanup task is executed, it removes session data that is older than 2 weeks, unless otherwise specified in theTimeOut
tag.Enable
Selecting true here enables the cleanup task and ensures that it starts running. Period
This is the time period (in minutes) that the cleanup task would run. The default value is 1 day.
TimeOut
This is the timeout value (in minutes) of the session data that is removed by the cleanup task. The default value is 2 weeks.
Temporary
Setting this to
true
enables persistence of temporary caches that are created within an authentication request.
...
The WSO2 EMM administrators can monitor devices by accessing the portal dashboard. Before accessing the dashboard you need to configure the dashboard server to communicate with external OAUTH protected APIs that will be accessed by its gadgets.
Configure
<ServerRoles>
that is in the<EMM_HOME>/repository/conf/carbon.xml
file by adding theCDMFPlatform
role.Code Block <ServerRoles> <Role>EMMPlatform</Role> <Role>CDMFPlatform</Role> </ServerRoles>
Configure the
designer.json
file that is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/portal/configs
directory as follows:If you have enabled SSO for WSO2 EMM, you need to define
sso
as the value foractiveMethod
underauthorization
else, you can define theactiveMethod
asbasic
.Info For more information on enabling
sso
, see the WSO2 Dashboard Server documentation on Enabling SSO in WSO2 DS.Example:
Localtabgroup Localtab title Enabling SSO authentication Panel bgColor #ffffff Configure the following fields:
- Under
authentication
, define theactiveMethod
assso
. - Configure
responseSigningEnabled
as true. - Set the Assertion Consumer (ACS) URL as
https://<JAGGERY_APP_HOST>:<JAGGERY_APP_PORT>/portal/acs
. In WSO2 EMM the jaggery portal application is available in the product itself. Therefore, you can configure the<JAGGERY_APP_HOST>
as localhost and<JAGGERY_APP_PORT>
as 9443 if you have not port offset WSO2 EMM.
Example:
Code Block "authentication":{ "activeMethod":"sso", "methods":{ "sso":{ "attributes":{ "issuer":"portal", "identityProviderURL":"https://localhost:9443/samlsso", "responseSigningEnabled":"true", "acs":"https://localhost:9443/portal/acs", "identityAlias":"wso2carbon", "useTenantKey":false } }, "basic":{ "attributes":{ } } } }
Localtab title Enabling basic authentication Panel bgColor #ffffff Under
authentication
, define theactiveMethod
asbasic
.Code Block "authentication":{ "activeMethod":"basic", "methods":{ "sso":{ "attributes":{ "issuer":"portal", "identityProviderURL":"https://localhost:9443/samlsso", "responseSigningEnabled":"false", "acs":"https://localhost:9444/portal/acs", "identityAlias":"wso2carbon", "useTenantKey":false } }, "basic":{ "attributes":{ } } } }
- Under
Configure the
authorization
attributes.Code Block "authorization":{ "activeMethod":"oauth", "methods":{ "oauth":{ "attributes":{ "idPServer":"%https.ip%/oauth2/token", "dynamicClientProperties":{ "callbackUrl":"%https.ip%/portal", "clientName":"portal", "owner":"admin", "applicationType":"JaggeryApp", "grantType":"password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer", "saasApp":false, "dynamicClientRegistrationEndPoint":"%https.ip%/dynamic-client-web/register/", "tokenScope":"Production" } } } } }
Property Description Data
TypeExample activeMethod
Define the method that needs to be made active from the available authorization methods. In this case you need to define the active mode as OAuth. Yes String OAuth
idPServer
Define the Identity Provider URL by replacing %https.ip% with
https://<EMM_HOST>:<EMM_PORT>
.Info The default value for
<EMM_HOST>
is localhost and if you have not port offset WSO2 EMM, the default<EMM_PORT>
is9443
.Yes String localhost:9443/oauth2
/tokencallbackURL
Define the callback URL by replacing %https.ip% with the
https://<EMM_HOST>:<EMM_PORT>
.Info The default value for
<EMM_HOST>
is localhost and if you have not port offset WSO2 EMM, the default<EMM_PORT>
is9443
.Yes String localhost.9443/portal
clientName
Define the OAuth application name. Yes String portal
owner
Define the username of the owner of the application. Inthisusecaseit is the administrator. Yes String admin
applicationType
The default application type is a jaggery application. If you wish to change it, you need to update this field with the respective application type. Yes String JaggeryApp
grantType
In this use case, out of the six OAuth 2.0 grant types WSO2 EMM uses the password
refresh_token
and thesaml2-bearer
grant types. You can add more grant types as space separated values. If you configured WSO2 EMM for SSO authentication, thesaml2-bearer
grant type will be used and if you configured WSO2 EMM for basic authentication, thepassword refresh_token
grant type will be used.Yes String password
saasApp
Define if this application is a Software as a Service (SaaS) application or not, by defining true
orfalse
as the respective values.Yes Boolean false
dynamicClientRegistrationEndPoint
Define the dynamic client registration endpoint by replacing
%https.ip%
with thehttps://<EMM_HOST>:<EMM_PORT>
.Info The default value for
<EMM_HOST>
is localhost and if you have not port offset WSO2 EMM, the default<EMM_PORT>
is9443
.Yes String localhost:9443/dynamic-client
-web/register/tokenScope
Define the scope of the issued access token. It is used to limit the authorization granted to the client by the resource owner. Yes String Production
- Optionally, if you configured the authentication method as
sso
, you need to register the portal application as a service provider. For more information, see the WSO2 Dashboard Server documentation on configuring SSO in DS.
...