Additional configurations

  • Signature algorithms

    The following table lists the available signature algorithms and their respective URIs (the standard XML Signature algorithm identifiers).

    Signature algorithm name   Signature algorithm URI
    DSA with SHA1              http://www.w3.org/2000/09/xmldsig#dsa-sha1
    ECDSA with SHA1            http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
    ECDSA with SHA256          http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
    ECDSA with SHA384          http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
    ECDSA with SHA512          http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
    RSA with MD5               http://www.w3.org/2001/04/xmldsig-more#rsa-md5
    RSA with RIPEMD160         http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160
    RSA with SHA1              http://www.w3.org/2000/09/xmldsig#rsa-sha1
    RSA with SHA256            http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    RSA with SHA384            http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
    RSA with SHA512            http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
  • Digest algorithms

    The following table lists the available digest algorithms and their respective URIs (the standard XML Signature and XML Encryption digest identifiers).

    Digest algorithm name   Digest algorithm URI
    MD5                     http://www.w3.org/2001/04/xmldsig-more#md5
    RIPEMD160               http://www.w3.org/2001/04/xmlenc#ripemd160
    SHA1                    http://www.w3.org/2000/09/xmldsig#sha1
    SHA256                  http://www.w3.org/2001/04/xmlenc#sha256
    SHA384                  http://www.w3.org/2001/04/xmldsig-more#sha384
    SHA512                  http://www.w3.org/2001/04/xmlenc#sha512


  • If you need to sign the SAML response using the authenticated user's tenant keystore, add the following configuration. (By default, the response is signed using the certificate that belongs to the tenant where the service provider is registered.) This property must be added if the SAML authenticator version in the WSO2 Carbon products you are using is 4.2.2 or higher (org.wso2.carbon.identity.authenticator.saml2.sso_4.2.2.jar).

    Add the <UseAuthenticatedUserDomainCrypto> property to the
    <IS_HOME>/repository/conf/identity/identity.xml file as shown below.

    <SSOService>
    ...
    	<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>
    </SSOService>
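A service provider that consumes the signed SAML response should know which of the algorithms from the two tables above it is actually receiving. The following is an added example (not WSO2 code and not part of the original page) that walks every ds:Signature in a SAML response, maps the SignatureMethod and DigestMethod URIs back to the table names, and flags the MD5- and SHA-1-based entries, plus any URI not in the tables, as weak. The sample response, the "accepted" column and the policy choices are this example's own assumptions.

```python
"""Added example (not WSO2 code): audit the algorithm URIs in a signed SAML response.

Walks every ds:Signature in the response, maps each SignatureMethod and
DigestMethod URI to the names in the signature/digest tables, and flags the
MD5- and SHA-1-based entries (and any URI not in the tables) as weak.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# URI -> (name from the table, accepted by this example's policy).
# Policy assumed here: MD5 and SHA-1 based algorithms are rejected.
SIGNATURE_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1": ("DSA with SHA1", False),
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1": ("ECDSA with SHA1", False),
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256": ("ECDSA with SHA256", True),
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384": ("ECDSA with SHA384", True),
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512": ("ECDSA with SHA512", True),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5": ("RSA with MD5", False),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160": ("RSA with RIPEMD160", True),
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": ("RSA with SHA1", False),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": ("RSA with SHA256", True),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": ("RSA with SHA384", True),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": ("RSA with SHA512", True),
}
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmldsig-more#md5": ("MD5", False),
    "http://www.w3.org/2001/04/xmlenc#ripemd160": ("RIPEMD160", True),
    "http://www.w3.org/2000/09/xmldsig#sha1": ("SHA1", False),
    "http://www.w3.org/2001/04/xmlenc#sha256": ("SHA256", True),
    "http://www.w3.org/2001/04/xmldsig-more#sha384": ("SHA384", True),
    "http://www.w3.org/2001/04/xmlenc#sha512": ("SHA512", True),
}


def classify(kind, uri, table):
    """One finding: (element kind, URI, table name or 'unknown', accepted)."""
    name, accepted = table.get(uri, ("unknown", False))
    return (kind, uri, name, accepted)


def audit_signatures(xml_text):
    """Return a finding for every SignatureMethod/DigestMethod under a ds:Signature."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(DS + "Signature"):
        for elem in sig.iter(DS + "SignatureMethod"):
            findings.append(classify("SignatureMethod", elem.get("Algorithm"), SIGNATURE_ALGORITHMS))
        for elem in sig.iter(DS + "DigestMethod"):
            findings.append(classify("DigestMethod", elem.get("Algorithm"), DIGEST_ALGORITHMS))
    return findings


def weak_algorithms(xml_text):
    """Findings the policy rejects; an empty list means the response passes the check."""
    return [f for f in audit_signatures(xml_text) if not f[3]]


# Constructed SAML response skeleton (the digest and signature values are
# placeholders, not a real signature): RSA/SHA-1 signature over a SHA-256
# digest, so the signature method should be flagged and the digest accepted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-response-1" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_constructed-response-1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>Y29uc3RydWN0ZWQtZGlnZXN0</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQtc2lnbmF0dXJl</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    for kind, uri, name, ok in audit_signatures(SAMPLE_RESPONSE):
        print(f"{'OK  ' if ok else 'WEAK'} {kind:16} {name:20} {uri}")
```

The check only inspects the algorithm identifiers; it is meant to run before (or alongside) the actual signature validation, so that a response signed with an algorithm your policy has retired is rejected even when the signature itself verifies.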

Configuring OAuth/OpenID Connect

OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.

To enable OAuth support for your client application, you must first register your application by providing an application name and a callback URL. Follow the instructions below to add a new application.

  1. Expand the OAuth/OpenID Connect Configuration and click Configure.
  2. Fill in the form that appears. For the Allowed Grant Types you can disable the ones you do not require or wish to block.
  3. Click Add. The following information is added for your service provider.
    • OAuth Client Key - This is the client key of the service provider, which will be checked for authentication by the Identity Server before providing the access token.
    • OAuth Client Secret - This is the client secret of the service provider, which will be checked for authentication by the Identity Server before providing the access token. Click the Show button to view the exact value of this.

When filling out the New Application form, the following should be taken into consideration.

  • Selecting OAuth Version as 1.0a removes all the configurable Allowed Grant Types. This is because this version of OAuth does not support grant types.
  • The Callback Url is the exact location in the service provider's application where an access token would be sent. This is a required field and important to configure as it is imperative that the service provider receives the access token. This is necessary for security purposes to ensure that the token is not compromised.
  • The following are the grant types that are used to get the access token.
    • Code - Entering the user name and password required at the service provider will result in a code being generated. This code can be used to obtain the access token.
    • Implicit - This is similar to the code grant type, but instead of generating a code, this directly provides the access token.
    • Password - This authenticates the user using the password provided and the access token is provided.
    • Client Credential - This is the grant type for the client key and client secret. If these two items are provided correctly by the service provider, the access token is sent.
    • Refresh Token - This will enable the user to obtain an access token by using the refresh token once the originally provided access token is used up.
    • SAML - This uses SAML as the grant type to obtain the access token.
    • IWA-NTLM - This is similar to the password grant type, but it is specific to Microsoft Windows users.
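To make concrete what the registration values above are used for on the server side, here is an added example (not WSO2 code and not part of the original page) of the checks an authorization server performs for one registered application before a token is issued: an exact match of the redirect URI against the registered Callback Url, an allow-list built from the Allowed Grant Types left enabled, single-use authorization codes and refresh tokens, and a constant-time comparison of the OAuth Client Secret. It covers the code, implicit, client credentials and refresh token grants; the password, SAML and IWA-NTLM grants are simply rejected as not implemented here. The application record, its key, secret and callback URL are constructed values.

```python
"""Added example (not WSO2 code): the checks an authorization server applies to
a registered OAuth 2.0 application before issuing a token.

Models one service provider with the values from the registration steps
(client key, client secret, callback URL, allowed grant types) and covers the
code, implicit, client credentials and refresh token grants; other grant types
are rejected.
"""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class RegisteredApp:
    client_key: str                 # "OAuth Client Key" shown after Add
    client_secret: str              # "OAuth Client Secret"
    callback_url: str               # "Callback Url": the exact location to redirect to
    allowed_grant_types: frozenset  # whatever was left enabled under Allowed Grant Types


class AuthorizationServer:
    def __init__(self, apps):
        self.apps = {app.client_key: app for app in apps}
        self.codes = {}           # code -> (client_key, redirect_uri), single use
        self.refresh_tokens = {}  # refresh token -> client_key, single use

    def authorize(self, client_key, redirect_uri, response_type):
        """Authorization endpoint, after the user has logged in: issue a code or token."""
        app = self.apps.get(client_key)
        if app is None:
            return {"error": "unauthorized_client"}
        # Exact string match: prefix or host-only matching would let a different
        # path on the same host, or an open redirector, receive the code or token.
        if redirect_uri != app.callback_url:
            return {"error": "invalid_request", "error_description": "redirect_uri mismatch"}
        grant = {"code": "authorization_code", "token": "implicit"}.get(response_type)
        if grant not in app.allowed_grant_types:
            return {"error": "unsupported_response_type"}
        if grant == "implicit":  # the token goes straight back in the URL fragment
            token = secrets.token_urlsafe(32)
            return {"redirect": app.callback_url + "#" + urlencode(
                {"access_token": token, "token_type": "Bearer"})}
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_key, redirect_uri)
        return {"redirect": app.callback_url + "?" + urlencode({"code": code})}

    def token(self, params):
        """Token endpoint: authenticate the client, then validate the grant."""
        app = self.apps.get(params.get("client_id", ""))
        if app is None or not hmac.compare_digest(
                app.client_secret, params.get("client_secret", "")):
            return {"error": "invalid_client"}  # constant-time secret comparison
        grant = params.get("grant_type")
        if grant not in app.allowed_grant_types:
            return {"error": "unauthorized_client"}  # disabled in Allowed Grant Types
        if grant == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)
            if entry != (app.client_key, params.get("redirect_uri")):
                return {"error": "invalid_grant"}  # unknown, replayed or mis-bound code
        elif grant == "refresh_token":
            if self.refresh_tokens.pop(params.get("refresh_token"), None) != app.client_key:
                return {"error": "invalid_grant"}
        elif grant != "client_credentials":
            return {"error": "unsupported_grant_type"}
        response = {"access_token": secrets.token_urlsafe(32),
                    "token_type": "Bearer", "expires_in": 3600}
        if "refresh_token" in app.allowed_grant_types and grant != "client_credentials":
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = app.client_key
            response["refresh_token"] = refresh
        return response


# Constructed registration; real values come from the Identity Server's Add step.
DEMO_APP = RegisteredApp(
    client_key="constructed-client-key",
    client_secret="constructed-client-secret",
    callback_url="https://sp.example/oauth/callback",
    allowed_grant_types=frozenset({"authorization_code", "refresh_token", "client_credentials"}),
)


def code_from_redirect(redirect):
    """Pull the code parameter out of the redirect built by authorize()."""
    return redirect.split("?code=", 1)[1]


if __name__ == "__main__":
    server = AuthorizationServer([DEMO_APP])
    step = server.authorize(DEMO_APP.client_key, DEMO_APP.callback_url, "code")
    print(server.token({"client_id": DEMO_APP.client_key,
                        "client_secret": DEMO_APP.client_secret,
                        "grant_type": "authorization_code",
                        "code": code_from_redirect(step["redirect"]),
                        "redirect_uri": DEMO_APP.callback_url}))
```

Two design points are worth noting. The redirect URI is compared as a whole string, which is why the Callback Url registered above has to be the exact location the application expects; and the code and refresh token are popped from their tables on use, so a second presentation of either is an invalid_grant rather than a second token.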

Configuring WS-Trust Security Token Service