Versions Compared

Comment: Grammar corrections

...


Step 1 - Configure the Carbon Console for SSO

Info

This step sets up SSO between the management consoles of the API Manager and the Identity Server.

...

  • Set the disabled attribute of the <Authenticator> element to false.
  • ServiceProviderID: The issuer name of the service provider.
  • IdentityProviderSSOServiceURL: The URL of the IdP. In this example, it is the URL of the Identity Server.

    Info

    A Service Provider (SP) is an entity that provides web services. A service provider relies on a trusted Identity Provider (IdP) for authentication and authorization. In this case, the Identity Server acts as the IdP and authenticates and authorizes the users of the service provider.

    For instructions on how to configure WSO2 API Manager with IdPs, see Step 4.

Code Block
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
        <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
        <Parameter name="ServiceProviderID">carbonserver</Parameter>
        <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso</Parameter>
        <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
    </Config>
</Authenticator>

Make sure the value of the <Priority> element of the SAML2SSOAuthenticator is less than that of the BasicAuthenticator handler. For more information, see the FAQ.

Info: NameIDPolicyFormat

The Service Provider and the Identity Provider usually communicate with each other about a subject. That subject is identified through a NameID, which must be in an agreed format so that the other party can interpret it. The possible values for the NameIDPolicyFormat are as follows:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified [default]
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

In this scenario, use urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, which is the default NameIDPolicyFormat. However, the value of the NameIDPolicyFormat depends entirely on the entities that you wish to implement. For more information on NameIdentifiers, refer to section 8.3 in SAML Core.

Info

If there are many WSO2 products in your environment, you can configure SSO for the management consoles to gain one-time access to all the consoles without repeated authentication. You can do this by changing the SAML2SSOAuthenticator configuration in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file as shown above.
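The following added example (not part of the WSO2 documentation or product) checks the SAML2SSOAuthenticator entry of an authenticators.xml file before SSO is enabled: the disabled attribute, the four parameters shown above, the NameIDPolicyFormat values listed in the note, and an HTTPS IdP URL. It returns both authenticators' priorities so that the ordering relative to the BasicAuthenticator described above can be confirmed; the sample XML is constructed, and the BasicAuthenticator priority in it is made up.

```python
# Added example: sanity-check the SAML2SSOAuthenticator entry in authenticators.xml.
import xml.etree.ElementTree as ET

# The four NameIDPolicyFormat values the documentation lists.
ALLOWED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
REQUIRED_PARAMS = ("LoginPage", "ServiceProviderID",
                   "IdentityProviderSSOServiceURL", "NameIDPolicyFormat")

# Constructed sample of authenticators.xml; the BasicAuthenticator priority is made up.
SAMPLE_AUTHENTICATORS_XML = """<Authenticators>
  <Authenticator name="BasicAuthenticator" disabled="false">
    <Priority>5</Priority>
  </Authenticator>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
      <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
      <Parameter name="ServiceProviderID">carbonserver</Parameter>
      <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso</Parameter>
      <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
    </Config>
  </Authenticator>
</Authenticators>"""

def check_saml_authenticator(xml_text):
    """Return (problems, priorities); priorities lets the operator confirm the
    ordering relative to BasicAuthenticator that the documentation requires."""
    root = ET.fromstring(xml_text)
    problems, priorities = [], {}
    for auth in root.findall("Authenticator"):
        prio = auth.findtext("Priority")
        priorities[auth.get("name")] = int(prio) if prio else None
    saml = root.find("Authenticator[@name='SAML2SSOAuthenticator']")
    if saml is None:
        return ["SAML2SSOAuthenticator entry missing"], priorities
    if saml.get("disabled", "true").lower() != "false":
        problems.append("SAML2SSOAuthenticator is still disabled")
    params = {p.get("name"): (p.text or "").strip()
              for p in saml.findall("Config/Parameter")}
    for name in REQUIRED_PARAMS:
        if not params.get(name):
            problems.append("missing parameter " + name)
    if params.get("NameIDPolicyFormat") not in ALLOWED_NAMEID_FORMATS:
        problems.append("unknown NameIDPolicyFormat")
    if not params.get("IdentityProviderSSOServiceURL", "").startswith("https://"):
        problems.append("IdentityProviderSSOServiceURL is not https")
    return problems, priorities
```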

Step 2 - Configure Publisher/Store for SSO

To configure SSO for the API Publisher, open the <API-M_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file and add the configuration shown below.

...

Tip

idpInitSSOURL consists of <SAML2.IdPURL> and <SAML2.SPEntityId>.

Properties and their descriptions:

  • SAML2.IdPURL=https://localhost:9443/samlsso: The URL of the SAML 2.0 Identity Provider.
  • SAML2.SPEntityId=API_PUBLISHER: A unique identifier for this SAML 2.0 Service Provider application.

The SAML2.SPEntityId should be the value of the issuer you specify under ssoConfiguration in the <API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file, which uniquely identifies your SAML identity provider. Therefore, it differs between the Store and the Publisher according to the issuer that you configure.

Step 3 - Configure the API Store for SSO in passive mode

If passive mode is disabled and Single Sign-On (SSO) is enabled, the user is redirected to the SSO login page. Because the WSO2 API Store allows anonymous access, passive mode is enabled by default, so that irrespective of whether SSO is enabled or not, the user is directed to the API Store URL and the SSO workflow starts only when the Sign In button is clicked.

...

Note

By enabling passive mode in SSO Configuration, WSO2 API Manager enables Passive Authentication on Single Sign On.

Info

Of the two fundamental authentication models, active and passive, active authentication is based on the WS-Trust protocol, in which a relying party is responsible for issuing the security token associated with the user credentials. In passive authentication, which is based on the SAML 2.0 and WS-Federation protocols, the relying party does not control the login logic and relies on the IdP to issue the credentials.

Step 4 - Configure an Identity Provider

Configuring WSO2 IS

You can configure WSO2 Identity Server as the IdP. For instructions on how to configure it, see Configuring Identity Server as IdP for SSO.

Configuring an external IdP

You can also opt to configure an external identity provider. For instructions on how to configure it, see Configuring External IdP through Identity Server for SSO.