WSO2 Identity Server (WSO2 IS) provides identity management across many platforms such as enterprise applications, services, and APIs. In other words, it provides a comprehensive solution that allows you to manage the identity and access management (IAM) activities of an enterprise. The Quick Start Guide takes you on a quick tour of WSO2 IS to help you understand what you can achieve using this product.
...
- Enter 1 as the scenario number.
- Enter the paths to your WSO2 IS pack and the Apache Tomcat pack.
Running scenario 1:
- creates two users, Cameron and Alex
- creates the role 'manager' and assigns that role to Cameron
- creates service providers for the two web apps
- configures SAML2 web SSO for Dispatch and Swift
This QSG uses the command line utility to do the above. Each of these steps can also be done through the Management Console.
Once the above step is done, it displays the following screen:
Now you can open the web applications by entering the following URLs in a web browser.
Dispatch: http://localhost:8080/saml2-web-app-dispatch.com/
Swift: http://localhost:8080/saml2-web-app-swift.com/
The following Login screen is displayed.
- Click Log in and use one of the following credentials:
Manager
Username: cameron
Password: cameron123
Employee
Username: alex
Password: alex123
- Give your consent by selecting the attributes you want to share as part of your profile information and click Approve.
Obtaining user consent is one of the fundamental requirements of the GDPR. WSO2 IS facilitates this through its Consent Management features; see the Consent Management documentation for more on GDPR and how WSO2 IS handles consent.
The following page is displayed for the Dispatch application and can be accessed at http://localhost:8080/saml2-web-app-dispatch.com/.
Now open a new tab in your browser and access http://localhost:8080/saml2-web-app-swift.com/. You see the following page for the Swift application.
The Swift application opens without having to enter the user credentials again.
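The guide shows the SAML2 web SSO flow from the browser only. The following is an added example, not code from the guide, the sample apps or WSO2 IS itself: the checks the service-provider side (Dispatch or Swift) must make on the SAML Response it receives before treating the user as logged in. The response is constructed; the issuer `localhost`, the audience `saml2-web-app-dispatch.com` and the ACS URL ending in `/home.jsp` are assumed values, not taken from the guide. Verifying the XML signature itself is left to a SAML library.

```python
"""SP-side checks on a SAML 2.0 Response before the user counts as logged in.

Added example; not code from the WSO2 QSG, the sample apps or WSO2 IS. The
response below is constructed. Issuer 'localhost', audience
'saml2-web-app-dispatch.com' and the ACS URL are assumed values.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS = "http://localhost:8080/saml2-web-app-dispatch.com/home.jsp"  # assumed ACS URL


def parse_time(s):
    """SAML timestamps are UTC ISO 8601 ending in 'Z', with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(s, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"bad SAML timestamp {s!r}")


def check_saml_response(xml_text, issuer, audience, acs_url, request_id, now):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if root.get("Destination") != acs_url:
        out.append("Destination is not this SP's ACS URL")
    if root.get("InResponseTo") != request_id:
        out.append("Response InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        out.append("Status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return out + [f"expected one Assertion, found {len(assertions)}"]
    a = assertions[0]
    # The assertion itself must be signed. Verifying the XML-DSig against the IdP
    # certificate is a SAML library's job; this only records where the check sits.
    if a.find("ds:Signature", NS) is None:
        out.append("Assertion is not signed")
    if a.findtext("saml:Issuer", default="", namespaces=NS) != issuer:
        out.append("unexpected Assertion Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        out.append("Assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_time(nb):
            out.append("Assertion not yet valid (NotBefore)")
        if not na or now >= parse_time(na):
            out.append("Assertion expired or lacks NotOnOrAfter")
        auds = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in auds:
            out.append(f"Audience {auds} does not include this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        out.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            out.append("SubjectConfirmationData Recipient is not this SP's ACS URL")
        if scd.get("InResponseTo") != request_id:
            out.append("SubjectConfirmationData InResponseTo does not match the AuthnRequest")
        if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")):
            out.append("SubjectConfirmationData expired")
    return out


# Constructed response; the SignatureValue is a placeholder, not a real signature.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
  InResponseTo="_req42" Destination="{ACS}">
  <saml:Issuer>localhost</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <ds:Signature><ds:SignatureValue>ZmFrZQ==</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>cameron</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS}"
          NotOnOrAfter="2024-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>saml2-web-app-dispatch.com</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    now = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)
    args = dict(issuer="localhost", audience="saml2-web-app-dispatch.com", acs_url=ACS)
    unsigned = SAMPLE.replace(
        "<ds:Signature><ds:SignatureValue>ZmFrZQ==</ds:SignatureValue></ds:Signature>", "")
    return {
        "fresh": check_saml_response(SAMPLE, request_id="_req42", now=now, **args),
        # same response presented against another request ID: replay or unsolicited response
        "replayed": check_saml_response(SAMPLE, request_id="_req43", now=now, **args),
        "late": check_saml_response(SAMPLE, request_id="_req42", now=now + dt.timedelta(minutes=10), **args),
        "unsigned": check_saml_response(unsigned, request_id="_req42", now=now, **args),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {'OK' if not findings else findings}")
```

Two points the walkthrough does not show: the SP must remember the IDs of the AuthnRequests it sent and consume each one when the matching response arrives, so a captured response cannot be replayed later; and the signature presence check is only a placeholder for real XML signature verification, which must be done by a SAML library against the IdP certificate before any attribute from the assertion is trusted, otherwise a signature wrapping attack can smuggle in an unsigned assertion.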
...
Enter 2 as the scenario number.
Enter the paths to your WSO2 IS pack and the Apache Tomcat pack.
Running scenario 2 creates two users (Cameron and Alex), creates the role 'manager' and assigns it to Cameron. It also creates a service provider for each application and configures OpenID Connect SSO for them.
Once this scenario is run, the following screen is displayed:
Once you open the web applications by entering the following URLs in a web browser (Dispatch: http://localhost:8080/Dispatch/ or Swift: http://localhost:8080/Swift/), the following login screen appears:
- Click Log in and sign in to the web application you accessed using one of the following credentials:
Manager
Username: cameron
Password: cameron123
Employee
Username: alex
Password: alex123
- In the OPENID USER CLAIMS page, select the approval type, give your consent by selecting the attributes you wish to share with the service provider, and click Continue.
The following page appears if you accessed http://localhost:8080/Dispatch/. The Swift application opens if you accessed that instead.
- Now open a new tab in your browser and access the other web application, for example http://localhost:8080/Swift/. The following screen appears.
...
- Enter 3 to configure the Multi-factor Authentication scenario.
- Enter the paths where WSO2 IS and Apache Tomcat are installed.
- Enter 'y' to confirm that you have already registered an app in Twitter (see Prerequisites).
Prerequisites: registering a Twitter app
To try out multi-factor authentication, you must first register a Twitter application if you have not done so already.
- Go to https://twitter.com/ and create an account.
- Register a new application on Twitter at https://apps.twitter.com. For more information, see Create Twitter Application.
- Use https://localhost:9443/commonauth as the Callback URL for your Twitter app. The callback registered with Twitter must match the URL WSO2 IS redirects to, so adjust the host and port if your WSO2 IS does not run on the defaults.
- Note down the API key and API secret for later use.
- Enter the API key and the API secret of your registered Twitter application.
The following screen is displayed:
- Open a web browser and paste the application URL for Dispatch (http://localhost:8080/saml2-web-app-dispatch.com) or Swift (http://localhost:8080/saml2-web-app-swift.com). Click Log in.
- Sign in to the application using the following user credentials.
Manager
Username: cameron
Password: cameron123
You are redirected to the Twitter login page (Twitter is the second authentication factor).
- Enter your Twitter username and password.
- Give consent and click Approve.
- After a successful authentication, you are redirected back to the web application.
Federated authentication
Problem scenario
Pickup works with a team of external consultants and you want to give them access to the web apps. However, it is a hassle to keep adding and maintaining their accounts in the employee database, as these consultants are temporary and keep rotating. Therefore, you decide to use Identity Server's identity federation capability so that the external consultants can log in to the apps with their existing Twitter account credentials.
Configuring federated authentication
You can use the following steps to configure federated authentication using WSO2 IS:
- Enter 4 to configure Twitter as a Federated Authenticator.
- Enter the paths where WSO2 IS and Apache Tomcat are installed.
- Enter 'y' to confirm that you have already registered an app in Twitter.
Registering a Twitter app
To try out this federation scenario, you must first register a Twitter application if you have not done so already.
- Go to https://twitter.com/ and create an account.
- Register a new application on Twitter at https://apps.twitter.com. For more information, see Create Twitter Application.
- Use https://localhost:9443/commonauth as the Callback URL for your Twitter app. The callback registered with Twitter must match the URL WSO2 IS redirects to, so adjust the host and port if your WSO2 IS does not run on the defaults.
- Note down the API key and API secret for later use.
- Enter the API key and the API secret of your registered Twitter application.
The following screen is displayed:
- Open a web browser and paste the application URL for Dispatch (http://localhost:8080/saml2-web-app-dispatch.com) or Swift (http://localhost:8080/saml2-web-app-swift.com).
- Log in to the application using the following user credentials.
Manager
Username: cameron
Password: cameron123
- Give consent and click Approve.
- After a successful authentication, you are redirected back to the web application.
...
- Enter 6 to select the Creating a workflow scenario.
- Enter the paths to your WSO2 IS pack and the Apache Tomcat pack.
- Open the Dispatch web application and try to log in.
- In the Sign In page, click the Register Now link.
- Fill in the user details and create a user account. If you want a user to sign up for a specific tenant, the username must be given in the following format:
<USERNAME>@<TENANT_DOMAIN>
Even though the new user is created successfully, the account is still disabled. To enable the user, you need to log in to the WSO2 Identity Server dashboard and approve the pending workflow requests.
- Access the WSO2 Identity Server dashboard.
- Log in to the dashboard with the junior manager's credentials.
Username: alex
Password: alex123
- Click the View Details button under Pending Approvals.
- Click the task ID.
- Approve the pending task and log out of the junior manager's profile.
- Log in to the dashboard with the senior manager's credentials.
Username: cameron
Password: cameron123
- Click the View Details button under Pending Approvals.
- Click the task ID.
- Approve the pending task and log out of the senior manager's profile.
- Log in to the Dispatch application with the new user's credentials.
...