Versions Compared

Old Version 13

changes.mady.by.user Former user

Saved on

compared with

New Version 14

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Applies to:

...

By default WSO2 Servers use Basic Authentication basic authentication for its authentication purposes. However, in a Single-Sign-On (SSO) environment, we need to use SAML-based Authentication authentication to authenticate users to WSO2 Serversservers. The following needs to be done in order to enable SSO:

...

We need to do two main configurations at the Application Server. Changing the port configuration and changing the Authenticator configurationconfiguration in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file.

Port Configuration

  1. Download the WSO2 Application Server from here.
  2. Extract the .zip file. Locate the carbon.xml file in the This unzipped folder which is found in the path: is referred to as <AS_HOME> in this topic.
  3. Navigate to the <AS_HOME>/repository/conf/carbon.xml file in the unzipped folder. 
  4. Open the carbon.xml file and search for the following configuration: <offset>0</offset>
  5. Change the offset value from 0 to 1.
  6. Save the carbon.xml file and close it.

Authenticators Configuration

  1. Locate the authenticators.xml file which can be found in the path: Navigate to the <AS_HOME>/repository/conf/security/authenticators.xml file. 

  2. Open the authenticators.xml file and set the "disabled" attribute value to "false" for the SAML2SSOAuthenticator configuration.Image Modified

    Info
    titleAdditional configuration

    When the cluster is hosted on the cloud or on a remote server, the IdentityProviderSSOServiceURL tag must be changed in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file. This should point to the host URL of the load balancer of the cluster. This is done because the authentication is done by the WSO2 Identity Server cluster and the load balancer will decide where the authentication request is sent to.

Configuring WSO2 Enterprise Service Bus

Similar to the Application Server we need to configure the port and the authenticator of ESBthe WSO2 Enterprise Service Bus.

Port Configuration

  1. Download the WSO2 ESB from here and extract it. This unzipped folder is referred to as <ESB_HOME> in this topic.
  2. Similar to the WSO2 Application Server, open the <ESB_HOME>/repository/conf/carbon.xml file  file and change the port offset to 2.

Authenticators Configuration

  1. Follow the exact same steps did done for the WSO2 Application Server and enable the SAML2SSOAuthenticator.Now we need to do another configuration. We need to change  in the <ESB_HOME>/repository/conf/security/authenticators.xml file.

  2. Change the ServiceProviderID. This ID is used by the Identity Server to identify the ESB's requests. Change this value to carbonServer2.
    Image Modified

    Info
    titleAdditional configuration

    When the cluster is hosted on the cloud or on a remote server, the IdentityProviderSSOServiceURL tag must be changed in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file. This should point to the host URL of the load balancer of the cluster. This is done because the authentication is done by the WSO2 Identity Server cluster and the load balancer will decide where the authentication request is sent to.

Configuring WSO2 Governance Registry

...

  1. Download the WSO2 Governance Registry from here.
  2. Set the port offset to 3.

Authenticators Configuration

...

  1. Download the WSO2 Identity Server from here.
  2. Extract the .zip file.
  3. Open a terminal and navigate to the <IS_HOME>/bin folder.
  4. Start the Identity Server using the wso2server.sh file in Unix or wso2server.bat file in Windows.
  5. Once the server is started, visit the following URL: https://localhost:9443/carbon/
  6. Sign in to the WSO2 Identity Server. Enter your username and password to log on to the Management Console
  7. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
     

  8. Fill in the Service Provider Name and provide a brief Description of the service provider in the resulting screen. If the service provider configuration is used by tenants as well, you must select the SaaS Application checkbox.

    Tip

    Tip: By default, the SaaS Application checkbox is disabled, which means the web application is not shared among tenants so only users in the current tenant (the one you use to define the service provider) will be allowed to log into the web application. Alternatively, if you enabled the SaaS Application checkbox, that means this web application is shared among tenants so users from any tenant will be allowed to log into the web application. For example, if there are three tenants, namely TA, TB and TC and the service provider is registered and configured only in TA.

    • If the SaaS Application configuration is disabled, only users in TA are able to log into the web application.

    • If the SaaS Application configuration is enabled, all TA, TB, TC users are able to log into the web application.

  9. Expand the SAML2 Web SSO Configuration under Inbound Authentication Configuration.
     
  10. Click Configure. Fill in the form that appears.
  11. Fill up this page with the following configurations. You must register different service providers for WSO2 Application Server, WSO2 ESB and WSO2 Governance Registry.

    1. Use the following configurations for WSO2 Application Server and add them to the relevant sections in the New Service Provider screen:

      Panel

      Issuer: carbonServer

      Assertion Consumer URL: https://localhost:9444/acs

      Use fully qualified username in the NameID

      Enable Response Signing

      Enable Assertion Signing

      Enable Single Logout

    2. Use the following values to register the WSO2 ESB:

      Panel

      Issuer : carbonServer2

      Assertion Consumer URL : https://localhost:9445/acs

      Use fully qualified username in the NameID

      Enable Response Signing

      Enable Assertion Signing

      Enable Single Logout

    3. Use the following values to register the WSO2 Governance Registry.

      Panel

      Issuer : carbonServer3

      Assertion Consumer URL : https://localhost:9446/acs

      Use fully qualified username in the NameID

      Enable Response Signing

      Enable Assertion Signing

      Enable Single Logout

    4. Make a note of the following when you are using tenant configurations. This can be done in all the WSO2 Carbon servers.

      Note
      titleAdditional configurations

      If you need to sign the SAML response using an authenticated user's tenant keystore, please add the following configuration. (By default, the response is signed using the certificate that belongs to the tenant where the service provider is registered). This property must be added if the SAML authenticator version in the WSO2 Carbon products that you are using is 4.2.2 or higher (org.wso2.carbon.identity.authenticator.saml2.sso_4.2.2.jar).

      Add the <UseAuthenticatedUserDomainCrypto> property available in the <IS_HOME>/repository/conf/identity.xml file as shown below.

      Code Block
      languagexml
      <SSOService>
...
	<UseAuthenticatedUserDomainCrypto>true<UseAuthenticatedUserDomainCrypto><UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>
</SSOService>

  12. Click Register to save the values and register each service provider created.

...