Applies to:

...

  1. Navigate to the <AS_HOME>/repository/conf/security/authenticators.xml file.
  2. Open the authenticators.xml file and set the "disabled" attribute to "false" in the SAML2SSOAuthenticator configuration.

    Additional configuration

    When the cluster is hosted on the cloud or on a remote server, the IdentityProviderSSOServiceURL tag must be changed in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file. It must point to the host URL of the cluster's load balancer, because authentication is performed by the WSO2 Identity Server cluster and the load balancer decides which node receives the authentication request.

    From WSO2 Identity Server 5.0.0 onwards, there are different SAML endpoints for each tenant. If the service provider calls the identity provider's SAML endpoint URL as https://is.com:9443/samlsso?tenantDomain=foo.com, or the issuer name is suffixed with @<TenantDomain> (for example travelocity.com@foo.com), the SAML requests are directed to the foo.com tenant.

    The VerifySignatureWithUserDomain property makes the most recent Carbon-based products switch back to the previous behaviour when validating SAML responses. If it is set to true, the SAML response is verified with the key of the tenant that the authenticated user belongs to. If it is set to false, the SAML response is verified with the key of the tenant to which the SAML request was directed. This can be set in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file:

    <VerifySignatureWithUserDomain>true</VerifySignatureWithUserDomain>

Configuring WSO2 Enterprise Service Bus

...

  1. Follow the same steps as for the WSO2 Application Server and enable the SAML2SSOAuthenticator in the <ESB_HOME>/repository/conf/security/authenticators.xml file.
  2. Change the ServiceProviderID to carbonServer2. The Identity Server uses this ID to identify the ESB's requests.

    Additional configuration

    When the cluster is hosted on the cloud or on a remote server, the IdentityProviderSSOServiceURL tag must be changed in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file. It must point to the host URL of the cluster's load balancer, because authentication is performed by the WSO2 Identity Server cluster and the load balancer decides which node receives the authentication request.

    From WSO2 Identity Server 5.0.0 onwards, there are different SAML endpoints for each tenant. If the service provider calls the identity provider's SAML endpoint URL as https://is.com:9443/samlsso?tenantDomain=foo.com, or the issuer name is suffixed with @<TenantDomain> (for example travelocity.com@foo.com), the SAML requests are directed to the foo.com tenant.

    The VerifySignatureWithUserDomain property makes the most recent Carbon-based products switch back to the previous behaviour when validating SAML responses. If it is set to true, the SAML response is verified with the key of the tenant that the authenticated user belongs to. If it is set to false, the SAML response is verified with the key of the tenant to which the SAML request was directed. This can be set in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file:

    <VerifySignatureWithUserDomain>true</VerifySignatureWithUserDomain>
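To check that an ESB node's authenticators.xml actually matches the steps above (authenticator enabled, ServiceProviderID changed to carbonServer2, IdP URL pointing at the load balancer, VerifySignatureWithUserDomain set) and to show which tenant a request is routed to under the two forms described in the note, here is an added Python audit; it is example code, not WSO2's code or a file from this page. The Authenticator/Config/Parameter layout of the sample, the host names is-node1.internal and is-lb.example.com, and the precedence between the two tenant forms are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample, not a real WSO2 file. The Authenticator/Config/Parameter
# layout is an assumption; check it against your product's authenticators.xml.
# This ESB node still carries the default ServiceProviderID and an IdP URL that
# names one Identity Server node instead of the cluster's load balancer.
SAMPLE_XML = """<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Config>
      <Parameter name="ServiceProviderID">carbonServer</Parameter>
      <Parameter name="IdentityProviderSSOServiceURL">https://is-node1.internal:9443/samlsso</Parameter>
      <Parameter name="VerifySignatureWithUserDomain">true</Parameter>
    </Config>
  </Authenticator>
</Authenticators>"""


def audit_saml_authenticator(xml_text, expected_sp_id, lb_host):
    """Return a list of findings; an empty list means the file matches the steps above."""
    root = ET.fromstring(xml_text)
    auth = root.find("./Authenticator[@name='SAML2SSOAuthenticator']")
    if auth is None:
        return ["SAML2SSOAuthenticator block not found"]
    findings = []
    if auth.get("disabled", "true").lower() != "false":
        findings.append("SAML2SSOAuthenticator is still disabled")
    params = {p.get("name"): (p.text or "").strip() for p in auth.iter("Parameter")}
    sp_id = params.get("ServiceProviderID")
    if sp_id != expected_sp_id:
        findings.append(f"ServiceProviderID is {sp_id!r}, expected {expected_sp_id!r}")
    url = urlsplit(params.get("IdentityProviderSSOServiceURL", ""))
    if url.scheme != "https" or url.hostname != lb_host:
        findings.append(f"IdentityProviderSSOServiceURL does not point at the load balancer {lb_host}")
    # The page shows the property as a bare element; the sample carries it as a Parameter.
    if "VerifySignatureWithUserDomain" not in params and auth.find(".//VerifySignatureWithUserDomain") is None:
        findings.append("VerifySignatureWithUserDomain is not set")
    return findings


def resolve_tenant(sso_url, issuer):
    """Tenant the IdP routes a request to: ?tenantDomain=... on the endpoint URL or the
    @<TenantDomain> issuer suffix (query form checked first: an assumption). None if neither."""
    tenant = parse_qs(urlsplit(sso_url).query).get("tenantDomain")
    if tenant:
        return tenant[0]
    if "@" in issuer:
        return issuer.rsplit("@", 1)[1]
    return None
```

Run `audit_saml_authenticator(SAMPLE_XML, "carbonServer2", "is-lb.example.com")` against each node's file after a deployment; the sample yields two findings, the ServiceProviderID and the IdP URL.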


Configuring WSO2 Governance Registry

...