Applies to:
...
- Navigate to the <AS_HOME>/repository/conf/security/authenticators.xml file. Open the authenticators.xml file and set the "disabled" attribute value to "false" for the SAML2SSOAuthenticator configuration.

  Additional configuration: When the cluster is hosted on the cloud or on a remote server, the IdentityProviderSSOServiceURL tag must be changed in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file. This should point to the host URL of the load balancer of the cluster. This is done because the authentication is done by the WSO2 Identity Server cluster, and the load balancer decides where the authentication request is sent.

  From WSO2 Identity Server 5.0.0 onwards, there are different SAML endpoints for each tenant. If the service provider calls the identity provider's SAML endpoint URL as https://is.com:9443/samlsso?tenantDomain=foo.com, or the issuer name is appended with @<TenantDomain> like travelocity.com@foo.com, the SAML requests are directed to the foo.com tenant.

  The VerifySignatureWithUserDomain property makes the most recent Carbon-based products fall back to the earlier behaviour when verifying SAML responses. I.e., if this is set to true, the SAML response is verified with the key of the tenant that the authenticated user belongs to. If it is set to false, the SAML response is verified with the key of the tenant to which the SAML request is directed. This can be set in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file:

    <VerifySignatureWithUserDomain>true</VerifySignatureWithUserDomain>
Configuring WSO2 Enterprise Service Bus
...
- Follow the exact same steps done for the WSO2 Application Server and enable the SAML2SSOAuthenticator in the <ESB_HOME>/repository/conf/security/authenticators.xml file. Change the ServiceProviderID. This ID is used by the Identity Server to identify the ESB's requests. Change this value to carbonServer2.

  Additional configuration: When the cluster is hosted on the cloud or on a remote server, the IdentityProviderSSOServiceURL tag must be changed in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file. This should point to the host URL of the load balancer of the cluster. This is done because the authentication is done by the WSO2 Identity Server cluster, and the load balancer decides where the authentication request is sent.

  From WSO2 Identity Server 5.0.0 onwards, there are different SAML endpoints for each tenant. If the service provider calls the identity provider's SAML endpoint URL as https://is.com:9443/samlsso?tenantDomain=foo.com, or the issuer name is appended with @<TenantDomain> like travelocity.com@foo.com, the SAML requests are directed to the foo.com tenant.

  The VerifySignatureWithUserDomain property makes the most recent Carbon-based products fall back to the earlier behaviour when verifying SAML responses. I.e., if this is set to true, the SAML response is verified with the key of the tenant that the authenticated user belongs to. If it is set to false, the SAML response is verified with the key of the tenant to which the SAML request is directed. This can be set in the <PRODUCT_HOME>/repository/conf/security/authenticators.xml file:

    <VerifySignatureWithUserDomain>true</VerifySignatureWithUserDomain>
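As an added example that is not part of this documentation or of WSO2's own code, the following Python script checks an authenticators.xml fragment against the steps given for both the Application Server and the ESB (authenticator enabled, ServiceProviderID set, IdentityProviderSSOServiceURL pointing at the load balancer when clustered) and applies the tenant-resolution and VerifySignatureWithUserDomain rules from the additional-configuration notes. The Authenticator/Priority/Config/Parameter layout, the carbon.super default tenant, the host names, and the sample fragment are assumptions; the fragment is constructed rather than copied from a shipped file.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed sample, not a copy of any shipped authenticators.xml. The
# Authenticator/Priority/Config/Parameter layout is an assumption modelled on
# Carbon's file; the names used are the ones the documentation above mentions.
SAMPLE_AUTHENTICATORS_XML = """\
<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
      <Parameter name="ServiceProviderID">carbonServer2</Parameter>
      <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9443/samlsso</Parameter>
      <Parameter name="VerifySignatureWithUserDomain">true</Parameter>
    </Config>
  </Authenticator>
</Authenticators>
"""

DEFAULT_TENANT = "carbon.super"  # assumed super-tenant domain; not stated on this page


def load_saml_authenticator(xml_text):
    """Extract the SAML2SSOAuthenticator block, or None if it is absent."""
    root = ET.fromstring(xml_text)
    for auth in root.iter("Authenticator"):
        if auth.get("name") != "SAML2SSOAuthenticator":
            continue
        params = {p.get("name"): (p.text or "").strip()
                  for p in auth.findall("./Config/Parameter")}
        # The page shows VerifySignatureWithUserDomain as its own tag; accept
        # either that form or a <Parameter name="..."> entry.
        verify = auth.findtext("VerifySignatureWithUserDomain")
        if verify is None:
            verify = params.get("VerifySignatureWithUserDomain", "false")
        return {
            # An absent disabled attribute is treated as enabled (assumption).
            "disabled": auth.get("disabled", "false").strip().lower() == "true",
            "params": params,
            "verify_with_user_domain": verify.strip().lower() == "true",
        }
    return None


def check_config(cfg, expected_sp_id, clustered=False, lb_host=None):
    """Return findings against the steps above; an empty list means the block matches."""
    if cfg is None:
        return ["SAML2SSOAuthenticator block not found"]
    findings = []
    if cfg["disabled"]:
        findings.append('disabled must be "false" on SAML2SSOAuthenticator')
    sp_id = cfg["params"].get("ServiceProviderID")
    if sp_id != expected_sp_id:
        findings.append(f"ServiceProviderID is {sp_id!r}, expected {expected_sp_id!r}")
    idp_url = cfg["params"].get("IdentityProviderSSOServiceURL", "")
    host = urlparse(idp_url).hostname
    if clustered and host != lb_host:
        findings.append(f"IdentityProviderSSOServiceURL host {host!r} should be the "
                        f"load balancer {lb_host!r} for a clustered Identity Server")
    return findings


def resolve_request_tenant(sso_url, issuer):
    """Tenant a SAML request is directed to: the tenantDomain query parameter
    wins, then an @<TenantDomain> suffix on the issuer, else the default."""
    query = parse_qs(urlparse(sso_url).query)
    if query.get("tenantDomain"):
        return query["tenantDomain"][0]
    if "@" in issuer:
        return issuer.rsplit("@", 1)[1]
    return DEFAULT_TENANT


def verifying_tenant(cfg, request_tenant, user_tenant):
    """Whose key verifies the SAML response under VerifySignatureWithUserDomain."""
    return user_tenant if cfg["verify_with_user_domain"] else request_tenant


if __name__ == "__main__":
    cfg = load_saml_authenticator(SAMPLE_AUTHENTICATORS_XML)
    for finding in check_config(cfg, "carbonServer2", clustered=True, lb_host="lb.example.com"):
        print("finding:", finding)
    tenant = resolve_request_tenant("https://is.com:9443/samlsso?tenantDomain=foo.com", "travelocity.com")
    print("request tenant:", tenant, "| verifying key:", verifying_tenant(cfg, tenant, "bar.com"))
```

Run against a real file by reading it into `load_saml_authenticator`; the clustered check is the one that most often slips through, since a copied single-node file keeps the localhost IdentityProviderSSOServiceURL and then only works while the Identity Server happens to be on the same host.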
Configuring WSO2 Governance Registry
...