Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This topic provides instructions on how to create a service provider and identity provider in the WSO2 Identity Server using configuration files which is typically used during the deployment stage. This is done so that multiple tenants in the Identity Server can have the same identity provider.

...

  1. Open the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/sso-idp-config.xml file and add the following configuration under the  <SSOIdentityProviderConfig>  properties
    <ServiceProviders>  tag. This adds thetravelocity application as a service provider.

    Code Block
    languagexml
    <ServiceProvider>
        <Issuer>travelocity.com</Issuer>
        <AssertionConsumerServiceURLs>
          <AssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL>
        </AssertionConsumerServiceURLs>
        <DefaultAssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</DefaultAssertionConsumerServiceURL>
        <EnableSingleLogout>true</EnableSingleLogout>
        <SLOResponseURL></SLOResponseURL>
        <SLORequestURL></SLORequestURL>
        <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI>
        <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI>
        <SignResponse>true</SignResponse>
        <ValidateSignatures>false</ValidateSignatures>
        <EncryptAssertion>true</EncryptAssertion>
        <CertAlias></CertAlias>
        <EnableAttributeProfile>true</EnableAttributeProfile>
        <IncludeAttributeByDefault>true</IncludeAttributeByDefault>
        <ConsumingServiceIndex>2104589</ConsumingServiceIndex>
        <EnableAudienceRestriction>false</EnableAudienceRestriction>
        <AudiencesList>
          <Audience></Audience>
        </AudiencesList>
        <EnableRecipients>false</EnableRecipients>
        <RecipientList>
          <Recipient></Recipient>
        </RecipientList>
        <EnableIdPInitiatedSSO>false</EnableIdPInitiatedSSO>
        <EnableIdPInitSLO>false</EnableIdPInitSLO>
        <ReturnToURLList>
          <ReturnToURL></ReturnToURL>
        </ReturnToURLList>
    </ServiceProvider>
    Tip

    Tip: If the incoming SAML requests from the client (e.g., travelocity.com) are signed, and the service provider Identity Server instance needs to validate the signature included in the authentication and logout requests, do the following:

    1. Import the public certificate of the client to the primary keystore (e.g., wso2carbon.jks)
    2. Add the corresponding certificate alias name to the <CertAlias> property and set the <ValidateSignatures> property to true in the sso-idp-config.xml file.

    Note
    Warning

    To configure SAML Back-Channel Logout and SAML Front-Channel Logout described below, apply the 4062 WUM update to WSO2 IS 5.7.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

    In the above configuration, the single logout is supported by Back-Channel Logout. In order to use SAML Front-Channel Logout, add the following properties under <ServiceProvider> tag.

    To enable SAML Front-Channel Logout with HTTP Redirect Binding

    Code Block
    <EnableSingleLogout>true</EnableSingleLogout><EnableFrontChannelLogout>true</EnableFrontChannelLogout>
    <FrontChannelLogoutBinding>HTTPRedirectBinding</FrontChannelLogoutBinding>

    To enable SAML Front-Channel Logout with HTTP POST Binding

    Code Block
    <EnableSingleLogout>true</EnableSingleLogout><EnableFrontChannelLogout>true</EnableFrontChannelLogout>
    <FrontChannelLogoutBinding>HTTPPostBinding</FrontChannelLogoutBinding>
  2. Create a file named travelocity.com.xml in the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/service-providers directory.
  3. Add the following configurations into the travelocity.com.xml file you created. This adds the necessary SAML configurations to thetravelocity service provider.

    Note

    If you added the "SHARED_" prefix to the identity provider name when adding the identity provider, replace the  <IdentityProviderName>  value (found under the  <LocalAndOutBoundAuthenticationConfig>  element) in the travelocity.com.xml  file, with the following value.

    Code Block
    SHARED_identityProviderIDP_IS
    Code Block
    languagexml
    <ServiceProvider>
        <ApplicationID>3</ApplicationID>
        <ApplicationName>travelocity.com</ApplicationName>
        <Description>travelocity Service Provider</Description>
        <IsSaaSApp>true</IsSaaSApp>
        <InboundAuthenticationConfig>
            <InboundAuthenticationRequestConfigs>
                <InboundAuthenticationRequestConfig>
                    <InboundAuthKey>travelocity.com</InboundAuthKey>
                    <InboundAuthType>samlsso</InboundAuthType>
                    <Properties></Properties>
                </InboundAuthenticationRequestConfig>
            </InboundAuthenticationRequestConfigs>
        </InboundAuthenticationConfig>
      
        <LocalAndOutBoundAuthenticationConfig>
        <AuthenticationSteps>
            <AuthenticationStep>
                <StepOrder>1</StepOrder>
                <LocalAuthenticatorConfigs>
                    <LocalAuthenticatorConfig>
                        <Name>BasicAuthenticator</Name>
                        <DisplayName>basicauth</DisplayName>
                        <IsEnabled>true</IsEnabled>
                    </LocalAuthenticatorConfig>
                </LocalAuthenticatorConfigs>
                <FederatedIdentityProviders>
                    <IdentityProvider>
                        <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
                        <IsEnabled>true</IsEnabled>
                        <DefaultAuthenticatorConfig>
                            <FederatedAuthenticatorConfigs>
                                <FederatedAuthenticatorConfig>
                                    <Name>SAMLSSOAuthenticator</Name>
                                    <DisplayName>samlsso</DisplayName>
                                    <IsEnabled>true</IsEnabled>
                                </FederatedAuthenticatorConfig>
                            </FederatedAuthenticatorConfigs>
                        </DefaultAuthenticatorConfig>
                    </IdentityProvider>
                </FederatedIdentityProviders>
                <SubjectStep>true</SubjectStep>
                <AttributeStep>true</AttributeStep>
            </AuthenticationStep>
        </AuthenticationSteps>
    	<subjectClaimUri> <!--selected URI --> </subjectClaimUri>
    </LocalAndOutBoundAuthenticationConfig>
        <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
        <InboundProvisioningConfig></InboundProvisioningConfig>
        <OutboundProvisioningConfig></OutboundProvisioningConfig>
        <ClaimConfig>
            <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
            <LocalClaimDialect>true</LocalClaimDialect><ClaimMappings><ClaimMapping><LocalClaim><ClaimUri>http://wso2.org/claims/givenname</ClaimUri></LocalClaim><RemoteClaim><ClaimUri>http://wso2.org/claims/givenName</ClaimUri>ClaimUri></RemoteClaim><RequestClaim>true</RequestClaim></ClaimMapping></ClaimMappings></ClaimConfig>    
        <PermissionAndRoleConfig></PermissionAndRoleConfig>
    </ServiceProvider>
  4. Restart the WSO2 Identity Server to apply the file-based configurations to the system. 

    Note

    Please note that the management console will not show the SP related configuration information if it is loaded through a file (as shown above)

...