...
Enable SSO in the following configuration files, under the
ssoConfigurationsection:config.jsonfile, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/configdirectory.store.jsonfile, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/configdirectory.publisher.jsonfile, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/configdirectory.Code Block "enabled" : true,
Configure the Identity Provider (IdP) in the following configuration files, under the
ssoConfigurationsection:Tip For example, you can use the following steps to configure WSO2 Identity Server (IS) as an Identity Provider (IdP). For more information on configuring IS, see enabling SSO for WSO2 servers.
config.jsonfile, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/configdirectory.store.jsonfile, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/configdirectory.publisher.jsonfile, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/configdirectory.
Localtabgroup Localtab active true title config.json Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag", "responseSigningEnabled" : "true", "keyStorePassword" : "wso2carbon", "identityAlias" : "wso2carbon", "keyStoreName" : "/repository/resources/security/wso2carbon.jks"
Localtab title store.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "storeAcs" : "%https.host%/store/acs", "keyStoreName": "/repository/resources/security/wso2carbon.jks"
Localtab title publisher.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "publisherAcs": "%https.host%/publisher/sso", "keyStoreName": "/repository/resources/security/wso2carbon.jks"
Expand title Click here for IdP related property definitions. The IdP related property definitions are as follows:
IdentityProviderURL- Provide the URL that defines where the user should navigate when signing in.keyStorePassword- Provide the Key Store password.identityAlias- Provide the Key Store identity alias or username.keyStoreName- Provide the Identity Providers (e.g., WSO2 IS) public key value.Info The
keyStorePasswordandidentityAliasare defined under<KeyStore>in thecarbon.xmlfile, which is in the<EMM_HOME>/repository/confdirectory.Expand title Click here for to view the KeyStore attributes. Code Block <KeyStore> <!-- Keystore file location--> <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location> <!-- Keystore type (JKS/PKCS12 etc.)--> <Type>JKS</Type> <!-- Keystore password--> <Password>wso2carbon</Password> <!-- Private Key alias--> <KeyAlias>wso2carbon</KeyAlias> <!-- Private Key password--> <KeyPassword>wso2carbon</KeyPassword> </KeyStore>storeAcs- Provide the Assertion Consumer URL, which is the redirecting URL, for the Store.publisherAcs- Provide the Assertion Consumer URL, which is the redirecting URL, for the Publisher.
Note By default, an Identity Provider (IdP) has been bundled with the EMM binary pack. If you wish to use this default IdP in EMM, modify the
host/ipto the Server IP. If you wish to use your own IdP, modify thehost/ipto your own IdP's host in the following files:Localtabgroup Localtab active true title config.json Update the
config.jsonfile, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/configdirectory.Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag",
Localtab title store.json Update the
store.jsonfile, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/configdirectory.Code Block "identityProviderURL": "%https.host%/samlsso",
Localtab title publisher.json Update the
publisher.jsonfile, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/configdirectory.Code Block "identityProviderURL": "%https.host%/samlsso",
Update the SSO related IDP configurations in the
sso-idp-config.xmlfile, which is in the<EMM_HOME>/repository/conf/identitydirectory, by updating all the entries that statelocalhostto your IDP's IP address or domain.Code Block <ServiceProvider> <Issuer>mdm</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</DefaultAssertionConsumerServiceURL> <SignAssertion>true</SignAssertion> <SignResponse>true</SignResponse> <EnableAttributeProfile>false</EnableAttributeProfile> <IncludeAttributeByDefault>false</IncludeAttributeByDefault> <Claims> <Claim>http://wso2.org/claims/role</Claim> <Claim>http://wso2.org/claims/emailaddress</Claim> </Claims> <EnableSingleLogout>false</EnableSingleLogout> <SingleLogoutUrl /> <EnableAudienceRestriction>true</EnableAudienceRestriction> <EnableRecipients>true</EnableRecipients> <AudiencesList> <Audience>https://localhost:9443/oauth2/token</Audience> </AudiencesList> <RecipientList> <Recipient>https://localhost:9443/oauth2/token</Recipient> </RecipientList> <ConsumingServiceIndex /> </ServiceProvider> <ServiceProvider> <Issuer>store</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/store/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/store/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/store/login.jag</CustomLoginPage> </ServiceProvider> <ServiceProvider> <Issuer>social</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/social/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/social/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/social/login</CustomLoginPage> </ServiceProvider> <ServiceProvider> <Issuer>publisher</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/publisher/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/publisher/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/publisher/controllers/login.jag</CustomLoginPage> </ServiceProvider>Running If you are running WSO2 EMM on a cluster setup or a virtual machine? If yes, you need to must configure the following fields under
<SSOConfiguration>in theapp-manager.xmlfile that is in the<EMM_HOME>/repository/confdirectory.IdentityProviderUrlproviderURL
Info - By default,
<EMM_HOST>islocalhost.However, if you are using a public IP, the respective IP address or domain needs to be specified. - By default,
<EMM_HTTPS_PORT>has been set to 9443. However, if the port offset has been incremented byn, the default port value needs to be incremented byn.
Code Block <!-- AppManager uses SAML SSO as default authentication mechanism for the web apps. Following configuration defines the configurations of the IDP which is used as the SSO provider. --> <SSOConfiguration> <!-- URL of the IDP use for SSO --> <IdentityProviderUrl>https://<EMM_HOST>:<EMM_HTTPS_PORT>/samlsso</IdentityProviderUrl> <Configurators> <Configurator> <name>wso2is</name> <version>5.0.0</version> <providerClass>org.wso2.carbon.appmgt.impl.idp.sso.configurator.IS500SAMLSSOConfigurator</providerClass> <parameters> <providerURL>https://<EMM_HOST>:<EMM_HTTPS_PORT></providerURL> <username>admin</username> <password>admin</password> </parameters> </Configurator> </Configurators> </SSOConfiguration>Enable authentication session persistence by uncommenting the following configuration in the
<EMM_HOME>/repository/conf/identity.xmlfile, under theServerandJDBCPersistenceManagerelements.Code Block <SessionDataPersist> <Enable>true</Enable> <RememberMePeriod>20160</RememberMePeriod> <CleanUp> <Enable>true</Enable> <Period>1440</Period> <TimeOut>20160</TimeOut> </CleanUp> <Temporary>false</Temporary> </SessionDataPersist>Expand title Click here for more information on the configurations. Configuration element Description EnableThis enables the persistence of session data. Therefore, this must be configured to
trueif you wish to enable session persistence.RememberMePeriodThis is the time period (in minutes) that the remember me option should be valid. After this time period, the users are logged out even if they enable the remember me option. The default value for this configuration element is 2 weeks.
CleanUpThis section of the configuration is related to the cleaning up of session data. The cleanup task runs on a daily basis (once a day) by default unless otherwise configured in the
Periodtag. When this cleanup task is executed, it removes session data that is older than 2 weeks, unless otherwise specified in theTimeOuttag.EnableSelecting true here enables the cleanup task and ensures that it starts running. PeriodThis is the time period (in minutes) that the cleanup task would run. The default value is 1 day.
TimeOutThis is the timeout value (in minutes) of the session data that is removed by the cleanup task. The default value is 2 weeks.
TemporarySetting this to
trueenables persistence of temporary caches that are created within an authentication request.
...