This section guides you through the inbound authentication configurations you can include in a service provider application.
...
```xml
<xsd1:inboundAuthenticationConfig>
   <!--Zero or more repetitions:-->
   <xsd1:inboundAuthenticationRequestConfigs>
      <!--Optional:-->
      <xsd1:inboundAuthKey>issuer.1</xsd1:inboundAuthKey>
      <!--Optional:-->
      <xsd1:inboundAuthType>samlsso</xsd1:inboundAuthType>
      <!--Zero or more repetitions:-->
      <xsd1:properties>
         <!--Optional:-->
         <xsd1:name>attrConsumServiceIndex</xsd1:name>
         <!--Optional:-->
         <xsd1:value>354785936</xsd1:value>
      </xsd1:properties>
   </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
Parameter | Type | Description
---|---|---
inboundAuthKey | String | Specify the issuer here, which is the unique identifier of the service provider. This is also the issuer value specified in the SAML Authentication Request issued by the service provider.
inboundAuthType | String | For SAML 2.0, the authentication type should be ‘samlsso’

Property Name | Property Value
---|---
attrConsumServiceIndex | This is the attribute consuming service index. The service provider should send this in the SAML request to get attributes of the authenticated subject.
Configuring OAuth/OpenID Connect
To add a service provider with OAuth capability, add an OAuth application through the OAuthAdminService exposed at https://<IS_HOST>:<IS_PORT>/services/OAuthAdminService?wsdl.
The following sample request shows how to add the OAuth application. The registerOAuthApplicationData function is used to add the OAuth application data to the service provider.
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://org.apache.axis2/xsd"
                  xmlns:xsd1="http://dto.oauth.identity.carbon.wso2.org/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:registerOAuthApplicationData>
         <!--Optional:-->
         <xsd:application>
            <!--Optional:-->
            <xsd1:OAuthVersion>Oauth-2.0</xsd1:OAuthVersion>
            <!--Optional:-->
            <xsd1:applicationName>TestApp</xsd1:applicationName>
            <!--Optional:-->
            <xsd1:callbackUrl>http://localhost:8080/oauth2client</xsd1:callbackUrl>
            <!--Optional:-->
            <xsd1:grantTypes>authorization_code implicit password client_credentials refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer iwa:ntlm</xsd1:grantTypes>
         </xsd:application>
      </xsd:registerOAuthApplicationData>
   </soapenv:Body>
</soapenv:Envelope>
```
Once the OAuth application data is added, include the issuer details in the inbound authentication configuration. The inboundAuthKey and oauthConsumerSecret can be obtained by calling the getOAuthApplicationDataByAppName function of the OAuthAdminService, as seen in the request below.
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getOAuthApplicationDataByAppName>
         <!--Optional:-->
         <xsd:appName>TestApp</xsd:appName>
      </xsd:getOAuthApplicationDataByAppName>
   </soapenv:Body>
</soapenv:Envelope>
```
The response of getOAuthApplicationDataByAppName contains the oauthConsumerKey and oauthConsumerSecret, which are required to configure OAuth for the service provider.
Parameter | Type | Description
---|---|---
inboundAuthKey | String | OAuth client key
inboundAuthType | String | For OAuth, the authentication type should be ‘oauth2’

Property Name | Property Value
---|---
oauthConsumerSecret | OAuth client secret
```xml
<xsd1:inboundAuthenticationConfig>
   <!--Zero or more repetitions:-->
   <xsd1:inboundAuthenticationRequestConfigs>
      <!--Optional:-->
      <xsd1:inboundAuthKey>XhFbH1qEarpg0bqcGG_utaRa2wka</xsd1:inboundAuthKey>
      <!--Optional:-->
      <xsd1:inboundAuthType>oauth</xsd1:inboundAuthType>
      <!--Zero or more repetitions:-->
      <xsd1:properties>
         <!--Optional:-->
         <xsd1:name>oauthConsumerSecret</xsd1:name>
         <!--Optional:-->
         <xsd1:value>D3AARDfI6BRqls7k6eqiZk4J8QYa</xsd1:value>
      </xsd1:properties>
   </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
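The two-step OAuth flow above (register the application, then fetch its consumer key and secret and place them in the inbound authentication configuration) and the inboundAuthenticationConfig fragment used by the SAML section are easy to get subtly wrong by hand, most often by pasting a secret or issuer containing `&` or `<` into raw XML. The following Python script is an added example, not code from the WSO2 documentation or product: it builds the two OAuthAdminService envelopes with ElementTree so every value is escaped, checks a response for a SOAP Fault before trusting it, extracts oauthConsumerKey and oauthConsumerSecret, and emits the inboundAuthenticationConfig fragment. The response and fault envelopes are constructed samples, the `xsd1` prefix in the emitted fragment is assumed to be declared by the enclosing request as on the page, and the inbound auth type is a parameter because the table above lists ‘oauth2’ while the sample block uses ‘oauth’.

```python
# Added example (not part of the WSO2 documentation). Standard library only.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS_NS = "http://org.apache.axis2/xsd"                        # 'xsd' prefix on the page
OAUTH_DTO_NS = "http://dto.oauth.identity.carbon.wso2.org/xsd"  # 'xsd1' in the OAuth request

# Register the prefixes so serialized requests look like the page's samples.
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("xsd", AXIS_NS)
ET.register_namespace("xsd1", OAUTH_DTO_NS)


def _q(ns, local):
    """Clark-notation tag name ({namespace}local) for ElementTree."""
    return "{%s}%s" % (ns, local)


def _envelope():
    """Empty SOAP 1.1 envelope; returns (root, body)."""
    env = ET.Element(_q(SOAP_NS, "Envelope"))
    ET.SubElement(env, _q(SOAP_NS, "Header"))
    return env, ET.SubElement(env, _q(SOAP_NS, "Body"))


def build_register_request(app_name, callback_url, grant_types):
    """registerOAuthApplicationData envelope. ElementTree escapes text, so a
    name or URL containing <, & or quotes cannot break out of its element."""
    env, body = _envelope()
    op = ET.SubElement(body, _q(AXIS_NS, "registerOAuthApplicationData"))
    app = ET.SubElement(op, _q(AXIS_NS, "application"))
    ET.SubElement(app, _q(OAUTH_DTO_NS, "OAuthVersion")).text = "Oauth-2.0"  # value as in the page's sample
    ET.SubElement(app, _q(OAUTH_DTO_NS, "applicationName")).text = app_name
    ET.SubElement(app, _q(OAUTH_DTO_NS, "callbackUrl")).text = callback_url
    # grant types travel as one space-separated string, as in the page's sample
    ET.SubElement(app, _q(OAUTH_DTO_NS, "grantTypes")).text = " ".join(grant_types)
    return ET.tostring(env, encoding="unicode")


def build_app_data_request(app_name):
    """getOAuthApplicationDataByAppName envelope."""
    env, body = _envelope()
    op = ET.SubElement(body, _q(AXIS_NS, "getOAuthApplicationDataByAppName"))
    ET.SubElement(op, _q(AXIS_NS, "appName")).text = app_name
    return ET.tostring(env, encoding="unicode")


def is_soap_fault(xml_bytes):
    """True when the Body carries a SOAP 1.1 Fault instead of a result."""
    return ET.fromstring(xml_bytes).find(".//" + _q(SOAP_NS, "Fault")) is not None


def parse_app_data_response(xml_bytes):
    """Return (oauthConsumerKey, oauthConsumerSecret); fail loudly on a
    Fault or on a response that lacks either value."""
    if is_soap_fault(xml_bytes):
        raise ValueError("service returned a SOAP Fault")
    root = ET.fromstring(xml_bytes)
    key = root.findtext(".//" + _q(OAUTH_DTO_NS, "oauthConsumerKey"))
    secret = root.findtext(".//" + _q(OAUTH_DTO_NS, "oauthConsumerSecret"))
    if not key or not secret:
        raise ValueError("response lacks oauthConsumerKey or oauthConsumerSecret")
    return key, secret


def build_inbound_auth_config(auth_key, auth_type, properties=None):
    """inboundAuthenticationConfig fragment as in the SAML and OAuth blocks.
    Assumes the xsd1 prefix is declared by the enclosing request (as on the
    page); every value is XML-escaped."""
    lines = ["<xsd1:inboundAuthenticationConfig>",
             "   <xsd1:inboundAuthenticationRequestConfigs>",
             "      <xsd1:inboundAuthKey>%s</xsd1:inboundAuthKey>" % escape(auth_key),
             "      <xsd1:inboundAuthType>%s</xsd1:inboundAuthType>" % escape(auth_type)]
    for name, value in (properties or {}).items():
        lines += ["      <xsd1:properties>",
                  "         <xsd1:name>%s</xsd1:name>" % escape(name),
                  "         <xsd1:value>%s</xsd1:value>" % escape(value),
                  "      </xsd1:properties>"]
    lines += ["   </xsd1:inboundAuthenticationRequestConfigs>",
              "</xsd1:inboundAuthenticationConfig>"]
    return "\n".join(lines)


def oauth_inbound_config(response_bytes, auth_type):
    """Chain the steps: consumer key becomes inboundAuthKey, the secret the
    oauthConsumerSecret property named in the table above."""
    key, secret = parse_app_data_response(response_bytes)
    return build_inbound_auth_config(key, auth_type, {"oauthConsumerSecret": secret})


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getOAuthApplicationDataByAppNameResponse xmlns:ns="http://org.apache.axis2/xsd">
      <ns:return xmlns:ax="http://dto.oauth.identity.carbon.wso2.org/xsd">
        <ax:applicationName>TestApp</ax:applicationName>
        <ax:oauthConsumerKey>CONSTRUCTED_KEY_0123</ax:oauthConsumerKey>
        <ax:oauthConsumerSecret>CONSTRUCTED_SECRET_4567</ax:oauthConsumerSecret>
      </ns:return>
    </ns:getOAuthApplicationDataByAppNameResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed fault, the shape a lookup of an unknown app name would return.
SAMPLE_FAULT = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode>
  <faultstring>constructed fault</faultstring></soapenv:Fault></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(build_register_request("TestApp", "http://localhost:8080/oauth2client",
                                 ["authorization_code", "refresh_token"]))
    print(build_app_data_request("TestApp"))
    print(oauth_inbound_config(SAMPLE_RESPONSE, "oauth2"))
```

Send the envelopes to the OAuthAdminService endpoint over HTTPS with the admin credentials you already use for that service; the generated fragment is then embedded in the application update request in place of the hand-written block. Because the consumer secret is returned in clear text by getOAuthApplicationDataByAppName, treat the response the way you treat the secret itself and keep it out of logs.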
Configuring WS-Trust Security Token service
To configure a service provider with the WS-Trust Security Token Service (STS), add a trusted service through the STSAdminService exposed at https://<IS_HOST>:<IS_PORT>/services/STSAdminService?wsdl.
The following sample request shows how to add the trusted service using the addTrustedService function.
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ser="http://service.sts.security.carbon.wso2.org">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:addTrustedService>
         <!--Optional:-->
         <ser:serviceAddress>https://example.com</ser:serviceAddress>
         <!--Optional:-->
         <ser:certAlias>wso2carbon.cert</ser:certAlias>
      </ser:addTrustedService>
   </soapenv:Body>
</soapenv:Envelope>
```
Once the trusted service is registered, its service address is used as the <inboundAuthKey> in the <inboundAuthenticationConfig> element.
```xml
<xsd1:inboundAuthenticationConfig>
   <!--Zero or more repetitions:-->
   <xsd1:inboundAuthenticationRequestConfigs>
      <!--Optional:-->
      <xsd1:inboundAuthKey>https://example.com</xsd1:inboundAuthKey>
      <!--Optional:-->
      <xsd1:inboundAuthType>wstrust</xsd1:inboundAuthType>
   </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
Parameter | Type | Description
---|---|---
inboundAuthKey | String | The endpoint address of the trusted service.
inboundAuthType | String | For the WS-Trust Security Token Service, the authentication type should be ‘wstrust’
Properties | - | No specific properties to define
Configuring WS-Federation (passive)
```xml
<xsd1:inboundAuthenticationConfig>
   <!--Zero or more repetitions:-->
   <xsd1:inboundAuthenticationRequestConfigs>
      <!--Optional:-->
      <xsd1:inboundAuthKey>TestSP</xsd1:inboundAuthKey>
      <!--Optional:-->
      <xsd1:inboundAuthType>passivests</xsd1:inboundAuthType>
   </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
Parameter | Type | Description
---|---|---
inboundAuthKey | String | Passive STS realm identifier
inboundAuthType | String | For the WS-Federation (Passive) configuration, the authentication type should be ‘passivests’
Properties | - | No specific properties to define
Configuring OpenID
```xml
<xsd1:inboundAuthenticationConfig>
   <!--Zero or more repetitions:-->
   <xsd1:inboundAuthenticationRequestConfigs>
      <!--Optional:-->
      <xsd1:inboundAuthKey>TestSP</xsd1:inboundAuthKey>
      <!--Optional:-->
      <xsd1:inboundAuthType>openid</xsd1:inboundAuthType>
   </xsd1:inboundAuthenticationRequestConfigs>
</xsd1:inboundAuthenticationConfig>
```
Parameter | Type | Description
---|---|---
inboundAuthKey | String | OpenID realm identifier
inboundAuthType | String | For the OpenID configuration, the authentication type should be ‘openid’
Properties | - | No specific properties to define
...