Page Comparison

...

For example, let's take a common JDBC user store (MySQL) for both the WSO2 IS and WSO2 API Manager.

1. Download WSO2 API Manager 1.10.0 from here and unzip it. <APIM_HOME> refers to the root folder where WSO2 APIM was unzipped.

2. Create a MySQL database (e.g., 410_um_db) and run the <APIM_HOME>/dbscripts/mysql.sql script on it to create the required tables. 
   If you are using a different database type, find the relevant script from the <APIM_HOME>/dbscripts directory.

3. Open the <APIM_HOME>/repository/conf/datasources/master-datasources.xml file and add the datasource configuration for the database that you use for the shared user store and user management information. For example,

   Code Block
   language html/xml
   <datasource> <name>WSO2_UM_DB</name> <description>The datasource used for registry and user manager</description> <jndiConfig> <name>jdbc/WSO2UMDB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/410_um_db</url> <username>username</username> <password>password</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>50</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> </configuration> </definition> </datasource>

4. Add the same datasource configuration above to <IS_HOME>/repository/conf/datasources/master-datasources.xml file.

5. Copy the database driver JAR file to the <IS_HOME>/repository/components/lib and <APIM_HOME>/repository/components/lib directories.

6. Open the <APIMDownload WSO2 Identity Server (WSO2 IS) 5.1.0 from here and unzip it. <IS_HOME> refers to the root folder where WSO2 IS was unzipped.
   

   Tip
   If you plan on using WSO2 IS as Key Manager as well, you can download the WSO2 Identity Server 5.1.0 as a Key Manager pack, which has Key Manager features pre-packaged with WSO2 IS, from here.

7. Add the same datasource configuration above to <IS_HOME>/repository/conf/datasources/usermaster-mgtdatasources.xml file. The dataSource property points to the default H2 database. Change it to the

8. Copy the database driver JAR file to the <IS_HOME>/repository/components/lib and <APIM_HOME>/repository/components/lib directories.

9. Open the <APIM_HOME>/repository/conf/user-mgt.xml file. The dataSource property points to the default H2 database. Change it to the jndiConfig name given above (i.e., jdbc/WSO2UMDB). This changes the datasource reference that is pointing to the default H2 database.

   Code Block
   language html/xml
   <Realm> <Configuration> ... <Property name="dataSource">jdbc/WSO2UMDB</Property> </Configuration> ... </Realm>

10. Add the same configuration above to the <IS_HOME>/repository/conf/user-mgt.xml file.

11. The Identity Server has an embedded LDAP user store by default. As this is enabled by default, follow the instructions in Internal JDBC User Store Configuration to disable the default LDAP and enable the JDBC user store instead.

...

1. Create a MySQL database (e.g., registry) and run the <IS_HOME>/dbscripts/mysql.sql script on it to create the required tables. 
   If you are using a different database type, find the relevant script from the <IS_HOME>/dbscripts  directory.

2. Add the following datasource configuration to both the <IS_HOME>/repository/conf/datasources/master-datasources.xml and <APIM_HOME>/repository/conf/datasources/master-datasources.xml files.

   Code Block
   language xml
   <datasource> <name>WSO2REG_DB</name> <description>The datasource used for registry</description> <jndiConfig> <name>jdbc/WSO2REG_DB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url> <username>apiuser</username> <password>apimanager</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>50</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> </configuration> </definition> </datasource>

3. Create the registry mounts by inserting the following sections into the <IS_HOME>/repository/conf/registry.xml file.

   Tip
   When doing this change, do not replace the existing <dbConfig> for "wso2registry". Simply add the following configuration to the existing configurations.

   Code Block
   language xml
   <dbConfig name="govregistry"> <dataSource>jdbc/WSO2REG_DB</dataSource> </dbConfig> <remoteInstance url="https://localhost"> <id>gov</id> <dbConfig>govregistry</dbConfig> <readOnly>false</readOnly> <enableCache>true</enableCache> <registryRoot>/</registryRoot> </remoteInstance> <mount path="/_system/governance" overwrite="true"> <instanceId>gov</instanceId> <targetPath>/_system/governance</targetPath> </mount> <mount path="/_system/config" overwrite="true"> <instanceId>gov</instanceId> <targetPath>/_system/config</targetPath> </mount>

4. Repeat the above step in the <APIM_HOME>/repository/conf/registry.xml file as well.

Next, let us look at the SSO configurations. 

Configuring WSO2 Identity Server as a SAML 2.0 SSO Identity Provider

1. Start the IS server and log in to its as well.

Next, let us look at the SSO configurations. 

Configuring WSO2 Identity Server as a SAML 2.0 SSO Identity Provider

1. Start the WSO2 Identity Server.

   Code Block
   ./wso2server.sh -DportOffset=1

   Info
   title What is port offset?
   The port offset feature allows you to run multiple WSO2 products, multiple instances of a WSO2 product, or multiple WSO2 product clusters on the same server or virtual machine (VM). The port offset defines the number by which all ports defined in the runtime, such as the HTTP/S ports, will be offset. For example, if the HTTPS port is defined as 9443 and the portOffset is 1, the effective HTTPS port will be 9444.

2. Sign in to the WSO2 IS Management Console UI (https://localhost:9443/carbon).

   Tip
   If you use login signin pages that are hosted externally to log sign in to the Identity Server, give the absolute URLs of those login pages in the authenticators.xml and application-authenticators.xml files in the <IS_HOME>/repository/conf/identity directory.

3. Select Add under Service Providers menu.
   

4. Give a service provider name and click Register.
   

   Tip

   In a multi tenanted environment, for all tenants to be able to log in to the APIM Web applications, do the following: Click the SaaS Application option that appears after registering the service provider. If not, only users in the current tenant domain (the one you are defining the service provider in) will be allowed to log in to the Web application and you have to register new service providers for all Web applications (API Store and API Publisher in this case) from each tenant space separately. For example, let's say you have three tenants as TA, TB and TC and you register the service provider in TA only. If you tick the SaaS Application option, all users in TA, TB, TC tenant domains will be able to log in. Else, only users in TA will be able to log in. Add the following inside the <SSOService> element in the <IS_HOME>/repository/conf/identity/identity.xml file and restart the server. Code Block <SSOService> <UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto> ... </SSOService> If not, you get an exception as SAML response signature verification fails. Because the servers in a multi-tenanted environment interact with all tenants, all nodes should share the same user store. Therefore, make sure you have a shared registry (JDBC mount, WSO2 Governance Registry etc.) instance across all nodes.

5. You are navigated to the detailed configuration page. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section. Click Configure.

6. Provide the configurations to register the API Publisher as the SSO service provider. These sample values may change depending in your configuration.

   • Issuer : API_PUBLISHER
   • Assertion Consumer URL : https://localhost:9443/publisher/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL for the acs page in your running publisher app.

   • Select the following options:

     • Enable Response Signing

     • Enable Signature Validation in Authentication Requests and Logout Requests

     • Enable Assertion Signing

     • Enable Single Logout

   • Click Register once done.

   For example:
   

7. Similarly, provide the configurations to register the API Store as the SSO service provider. These sample values may change depending in your configuration.

   • Issuer : API_STORE
   • Assertion Consumer URL :  https://localhost:9443/store/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL for the acs page in your running store app.
   • Select the following options:
     
     • Use fully qualified username in the NameID
     • Enable Response Signing
     • Enable Assertion Signing
     • Enable Single Logout
   • Click Register once done.
8. Make sure that the responseSigningEnabled element is set to true in both the following files:
   
   • <APIM_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json

   • <APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json


     Info
     For more details on configuring WSO2 Identity Server 5.1.0 see, Configuring the service provider.

...