Single sign-on (SSO) allows users, who are authenticated against one application, gain access to multiple other related applications as well without having to repeatedly authenticate themselves. It also allows the web applications gain access to a set of back-end services with the logged-in user's access rights, and the back-end services can authorize the user based on different claims like user role.
...
1. Open the <AM_HOME>/repository/conf/datasources/master-datasources.xml file and add the datasource configuration for the relevant database. See example below.
| Code Block | ||
|---|---|---|
| ||
<datasource>
<name>WSO2_UM_DB</name>
<description>The datasource used for registry and user manager</description>
<jndiConfig>
<name>jdbc/WSO2UMDB</name>
</jndiConfig>
<definition type="RDBMS">
<configuration>
<url>jdbc:mysql://localhost:3306/410_um_db</url>
<username>username</username>
<password>password</password>
<driverClassName>com.mysql.jdbc.Driver</driverClassName>
<maxActive>50</maxActive>
<maxWait>60000</maxWait>
<testOnBorrow>true</testOnBorrow>
<validationQuery>SELECT 1</validationQuery>
<validationInterval>30000</validationInterval>
</configuration>
</definition>
</datasource> |
Note : You need to place the relevant database driver jar file in the <AM_HOME>/repository/components/lib directory.
Note : To create the database schema, you can use the relevant script found in the <AM_HOME>/dbscripts directory.
2. Add the same datasource configuration in the <IS_HOME>/repository/conf/datasources/master-datasources.xml file.
Note: You need to place the relevant database driver jar file in the <IS_HOME>/repository/components/lib directory.
3. Open the <AM_HOME>/repository/conf/user-mgt.xml file and change its 'dataSource' property name to the jndiConfig name given above (jdbc/WSO2UMDB).
Ex: <Property name="dataSource">jdbc/WSO2UMDB</Property>
4. Have the same configuration as above in the <IS_HOME>/repository/conf/user-mgt.xml file as well.
5. The WSO2 Identity Server has an embedded LDAP user store by default. Follow the instructions on Internal JDBC User Store Configuration to disable the default LDAP and to use the JDBC User Store instead.
6. Open the <IS_HOME>/repository/conf/security/application-authenticators.xml and change the 'loginPage' IP and port, accordingly.
SSO configuration instructions are given below.
| Table of Contents | ||||
|---|---|---|---|---|
|
Configuring WSO2 Identity Server as a SAML 2.0 SSO Identity Provider
1. Download and set up WSO2 Identity Server. Instructions can be found in the Installation Guide of IS documentation (http://docs.wso2.org/wiki/display/IS410/Installation+Guide).
2. Start the IS server and log in to its Management Console UI.
3. Select the SAML SSO menu under the Main menu in the left pane.
4. The SAML SSO window opens. Add the following configurations under section Register New Service Provider to register the API Manager applications as SSO service providers. Use the exact same values, which were used to configure the API Manager web applications.
To register API Publisher as an SSO service provider:
- Issuer : API_PUBLISHER
- Assertion Consumer URL : https://localhost:9443/publisher/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the url for the acs page in your running publisher app.
Select the options Use fully qualified username in the SAML Response, Enable Response Signing, Enable Assertion Signing and Enable Single Logout.
- Click Register once done.
...
- Issuer : API_STORE
- Assertion Consumer URL : https://localhost:9443/store/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the url for the acs page in your running store app.
Select the options Use fully qualified username in the SAML Response, Enable Response Signing, Enable Assertion Signing and Enable Single Logout.
- Click Register once done.
...
3. Enter user credentials. If the user authentication is successful against WSO2 IS, it will redirect to the API Publisher web application with the user already authenticated. Next, access
4. Access the API Store application, click its Login link and verify that the same user is already authenticated in API Store as well.
...