...
```xml
<IdentityProvider>
    <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
    <DisplayName>identityProviderIDP_IS</DisplayName>
    <IdentityProviderDescription></IdentityProviderDescription>
    <Alias>https://localhost:9444/oauth2/token/</Alias>
    <IsPrimary></IsPrimary>
    <IsEnabled>true</IsEnabled>
    <IsFederationHub></IsFederationHub>
    <HomeRealmId></HomeRealmId>
    <ProvisioningRole></ProvisioningRole>
    <FederatedAuthenticatorConfigs>
        <saml2>
            <Name>SAMLSSOAuthenticator</Name>
            <DisplayName>samlsso</DisplayName>
            <IsEnabled>true</IsEnabled>
            <Properties>
                <property>
                    <Name>IdPEntityId</Name>
                    <Value>identityProviderIDP</Value>
                </property>
                <property>
                    <Name>IsLogoutEnabled</Name>
                    <Value>true</Value>
                </property>
                <property>
                    <Name>SPEntityId</Name>
                    <Value>travelocitySP</Value>
                </property>
                <property>
                    <Name>SSOUrl</Name>
                    <Value>https://localhost:9444/samlsso/</Value>
                </property>
                <property>
                    <Name>isAssertionSigned</Name>
                    <Value>false</Value>
                </property>
                <property>
                    <Name>commonAuthQueryParams</Name>
                    <Value></Value>
                </property>
                <property>
                    <Name>IsUserIdInClaims</Name>
                    <Value>false</Value>
                </property>
                <property>
                    <Name>IsLogoutReqSigned</Name>
                    <Value>false</Value>
                </property>
                <property>
                    <Name>IsAssertionEncrypted</Name>
                    <Value>false</Value>
                </property>
                <property>
                    <Name>IsAuthReqSigned</Name>
                    <Value>false</Value>
                </property>
                <property>
                    <Name>IsAuthnRespSigned</Name>
                    <Value>false</Value>
                </property>
                <property>
                    <Name>LogoutReqUrl</Name>
                    <Value>false</Value>
                </property>
            </Properties>
        </saml2>
    </FederatedAuthenticatorConfigs>
    <DefaultAuthenticatorConfig>SAMLSSOAuthenticator</DefaultAuthenticatorConfig>
    <ProvisioningConnectorConfigs>
    </ProvisioningConnectorConfigs>
    <DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig>
    <ClaimConfig></ClaimConfig>
    <Certificate></Certificate>
    <PermissionAndRoleConfig></PermissionAndRoleConfig>
    <JustInTimeProvisioningConfig></JustInTimeProvisioningConfig>
</IdentityProvider>
```
Tip: When studying the above configuration, you can identify the Service Provider Entity Id in the SPEntityId property:

```xml
<property>
    <Name>SPEntityId</Name>
    <Value>travelocitySP</Value>
</property>
```

About certificates: If the identity provider is WSO2 Identity Server, you can export its public certificate in PEM format. Open the certificate file with a text editor to see the certificate value, copy it, and place it in the file within the <Certificate> tag. Note that this applies only if the identity provider is the WSO2 Identity Server. If the identity provider is a third-party IdP, obtain its certificate in PEM format and read the value. You need to copy the entire content of the PEM file and place it between the <Certificate> tags.
...
Open the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/sso-idp-config.xml file and add the following configuration under the <ServiceProviders> tag of the <SSOIdentityProviderConfig> element. This adds the Travelocity application as a service provider.

```xml
<ServiceProvider>
    <Issuer>travelocity.com</Issuer>
    <AssertionConsumerServiceURLs>
        <AssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL>
    </AssertionConsumerServiceURLs>
    <DefaultAssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</DefaultAssertionConsumerServiceURL>
    <EnableSingleLogout>true</EnableSingleLogout>
    <SLOResponseURL></SLOResponseURL>
    <SLORequestURL></SLORequestURL>
    <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI>
    <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI>
    <SignResponse>true</SignResponse>
    <ValidateSignatures>false</ValidateSignatures>
    <EncryptAssertion>true</EncryptAssertion>
    <CertAlias></CertAlias>
    <EnableAttributeProfile>true</EnableAttributeProfile>
    <IncludeAttributeByDefault>true</IncludeAttributeByDefault>
    <ConsumingServiceIndex>2104589</ConsumingServiceIndex>
    <EnableAudienceRestriction>false</EnableAudienceRestriction>
    <AudiencesList>
        <Audience></Audience>
    </AudiencesList>
    <EnableRecipients>false</EnableRecipients>
    <RecipientList>
        <Recipient></Recipient>
    </RecipientList>
    <EnableIdPInitiatedSSO>false</EnableIdPInitiatedSSO>
    <EnableIdPInitSLO>false</EnableIdPInitSLO>
    <ReturnToURLList>
        <ReturnToURL></ReturnToURL>
    </ReturnToURLList>
</ServiceProvider>
```
Tip: If the incoming SAML requests from the client (e.g., travelocity.com) are signed, and the service provider Identity Server instance needs to validate the signature included in the authentication and logout requests, do the following:
- Import the public certificate of the client to the primary keystore (e.g., wso2carbon.jks).
- Add the corresponding certificate alias name to the <CertAlias> property and set the <ValidateSignatures> property to true in the sso-idp-config.xml file.
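The following script is an added example and is not part of the WSO2 documentation or product. It checks the two file-based definitions on this page against the points made in the certificate tip (the <Certificate> element of the identity provider file must carry the IdP's PEM certificate) and in the signature-validation tip above (<ValidateSignatures> must be true when the client signs its requests, and then <CertAlias> must name the imported certificate), and additionally flags the SHA-1 algorithm URIs in the sample. The XML strings are constructed from the page's values and trimmed to the relevant elements; the function names, the placeholder certificate bytes, the alias "travelocity" in the hardened sample and the SHA-256 algorithm URIs (standard XML-DSig identifiers, not taken from the page) are this example's own assumptions.

```python
"""Audit the file-based IdP and sso-idp-config.xml <ServiceProvider> entries.

Added example, not WSO2 code. Sample XML and the placeholder certificate
below are constructed for this example.
"""
import base64
import xml.etree.ElementTree as ET

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder bytes so that the PEM block decodes; not a real certificate.
_PLACEHOLDER_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (PEM_HEADER + "\n"
              + base64.encodebytes(_PLACEHOLDER_DER).decode("ascii")
              + PEM_FOOTER + "\n")

# Constructed sample: identity provider definition with <Certificate> still
# empty, as in the configuration above.
IDP_XML_EMPTY_CERT = """<IdentityProvider>
  <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
  <Certificate></Certificate>
</IdentityProvider>"""

# Constructed sample: the <ServiceProvider> entry with the page's values.
SP_XML_DEFAULT = """<ServiceProvider>
  <Issuer>travelocity.com</Issuer>
  <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI>
  <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI>
  <SignResponse>true</SignResponse>
  <ValidateSignatures>false</ValidateSignatures>
  <CertAlias></CertAlias>
</ServiceProvider>"""

# Constructed hardened variant: signature validation on, an assumed alias
# "travelocity" set, and the standard XML-DSig SHA-256 algorithm URIs.
SP_XML_HARDENED = """<ServiceProvider>
  <Issuer>travelocity.com</Issuer>
  <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</SAMLDefaultSigningAlgorithmURI>
  <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2001/04/xmlenc#sha256</SAMLDefaultDigestAlgorithmURI>
  <SignResponse>true</SignResponse>
  <ValidateSignatures>true</ValidateSignatures>
  <CertAlias>travelocity</CertAlias>
</ServiceProvider>"""

SHA1_URIS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}


def pem_to_der(pem_text):
    """Decode one PEM certificate block to DER bytes; ValueError if malformed."""
    text = pem_text.strip()
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        raise ValueError("missing BEGIN/END CERTIFICATE markers")
    body = "".join(text[len(PEM_HEADER):-len(PEM_FOOTER)].split())
    # validate=True rejects non-base64 characters; binascii.Error is a ValueError.
    return base64.b64decode(body, validate=True)


def _text(root, tag):
    """Stripped text of a direct child element, or '' if absent or empty."""
    el = root.find(tag)
    return (el.text or "").strip() if el is not None else ""


def idp_certificate_findings(idp_xml):
    """Report whether <Certificate> holds a decodable PEM certificate."""
    cert = _text(ET.fromstring(idp_xml), "Certificate")
    if not cert:
        return ["Certificate is empty: paste the IdP's PEM certificate between the tags"]
    try:
        pem_to_der(cert)
    except ValueError as exc:
        return [f"Certificate is not a well-formed PEM certificate: {exc}"]
    return []


def set_idp_certificate(idp_xml, pem_text):
    """Return the IdP XML with the whole PEM file content placed in <Certificate>."""
    pem_to_der(pem_text)  # refuse anything that is not a PEM certificate block
    root = ET.fromstring(idp_xml)
    cert = root.find("Certificate")
    if cert is None:
        raise ValueError("no <Certificate> element in the identity provider definition")
    cert.text = pem_text.strip()
    return ET.tostring(root, encoding="unicode")


def sp_findings(sp_xml, client_signs_requests):
    """Apply the signature tip's rules, plus a SHA-1 check, to a <ServiceProvider> entry."""
    root = ET.fromstring(sp_xml)
    findings = []
    validate = _text(root, "ValidateSignatures").lower() == "true"
    alias = _text(root, "CertAlias")
    if client_signs_requests and not validate:
        findings.append("ValidateSignatures is false although the client signs its requests")
    if validate and not alias:
        findings.append("ValidateSignatures is true but CertAlias is empty; "
                        "import the client certificate and set its alias")
    for tag in ("SAMLDefaultSigningAlgorithmURI", "SAMLDefaultDigestAlgorithmURI"):
        if _text(root, tag) in SHA1_URIS:
            findings.append(f"{tag} selects a SHA-1 algorithm")
    return findings


if __name__ == "__main__":
    for f in idp_certificate_findings(IDP_XML_EMPTY_CERT):
        print("IdP:", f)
    fixed = set_idp_certificate(IDP_XML_EMPTY_CERT, SAMPLE_PEM)
    print("IdP after inserting the PEM:", idp_certificate_findings(fixed))
    for f in sp_findings(SP_XML_DEFAULT, client_signs_requests=True):
        print("SP:", f)
    print("SP hardened:", sp_findings(SP_XML_HARDENED, client_signs_requests=True))
```

Run it against the real files by replacing the constructed strings with the contents of the identity provider XML and the <ServiceProvider> element extracted from sso-idp-config.xml; `client_signs_requests` is what you know about the client (travelocity.com here), since the file itself does not record it.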
Create a file named travelocity.com.xml in the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/service-providers directory. Add the following configuration into the travelocity.com.xml file you created. This adds the necessary SAML configurations to the travelocity service provider.

Note: If you added the "SHARED_" prefix to the identity provider name when adding the identity provider, replace the <IdentityProviderName> value (found under the <LocalAndOutBoundAuthenticationConfig> element) in the travelocity.com.xml file with the following value:

SHARED_identityProviderIDP_IS

```xml
<ServiceProvider>
    <ApplicationID>3</ApplicationID>
    <ApplicationName>travelocity.com</ApplicationName>
    <Description>travelocity Service Provider</Description>
    <IsSaaSApp>true</IsSaaSApp>
    <InboundAuthenticationConfig>
        <InboundAuthenticationRequestConfigs>
            <InboundAuthenticationRequestConfig>
                <InboundAuthKey>travelocity.com</InboundAuthKey>
                <InboundAuthType>samlsso</InboundAuthType>
                <Properties></Properties>
            </InboundAuthenticationRequestConfig>
        </InboundAuthenticationRequestConfigs>
    </InboundAuthenticationConfig>
    <LocalAndOutBoundAuthenticationConfig>
        <AuthenticationSteps>
            <AuthenticationStep>
                <StepOrder>1</StepOrder>
                <LocalAuthenticatorConfigs>
                    <LocalAuthenticatorConfig>
                        <Name>BasicAuthenticator</Name>
                        <DisplayName>basicauth</DisplayName>
                        <IsEnabled>true</IsEnabled>
                    </LocalAuthenticatorConfig>
                </LocalAuthenticatorConfigs>
                <FederatedIdentityProviders>
                    <IdentityProvider>
                        <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
                        <IsEnabled>true</IsEnabled>
                        <DefaultAuthenticatorConfig>
                            <FederatedAuthenticatorConfigs>
                                <FederatedAuthenticatorConfig>
                                    <Name>SAMLSSOAuthenticator</Name>
                                    <DisplayName>samlsso</DisplayName>
                                    <IsEnabled>true</IsEnabled>
                                </FederatedAuthenticatorConfig>
                            </FederatedAuthenticatorConfigs>
                        </DefaultAuthenticatorConfig>
                    </IdentityProvider>
                </FederatedIdentityProviders>
                <SubjectStep>true</SubjectStep>
                <AttributeStep>true</AttributeStep>
            </AuthenticationStep>
        </AuthenticationSteps>
        <subjectClaimUri>
            <!-- selected URI -->
        </subjectClaimUri>
    </LocalAndOutBoundAuthenticationConfig>
    <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
    <InboundProvisioningConfig></InboundProvisioningConfig>
    <OutboundProvisioningConfig></OutboundProvisioningConfig>
    <ClaimConfig>
        <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
        <LocalClaimDialect>true</LocalClaimDialect>
        <ClaimMappings>
            <ClaimMapping>
                <LocalClaim>
                    <ClaimUri>http://wso2.org/claims/givenname</ClaimUri>
                </LocalClaim>
                <RemoteClaim>
                    <ClaimUri>http://wso2.org/claims/givenName</ClaimUri>
                </RemoteClaim>
                <RequestClaim>true</RequestClaim>
            </ClaimMapping>
        </ClaimMappings>
    </ClaimConfig>
    <PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>
```
Restart the WSO2 Identity Server to apply the file-based configurations to the system.
Note: The management console will not show the SP-related configuration information if it is loaded through a file (as shown above).
...