Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagexml
titleidentityProviderIDP_IS.xml
<IdentityProvider>
	<IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
	<DisplayName>identityProviderIDP_IS</DisplayName>
	<IdentityProviderDescription></IdentityProviderDescription>
	<Alias>https://localhost:9444/oauth2/token/</Alias>
	<IsPrimary></IsPrimary>
	<IsEnabled>true</IsEnabled>
	<IsFederationHub></IsFederationHub>
	<HomeRealmId></HomeRealmId>
	<ProvisioningRole></ProvisioningRole>
	<FederatedAuthenticatorConfigs>
		<saml2>
			<Name>SAMLSSOAuthenticator</Name>
			<DisplayName>samlsso</DisplayName>
			<IsEnabled>true</IsEnabled>
			<Properties>
				<property>
					<Name>IdpEntityId<<Name>IdPEntityId</Name>
					<Value>identiryProviderIDP</Value>
				</property>
				<property>
					<Name>IsLogoutEnabled</Name>
					<Value>true</Value>
				</property>
				<property>
					<Name>SPEntityId</Name>
					<Value>travelocitySP</Value>
				</property>
				<property>
					<Name>SSOUrl</Name>
					<Value>https://localhost:9444/samlsso/</Value>
				</property>
				<property>
					<Name>isAssertionSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>commonAuthQueryParams</Name>
					<Value></Value>
				</property>
				<property>
					<Name>IsUserIdInClaims</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsLogoutReqSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsAssertionEncrypted</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsAuthReqSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsAuthnRespSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>LogoutReqUrl</Name>
					<Value>false</Value>
				</property>
			</Properties>
		</saml2>
	</FederatedAuthenticatorConfigs>
	<DefaultAuthenticatorConfig>SAMLSSOAuthenticator</DefaultAuthenticatorConfig>
	<ProvisioningConnectorConfigs>
	</ProvisioningConnectorConfigs>
	<DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig>
	<ClaimConfig></ClaimConfig>
	<Certificate></Certificate>
	<PermissionAndRoleConfig></PermissionAndRoleConfig>
	<JustInTimeProvisioningConfig></JustInTimeProvisioningConfig>
</IdentityProvider>
Tip

Tip: When studying the above configurations, you can identify the Service Provider Entity Id in the following code snippet.

Code Block
languagexml
<property>
	<Name>SPEntityId</Name>
	<Value>travelocitySP</Value>
</property>

Here, travelocitySP must be the same value as the value configured as the Issuer in the identity provider IS .

About certificates: The following is a sample command if the identity provider is WSO2 Identity Server where you can export the public certificate in PEM format.

Code Block
keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -rfc -file ispublic_crt.pem
Then, you can open the certificate file with a notepad so you see the certificate value. Copy this certificate value and put in the file within the <Certificate> tag.
Please note that above is only if the identity provider is the WSO2 Identity Server. If the identity provider is a third party IDP, then you can get the certificate in PEM format and read the value. You need to copy the entire content of the PEM file and place it between the <Certificate> tags.
...
  1. Open the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/sso-idp-config.xml file and add the following configuration under the  <SSOIdentityProviderConfig>  properties 
     <ServiceProviders>  tag. This adds thetravelocity the Travelocity application as a service provider.
     Code Block
    languagexml
    <ServiceProvider>
    <Issuer>travelocity.com</Issuer>
    <AssertionConsumerServiceURLs>
      <AssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL>
    </AssertionConsumerServiceURLs>
    <DefaultAssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</DefaultAssertionConsumerServiceURL>
    <EnableSingleLogout>true</EnableSingleLogout>
    <SLOResponseURL></SLOResponseURL>
    <SLORequestURL></SLORequestURL>
    <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI>
    <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI>
    <SignResponse>true</SignResponse>
    <ValidateSignatures>true<<ValidateSignatures>false</ValidateSignatures>
    <EncryptAssertion>true</EncryptAssertion>
    <CertAlias></CertAlias>
    <EnableAttributeProfile>true</EnableAttributeProfile>
    <IncludeAttributeByDefault>true</IncludeAttributeByDefault>
    <ConsumingServiceIndex>2104589</ConsumingServiceIndex>
    <EnableAudienceRestriction>false</EnableAudienceRestriction>
    <AudiencesList>
      <Audience></Audience>
    </AudiencesList>
    <EnableRecipients>false</EnableRecipients>
    <RecipientList>
      <Recipient></Recipient>
    </RecipientList>
    <EnableIdPInitiatedSSO>false</EnableIdPInitiatedSSO>
    <EnableIdPInitSLO>false</EnableIdPInitSLO>
    <ReturnToURLList>
      <ReturnToURL></ReturnToURL>
    </ReturnToURLList>
</ServiceProvider>
     Tip
    Tip: If the incoming SAML requests from the client (e.g., travelocity.com) are signed, and the service provider Identity Server instance needs to validate the signature included in the authentication and logout requests, do the following:
    1. Import the public certificate of the client to the primary keystore (e.g., wso2carbon.jks)
    2. Add the corresponding certificate alias name to the <CertAlias> property and set the <ValidateSignatures> property to true in the sso-idp-config.xml file.
  2. Create a file named travelocity.com.xml in the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/service-providers directory.
  3. Add the following configurations into the travelocity.com.xml file you created. This adds the necessary SAML configurations to thetravelocity service provider.
     Note
    If you added the "SHARED_" prefix to the identity provider name when adding the identity provider, replace the  <IdentityProviderName>  value (found under the  <LocalAndOutBoundAuthenticationConfig>  element) in the travelocity.com.xml  file, with the following value.
     Code Block
    SHARED_identityProviderIDP_IS
     Code Block
    languagexml
    <ServiceProvider>
    <ApplicationID>3</ApplicationID>
    <ApplicationName>travelocity.com</ApplicationName>
    <Description>travelocity Service Provider</Description>
    <IsSaaSApp>true</IsSaaSApp>
    <InboundAuthenticationConfig>
        <InboundAuthenticationRequestConfigs>
            <InboundAuthenticationRequestConfig>
                <InboundAuthKey>travelocity.com</InboundAuthKey>
                <InboundAuthType>samlsso</InboundAuthType>
                <Properties></Properties>
            </InboundAuthenticationRequestConfig>
        </InboundAuthenticationRequestConfigs>
    </InboundAuthenticationConfig>
  
    <LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps>
        <AuthenticationStep>
            <StepOrder>1</StepOrder>
            <LocalAuthenticatorConfigs>
                <LocalAuthenticatorConfig>
                    <Name>BasicAuthenticator</Name>
                    <DisplayName>basicauth</DisplayName>
                    <IsEnabled>true</IsEnabled>
                </LocalAuthenticatorConfig>
            </LocalAuthenticatorConfigs>
            <FederatedIdentityProviders>
                <IdentityProvider>
                    <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
                    <IsEnabled>true</IsEnabled>
                    <DefaultAuthenticatorConfig>
                        <FederatedAuthenticatorConfigs>
                            <FederatedAuthenticatorConfig>
                                <Name>SAMLSSOAuthenticator</Name>
                                <DisplayName>samlsso</DisplayName>
                                <IsEnabled>true</IsEnabled>
                            </FederatedAuthenticatorConfig>
                        </FederatedAuthenticatorConfigs>
                    </DefaultAuthenticatorConfig>
                </IdentityProvider>
            </FederatedIdentityProviders>
            <SubjectStep>true</SubjectStep>
            <AttributeStep>true</AttributeStep>
        </AuthenticationStep>
    </AuthenticationSteps>
	<subjectClaimUri> <!--selected URI --> </subjectClaimUri>
</LocalAndOutBoundAuthenticationConfig>
    <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
    <InboundProvisioningConfig></InboundProvisioningConfig>
    <OutboundProvisioningConfig></OutboundProvisioningConfig>
    <ClaimConfig>
        <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
        <LocalClaimDialect>true</LocalClaimDialect><ClaimMappings><ClaimMapping><LocalClaim><ClaimUri>http://wso2.org/claims/givenname</ClaimUri></LocalClaim><RemoteClaim><ClaimUri>http://wso2.org/claims/givenName</ClaimUri>ClaimUri></RemoteClaim><RequestClaim>true</RequestClaim></ClaimMapping></ClaimMappings></ClaimConfig>    
    <PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>
  4. Restart the WSO2 Identity Server to apply the file-based configurations to the system. 
     Note
    Please note that the management console will not show the SP related configuration information if it is loaded through a file (as shown above)
...