
...

  1. Download and install OpenAM/OpenSSO (download and deploy its WAR file).
  2. Download the WSO2 product.

WSO2 products ship with a built-in SAML2 web SSO authenticator. The steps needed to configure it against OpenAM/OpenSSO are the focus of this page.

...

  1. Configure the sp.xml file. When doing this, keep the following in mind:

    Panel
    • The sample sp.xml file below uses https://localhost:9443/acs as the redirection (assertion consumer) URL. Configure it for your environment as https://<carbon-server-host>:<port>/acs.
    • The entityID attribute of the EntityDescriptor in sp.xml must match the value of ServiceProviderID in the authenticators.xml file.
    • The same values are used in the single logout related parameters. However, single logout with OpenSSO had not been tested at the time of writing.
    • The sample sets AuthnRequestsSigned="false" and WantAssertionsSigned="false". The Carbon server therefore relies on the IdP signing the SAML Response (enabled in the OpenSSO steps below) and on the IdP certificate imported under idpCertAlias to validate what it receives; do not skip those steps.

    The following are the configurations used in the sp.xml file:

    Code Block
    <EntityDescriptor entityID="https://localhost:9443/acs" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    	<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        	<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                             	Location="https://localhost:9443/acs/fedletSloRedirect"
                             	ResponseLocation="https://localhost:9443/acs/fedletSloRedirect"/>
        	<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             	Location="https://localhost:9443/acs/fedletSloPOST"
                             	ResponseLocation="https://localhost:9443/acs/fedletSloPOST"/>
        	<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                             	Location="https://localhost:9443/acs/fedletSloSoap"/>
        	<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        	<AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                  	Location="https://localhost:9443/acs"/>
        	<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                  	Location="https://localhost:9443/acs"/>
    	</SPSSODescriptor>
    	<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    	xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
                    	xsi:type="query:AttributeQueryDescriptorType"
                    	protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></RoleDescriptor>
    	<XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"></XACMLAuthzDecisionQueryDescriptor>
    </EntityDescriptor>
  2. Go to Common Tasks > Register Remote Service Provider and upload the file.
    1. Select sp.xml as the file to upload.
    2. Select a Circle of Trust configuration in the remote service provider.
  3. Go to Federation > Entity Providers in the OpenSSO management console and select the newly registered service provider.
  4. Select the response signing attribute so that OpenSSO signs the SAML Response it sends to the Carbon server. The Carbon server validates this signature with the certificate stored under idpCertAlias.
     
  5. Under the NameID Format list, make sure you specify the ‘transient’ and ‘unspecified’ Name ID Formats.
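
Before uploading sp.xml it is worth checking it against the Carbon authenticator settings mechanically, since a mismatch between the two files is the usual reason SSO login fails silently. The following Python script is an added example and is not part of the WSO2 or OpenSSO documentation. It takes the page's sample sp.xml (trimmed to the elements it inspects) and a constructed authenticators.xml fragment that is assumed to use the `<Parameter name="...">` layout with the parameter names this page lists (ServiceProviderID, IdentityProviderSSOServiceURL, idpCertAlias); the IdP host opensso.example.com is a placeholder. It reports the mismatches that break SSO: entityID versus ServiceProviderID, non-HTTPS or still-localhost ACS URLs, a missing default AssertionConsumerService, and the consequence of leaving WantAssertionsSigned="false".

```python
"""Cross-check sp.xml against the SAML2 SSO authenticator settings.

Added example (not WSO2 or OpenSSO code). SP_XML is a trimmed copy of the
page's sample; AUTHENTICATORS_XML is a constructed fragment that assumes the
<Parameter name="..."> layout of the Carbon authenticators.xml file.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

SP_XML = """<EntityDescriptor entityID="https://localhost:9443/acs"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/acs"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://localhost:9443/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed fragment (assumed layout); parameter names are the ones the page lists.
AUTHENTICATORS_XML = """<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Config>
      <Parameter name="ServiceProviderID">https://localhost:9443/acs</Parameter>
      <Parameter name="IdentityProviderSSOServiceURL">https://opensso.example.com:8080/opensso/SSORedirect/metaAlias/idp</Parameter>
      <Parameter name="idpCertAlias">opensso</Parameter>
    </Config>
  </Authenticator>
</Authenticators>"""


def authenticator_params(xml_text):
    """Collect <Parameter name="...">value</Parameter> pairs, ignoring namespaces."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "Parameter" and "name" in el.attrib:
            params[el.attrib["name"]] = (el.text or "").strip()
    return params


def check_sp_config(sp_xml, auth_xml, expected_host):
    """Return a list of 'ERROR:'/'WARN:' findings; an empty list means consistent."""
    findings = []
    sp = ET.fromstring(sp_xml)
    params = authenticator_params(auth_xml)

    # 1. entityID in sp.xml must equal ServiceProviderID in authenticators.xml.
    entity_id = sp.attrib.get("entityID", "")
    if entity_id != params.get("ServiceProviderID"):
        findings.append(f"ERROR: entityID {entity_id!r} != ServiceProviderID "
                        f"{params.get('ServiceProviderID')!r}")

    spsso = sp.find("md:SPSSODescriptor", NS)
    if spsso is None:
        return findings + ["ERROR: sp.xml has no SPSSODescriptor"]

    # 2. Every ACS endpoint must be HTTPS and point at the real Carbon host;
    #    anything else means the localhost placeholder from the sample is still there.
    acs_list = spsso.findall("md:AssertionConsumerService", NS)
    if sum(a.attrib.get("isDefault") == "true" for a in acs_list) != 1:
        findings.append('ERROR: exactly one AssertionConsumerService must be isDefault="true"')
    for acs in acs_list:
        loc = urlparse(acs.attrib.get("Location", ""))
        if loc.scheme != "https":
            findings.append(f"ERROR: ACS Location {acs.attrib.get('Location')!r} is not https")
        if loc.hostname != expected_host:
            findings.append(f"WARN: ACS host {loc.hostname!r} is not {expected_host!r}")

    # 3. With WantAssertionsSigned="false" the only signature the Carbon server
    #    can check is the one on the SAML Response, so response signing must be
    #    enabled in OpenSSO and idpCertAlias must name the IdP certificate.
    if spsso.attrib.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WARN: WantAssertionsSigned=false; enable response signing "
                        "in OpenSSO and verify idpCertAlias")
    if TRANSIENT not in [(f.text or "").strip() for f in spsso.findall("md:NameIDFormat", NS)]:
        findings.append("WARN: sp.xml does not list the transient NameID format")

    # 4. The IdP endpoint the authenticator redirects the browser to must be HTTPS.
    if urlparse(params.get("IdentityProviderSSOServiceURL", "")).scheme != "https":
        findings.append("ERROR: IdentityProviderSSOServiceURL is not https")
    if not params.get("idpCertAlias"):
        findings.append("ERROR: idpCertAlias is not set")
    return findings


if __name__ == "__main__":
    for finding in check_sp_config(SP_XML, AUTHENTICATORS_XML, "localhost"):
        print(finding)
```

Run it with the host name you put into the ACS Location as the third argument; the page's sample passes with only the WantAssertionsSigned warning, and changing ServiceProviderID to anything other than the entityID produces an ERROR line.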
     

...

    • ServiceProviderID - This can be any identifier and does not have to be a URL. However, the configured value must be identical to the entityID configured in the sp.xml file.
    • IdentityProviderSSOServiceURL - This is the single sign-on service URL of your IdP (the OpenSSO server).
    • idpCertAlias - This is the keystore alias of the certificate used to validate the signature on responses from the IdP. The OpenSSO server's public certificate must be imported into the Carbon server's keystore under the alias 'opensso'; if the alias is missing or holds a different certificate, signature validation cannot succeed.
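
The certificate the Carbon server must trust is the one OpenSSO publishes in its IdP metadata, and the safest way to get it is to extract it from there rather than copying a file around by hand. The following Python script is an added example, not WSO2 or OpenSSO code: it pulls the signing certificate out of a constructed IdP metadata document, writes the PEM file that keytool -importcert reads, prints the import command for the 'opensso' alias, and then checks a `keytool -list -v` listing (also constructed, in the Java 7+ format that prints a SHA256 line) to confirm the alias holds exactly the certificate the IdP advertises. The certificate body is placeholder bytes rather than a real X.509 certificate, and the keystore file name and password in the keytool command are assumptions to replace with your own.

```python
"""Extract the OpenSSO signing certificate from IdP metadata, write the PEM
that keytool -importcert expects, and confirm the 'opensso' alias in the
Carbon keystore holds that exact certificate.

Added example (not WSO2 or OpenSSO code). IDP_METADATA and KEYTOOL_LISTING
are constructed; the "certificate" is placeholder bytes, not a real X.509
certificate, and the keystore path/password in import_command are assumptions.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholder certificate body (constructed); real metadata carries base64 DER here.
PLACEHOLDER_DER = b"The quick brown fox jumps over the lazy dog"
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://opensso.example.com:8080/opensso">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          {base64.b64encode(PLACEHOLDER_DER).decode()}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed excerpt of `keytool -list -v -keystore wso2carbon.jks` output (Java 7+).
KEYTOOL_LISTING = """Alias name: wso2carbon
Entry type: PrivateKeyEntry
Certificate fingerprints:
\t SHA256: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00

Alias name: opensso
Entry type: trustedCertEntry
Certificate fingerprints:
\t SHA256: D7:A8:FB:B3:07:D7:80:94:69:CA:9A:BC:B0:08:2E:4F:8D:56:51:E4:6D:3C:DB:76:2D:02:D0:BF:37:C9:E5:92
"""


def idp_signing_cert_der(metadata_xml):
    """Return the DER bytes of the IdP signing certificate from SAML metadata."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.attrib.get("use", "signing") != "signing":  # no 'use' means both uses
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            return base64.b64decode("".join(cert.text.split()))
    raise ValueError("no signing X509Certificate in IDPSSODescriptor")


def to_pem(der):
    """Wrap DER as the PEM block that keytool -importcert reads (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-256 fingerprint in keytool's colon-separated upper-case form."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def keytool_fingerprint(listing, alias):
    """Pull the SHA256 fingerprint for one alias out of `keytool -list -v` output."""
    in_alias = False
    for line in listing.splitlines():
        s = line.strip()
        if s.startswith("Alias name:"):
            in_alias = s.split(":", 1)[1].strip() == alias
        elif in_alias and s.startswith("SHA256:"):
            return s.split(":", 1)[1].strip().upper()
    return None


def keystore_matches_idp(metadata_xml, listing, alias="opensso"):
    """True only if the keystore alias holds the certificate the IdP publishes."""
    return keytool_fingerprint(listing, alias) == fingerprint(idp_signing_cert_der(metadata_xml))


def import_command(pem_path, keystore="wso2carbon.jks", storepass="wso2carbon", alias="opensso"):
    """keytool command to run after writing the PEM (keystore name/password are assumptions)."""
    return (f"keytool -importcert -noprompt -alias {alias} -file {pem_path} "
            f"-keystore {keystore} -storepass {storepass}")


if __name__ == "__main__":
    der = idp_signing_cert_der(IDP_METADATA)
    with open("opensso.pem", "w") as f:
        f.write(to_pem(der))
    print(import_command("opensso.pem"))
    print("keystore alias 'opensso' matches IdP metadata:",
          keystore_matches_idp(IDP_METADATA, KEYTOOL_LISTING))
```

Re-run the fingerprint comparison whenever OpenSSO's signing key is rotated; a stale certificate under the 'opensso' alias is indistinguishable from a missing one as far as response validation is concerned.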

Exporting/Importing Certificates

...