...
Follow the instructions below to configure general server configurations:
Configuring the monitoring frequency:
Configure
the monitoring frequency via the EMM console. For more information, see General Platform Configurations. If you configure the monitoring frequency via the EMM console, it will overwriteInfo the monitoring frequency
configuration doneby
editing thecdm-config.xml
file, as shown below.Configure theDeviceMonitorFrequency
configuring the
MonitorFrequency
parameter in thecdm-config.xml
file, which is in the<EMM_HOME>/repository/conf
directory. Specify this value in milliseconds. The EMM server uses this parameter to determine how often the devices enrolled with EMM need to be monitored. By default, this value has been configured to 60000ms (1min).Example:
<DeviceMonitorFrequency>60000<Code Block
DeviceMonitorFrequency>Uncomment the following code in the<MonitorFrequency>60000</
carbon.xml
file, which is in theMonitorFrequency>
Configure the following fields that are under theAnchor carbon.local.ip carbon.local.ip <APIKeyValidator>
tag in the<EMM_HOME>/repository/conf
directory, and enter your organization domain./api-manager.xml
file.Info This step is only required for applicable in the production environment.
Example:
Code Block <HostName>www.wso2.org</HostName> <MgtHostName>www.wso2.org</MgtHostName>
Anchor HTTPS HTTPS Enable HTTPS communication.Info - This step is only required for the production environment. Once enabled, the HTTP requests will be redirected to use HTTPS automatically.
- You will need to setup the BKS file in the android agent once HTTPS is enabled.
To enable HTTPS redirection for a specific web application, uncomment the following code in the respective web application's
web.xml
.
Example: Enable HTTPS redirection for the mdm-android-agent web app by navigating to the<WSO2_EMM>/repository/deployment/server/webapps/mdm-android-agent/WEB-INF/web.xml
file.Code Block <security-constraint> <web-resource-collection> <web-resource-name>MDM-Admin</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Configure the
<serverURL>
field by replacing${carbon.local.ip}
with the hostname or public IP of the production environment.Code Block <ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>
Example:
Code Block <ServerURL>https://45.67.89.100:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>
Configure the
<RevokeAPIURL>
field by replacing${carbon.local.ip}
with the hostname or public IP of the production environment.Code Block <RevokeAPIURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeAPIURL>
Example:
Code Block <RevokeAPIURL>https://45.67.89.100:${https.nio.port}/revoke</RevokeAPIURL>
Enable HTTPS communication.Anchor HTTPS HTTPS Info - This step is only required for the production environment. Once enabled, the HTTP requests will be redirected to use HTTPS automatically.
- You will need to setup the BKS file in the android agent once HTTPS is enabled.
To enable HTTPS redirection for a specific web application, uncomment the following code in the respective web application's
web.xml
.
Example: Enable HTTPS redirection for the mdm-android-agent web app by navigating to the<EMM_HOME>/repository/deployment/server/webapps/mdm-android-agent/WEB-INF/web.xml
file.Code Block <security-constraint> <web-resource-collection> <web-resource-name>MDM-Admin</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Anchor email email Configure the email client to send out registration confirmation emails through EMM to the respective users.Info In EMM, user registration confirmation emails are disabled by default, and the admin needs to provide the required configuration details to enable it.
Create an email account to send out emails to users that register with EMM (e.g., no-reply@foo.com).
Open the <EMM_To enable HTTPS redirection for the entire servlet container, configure the
web.xm
l file, which is in the<EMM_HOME>/repository/conf/axis2/axis2.xml
file, uncomment themailto
transportSender section, and configure the EMM email account. <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">Code Block tomcat
folder, by including the following:Code Block <security-constraint> <web-resource-collection> <parameter name="mail.smtp.host">smtp.gmail.com</parameter> <web-resource-name>MDM-Admin</web-resource-name> <parameter name="mail.smtp.port">587</parameter> <url-pattern>/*</url-pattern> <parameter name="mail.smtp.starttls.enable">true</parameter></web-resource-collection> <user-data-constraint> <parameter name="mail.smtp.auth">true</parameter> <parameter name="mail.smtp.user">synapse.demo.0</parameter> <transport-guarantee>CONFIDENTIAL</transport-guarantee> <parameter name="mail.smtp.password">mailpassword</parameter> <parameter name="mail.smtp.from">synapse.demo.0@gmail.com</parameter> </transportSender>
Info For
mail.smtp.from
,mail.smtp.user
, andmail.smtp.password
, use the email address, username, and password (respectively) from the mail account you set up.Example:
Code Block <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender"> <parameter name="mail.smtp.host">smtp.gmail.com</parameter> <parameter name="mail.smtp.port">587</parameter> <parameter name="mail.smtp.starttls.enable">true</parameter> <parameter name="mail.smtp.auth">true</parameter></user-data-constraint> </security-constraint>
To enable HTTPS redirection for the entire servlet container, configure the web.xm
l file, which is in the wso2mdm-2.0.0-SNAPSHOT/repository/conf/tomcat
folder, by including the following:
WSO2 EMM email configurations
Anchor | ||||
---|---|---|---|---|
Info |
---|
In EMM, user registration confirmation emails are disabled by default, and the admin needs to provide the required configuration details to enable it. |
Create an email account to send out emails to users that register with EMM (e.g., no-reply@foo.com).
Note If you are using a Google mail account, you need to note that Google has restricted third party apps or less secure apps from sending emails. Therefore, you need to configure your account to enable this setting as WSO2 EMM acts as a third party application when sending emails to confirm user registrations or inviting existing users to register devices with WSO2 EMM.
Expand title Click here for more information. Follow the steps given below to enable your Google mail account to provide access to third party applications.
- Navigate to https://myaccount.google.com/security.
- Click Signing in to Google on the left menu and make sure that the 2-step Verification is disabled or off.
- Click Connected apps and sites on the left menu and enable Allow less secure apps.
Open the
<EMM_HOME>/repository/conf/axis2/axis2.xml
file, uncomment themailto
transportSender section, and configure the EMM email account.
user">foo<Code Block <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender"> <parameter name="mail.smtp.
passwordhost">smtp.gmail.com</parameter> <parameter name="mail.smtp.
>$foo1234<port"
from">no-reply@foo.com</parameter> </transportSender>>587</parameter> <parameter name="mail.smtp.
- Customize the email that is being sent out by navigating to the
notification-messages.xml
file, which is in the<EMM_HOME>/repository/conf
directory. Customize the link being sent in the email to download the EMM application by navigating to the
cdm-config.xml
file, which is in the<EMM_HOME>/repository/conf
directory, and configuring the following fields under<EmailClientConfiguration>
.LBHostPortPrefix
: Provide the load balancer host and port prefix.enrollmentContextPath
: Provide the path to download the application.
Expand title Click here to view an example. Code Block <EmailClientConfiguration> <minimumThread>8</minimumThread> <maximumThread>100</maximumThread> <keepAliveTime>20</keepAliveTime> <ThreadQueueCapacity>1000</ThreadQueueCapacity> <LBHostPortPrefix>https://localhost:9443</LBHostPortPrefix> <enrollmentContextPath>/mdm/enrollment</enrollmentContextPath> </EmailClientConfiguration>
WSO2 EMM Jaggery apps configurations to enroll and manage devices
In WSO2 EMM, only Android and iOS platforms uses the agent to enroll devices with the EMM. The Windows platform uses the native workplace application to enroll devices with WSO2 EMM. Therefore, the following configurations steps are required only if you are registering or enrolling Android or iOS devices.
Follow the steps given below:
- Open the
config.json
file thatstarttls.enable">true</parameter> <parameter name="mail.smtp.auth">true</parameter> <parameter name="mail.smtp.user">synapse.demo.0</parameter> <parameter name="mail.smtp.password">mailpassword</parameter> <parameter name="mail.smtp.from">synapse.demo.0@gmail.com</parameter> </transportSender>
Info For
mail.smtp.from
,mail.smtp.user
, andmail.smtp.password
, use the email address, username, and password (respectively) from the mail account you set up.Example:
Code Block <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender"> <parameter name="mail.smtp.host">smtp.gmail.com</parameter> <parameter name="mail.smtp.port">587</parameter> <parameter name="mail.smtp.starttls.enable">true</parameter> <parameter name="mail.smtp.auth">true</parameter> <parameter name="mail.smtp.user">foo</parameter> <parameter name="mail.smtp.password">$foo1234</parameter> <parameter name="mail.smtp.from">no-reply@foo.com</parameter> </transportSender>
Configure the email sender thread pool.
Navigate to theemail-sender-config.xml
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/
emm-web-agent/config
directory.Anchor emm-web-agent emm-web-agent Configure thehost
attribute that is undergeneralConfig
by providing the entire server address.Info You are required to configure this file as it is used to handle device enrollments.
Note - To download the EMM Android agent in a testing environment configure the host attribute using a HTTP URL, because the Android browser does not trust hosts with self signed certificates.
- To download the EMM Android agent in a production environment configure the host attribute using a HTTPS URL as the production server has a Certificate Authority (CA) installed with a valid SSL certificate. For more information on enabling HTTPS communication, see here.
Example:
Code Block "generalConfig" : { "host" : "http://localhost:9763", "companyName" : "WSO2 Enterprise Mobility Manager", "browserTitle" : "WSO2 EMM", "copyrightText" : "\u00A9 %date-year%, WSO2 Inc. (http://www.wso2.org) All Rights Reserved." }
- Open the
config.json
file that is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory. Configure the
host
attribute that is undergeneralConfig
by providing the entire server address.Info You are required to configure this file as it is used to manage the devices.
Note In a clustered environment, configure the host attribute by providing the entire server address (by changing only the protocol to HTTPS and the port to the HTTPS port) that was given for the host attribute in the emm-web-agent's
config.json
file. This is required because the EMM configurations refer to the emm-web-agent app as it is used to handle device enrollments.Example:
"generalConfig" : { "host" : "https://localhost:9443", "companyName" : "WSO2 Enterprise Mobility Manager", "browserTitle" : "WSO2 EMMCode Block conf/etc
directory, and configure the following fields under<EmailSenderConfig>
.MinThreads
: Defines the minimum number of threads that needs to be available in the underlying thread pool when the email sender functionality is initialized.MaxThreads
: Defines the maximum number of threads that should serve email sending at any given time.KeepAliveDuration
: Defines the duration a connection should be kept alive. If the thread pool has initialized more connections than what was defined inMinThreads
, and they have been idle for more than theKeepAliveDuration
, those idle connections will be terminatedThreadQueueCapacity
: Defines the maximum concurrent email sending tasks that can be queued up.
Example:
Code Block <EmailSenderConfig> <MinThreads>8</MinThreads> <MaxThreads>100</MaxThreads> <KeepAliveDuration>20</KeepAliveDuration> <ThreadQueueCapacity>1000</ThreadQueueCapacity> </EmailSenderConfig>
Customize the email templates that are in the
<EMM_HOME>/repository/resources/email-templates
directory.Info The email templating functionality of WSO2 EMM is implemented on top of Apache Velocity, which is a free and open-source template engine.
- Open the email template that you wish to edit based on the requirement, such as the
user-invitation.
vm oruser-registration.
vm file. - Edit the
<Subject>
and<Body>
to suite your requirement. - Restart WSO2 EMM.
Tip If you need to access
HTTP
orHTTPS
base URLs of the server within your custom template configs, use the$base-url-http
and$base-url-https
variables, respectively.- Open the email template that you wish to edit based on the requirement, such as the
WSO2 EMM Jaggery apps configurations to enroll and manage devices
In WSO2 EMM, only Android and iOS platforms use the agent to enroll devices with the EMM. The Windows platform uses the native workplace application to enroll devices with WSO2 EMM. Therefore, the following configurations steps are required only if you are registering or enrolling Android or iOS devices.
Follow the steps given below:
Open the
config.json
file that is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/
emm-web-agent/config
directory.
Configure theAnchor emm-web-agent emm-web-agent host
attribute that is undergeneralConfig
by providing the entire server address.Info You are required to configure this file as it is used to handle device enrollments.
Note - To download the EMM Android agent in a testing environment configure the host attribute using an HTTP URL, because the Android browser does not trust hosts with self-signed certificates.
- To download the EMM Android agent in a production environment configure the host attribute using an HTTPS URL as the production server has a Certificate Authority (CA) installed with a valid SSL certificate. For more information on enabling HTTPS communication, see here.
Example:
Code Block "generalConfig" : { "host" : "http://10.10.10.182:9763", "companyName" : "WSO2 Enterprise Mobility Manager", "browserTitle" : "WSO2 EMM", "copyrightText" : "\u00A9 %date-year%, WSO2 Inc. (http://www.wso2.org) All Rights Reserved." }
WSO2 App Manager configurations to mange applications in WSO2 EMM
Follow the steps given below to configure WSO2 App Manager for the EMM:
- Open the
carbon.xml
file that is in the<EMM_HOME>/repository/con
f directory. Uncomment the
HostName
attribute and provide the server IP.
Default:Code Block <!--HostName>www.wso2.org</HostName-->
An example after the configuration:
Code Block <HostName>10.100.7.35</HostName>
Uncomment the
MgtHostName
attribute and provide the server IP.
Default:Code Block <!--MgtHostName>mgt.wso2.org</MgtHostName-->
An example after the configuration:
Code Block <MgtHostName>10.100.7.35</MgtHostName>
- Comment the uncommented ServerURL and uncomment the ServerURL attribute that was commented by default.
Configure the uncommented ServerURL as follows:- Provide
localhost
as the value for{carbon.local.ip}.
- Provide the
https
port as the value for{carbon.management.port}
.
By default the port is 9443. - Remove ${carbon.context}.
By default:
Code Block <ServerURL>local:/${carbon.context}/services/</ServerURL> <!-- <ServerURL>https://${carbon.local.ip}:${carbon.management.port}${carbon.context}/services/</ServerURL> -->
An example after the configuration:
Code Block <!--ServerURL>local:/${carbon.context}/services/</ServerURL--> <ServerURL>https://localhost:9443/services/</ServerURL>
- Provide
- Restart the WSO2 EMM server.
Login to the WSO2 App Manager publisher to publish application or WSO2 App Manager store to install apps on mobile devices.
Info - Access the WSO2 App Manager publisher:
- http://localhost:9763/publisher
- https://localhost:9443/publisher
- Access WSO2 App Manager store
- http://localhost:9763/store/
- https://localhost:9443/store
- Access the WSO2 App Manager publisher:
SSO configurations
Follow the steps given below to configure single sign-on (SSO) for EMM:
Enable SSO in the following configuration files, under the
ssoConfiguration
section:config.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.store.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/config
directory.publisher.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config
directory.Code Block "enabled" : true,
Configure the Identity Provider (IdP) in the following configuration files, under the
ssoConfiguration
section:Tip For example, you can use the following steps to configure WSO2 Identity Server (IS) as an Identity Provider (IdP). For more information on configuring IS, see enabling SSO for WSO2 servers.
config.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.store.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/config
directory.publisher.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config
directory.
Localtabgroup Localtab active true title config.json Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag", "responseSigningEnabled" : "true", "keyStorePassword" : "wso2carbon", "identityAlias" : "wso2carbon", "keyStoreName" : "/repository/resources/security/wso2carbon.jks"
Localtab title store.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "storeAcs" : "%https.host%/store/acs", "keyStoreName": "/repository/resources/security/wso2carbon.jks"
Localtab title publisher.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "publisherAcs": "%https.host%/publisher/sso", "keyStoreName": "/repository/resources/security/wso2carbon.jks"
Expand title Click here for IdP related property definitions. The IdP related property definitions are as follows:
IdentityProviderURL
- Provide the URL that defines where the user should navigate when signing in.keyStorePassword
- Provide the Key Store password.identityAlias
- Provide the Key Store identity alias or username.keyStoreName
- Provide the Identity Providers (e.g., WSO2 IS) public key value.Info The
keyStorePassword
andidentityAlias
are defined under<KeyStore>
in thecarbon.xml
file, which is in the<EMM_HOME>/repository/conf
directory.Expand title Click here for to view the KeyStore attributes. Code Block <KeyStore> <!-- Keystore file location--> <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location> <!-- Keystore type (JKS/PKCS12 etc.)--> <Type>JKS</Type> <!-- Keystore password--> <Password>wso2carbon</Password> <!-- Private Key alias--> <KeyAlias>wso2carbon</KeyAlias> <!-- Private Key password--> <KeyPassword>wso2carbon</KeyPassword> </KeyStore>
storeAcs
- Provide the Assertion Consumer URL, which is the redirecting URL, for the Store.publisherAcs
- Provide the Assertion Consumer URL, which is the redirecting URL, for the Publisher.
Note By default, an Identity Provider (IdP) has been bundled with the EMM binary pack. If you wish to use this default IdP in EMM, modify the
host/ip
to the Server IP. If you wish to use your own IdP, modify thehost/ip
to your own IdP's host in the following files:Localtabgroup Localtab active true title config.json Update the
config.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag",
Localtab title store.json Update the
store.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/config
directory.Code Block "identityProviderURL": "%https.host%/samlsso",
Localtab title publisher.json Update the
publisher.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config
directory.Code Block "identityProviderURL": "%https.host%/samlsso",
Update the SSO related IDP configurations in the
sso-idp-config.xml
file, which is in the<EMM_HOME>/repository/conf/identity
directory, by updating all the entries that statelocalhost
to your IDP's IP address or domain. <ServiceProvider> <Issuer>mdm</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</DefaultAssertionConsumerServiceURL> <SignAssertion>true</SignAssertion> <SignResponse>true</SignResponse> <EnableAttributeProfile>false</EnableAttributeProfile> <IncludeAttributeByDefault>false</IncludeAttributeByDefault> <Claims> <Claim>http://wso2.org/claims/role</Claim> <Claim>http://wso2.org/claims/emailaddress</Claim> </Claims> <EnableSingleLogout>false</EnableSingleLogout> <SingleLogoutUrl /> <EnableAudienceRestriction>true</EnableAudienceRestriction> <EnableRecipients>true</EnableRecipients> <AudiencesList> <Audience>https://localhost:9443/oauth2/token</Audience> </AudiencesList> <RecipientList> <Recipient>https://localhost:9443/oauth2/token</Recipient> </RecipientList> <ConsumingServiceIndex /> </ServiceProvider> <ServiceProvider> <Issuer>store</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/store/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/store/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/store/login.jag</CustomLoginPage> </ServiceProvider> <ServiceProvider> <Issuer>social</Issuer> <AssertionConsumerServiceURLs>Open theCode Block config.json
file that is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.Configure the
host
attribute that is undergeneralConfig
by providing the entire server address.Info You are required to configure this file as it is used to manage the devices.
Note In a clustered environment, configure the host attribute by providing the entire server address (by changing only the protocol to HTTPS and the port to the HTTPS port) that was given for the host attribute in the emm-web-agent's
config.json
file. This is required because the EMM configurations refer to the emm-web-agent app as it is used to handle device enrollments.Example:
Code Block "generalConfig" : { "host" : "https://10.10.10.128:9443", "companyName" : "WSO2 Enterprise Mobility Manager", "browserTitle" : "WSO2 EMM", "copyrightText" : "\u00A9 %date-year%, WSO2 Inc. (http://www.wso2.org) All Rights Reserved." }
WSO2 App Manager configurations to manage applications in WSO2 EMM
Follow the steps given below to configure WSO2 App Manager for the EMM:
- Open the
carbon.xml
file that is in the<EMM_HOME>/repository/con
f directory. Uncomment the
HostName
attribute and provide the server IP.
Default:Code Block <!--HostName>www.wso2.org</HostName-->
An example after the configuration:
Code Block <HostName>10.100.7.35</HostName>
Uncomment the
MgtHostName
attribute and provide the server IP.
Default:Code Block <!--MgtHostName>mgt.wso2.org</MgtHostName-->
An example after the configuration:
Code Block <MgtHostName>10.100.7.35</MgtHostName>
- Comment the uncommented ServerURL and uncomment the ServerURL attribute that was commented by default.
Configure the uncommented ServerURL as follows:- Provide
localhost
as the value for{carbon.local.ip}.
- Provide the
https
port as the value for{carbon.management.port}
.
By default, the port is 9443. - Remove
${carbon.context}
.
By default:
Code Block <ServerURL>local:/${carbon.context}/services/</ServerURL> <!-- <ServerURL>https://${carbon.local.ip}:${carbon.management.port}${carbon.context}/services/</ServerURL> -->
An example after the configuration:
Code Block <!--ServerURL>local:/${carbon.context}/services/</ServerURL--> <ServerURL>https://localhost:9443/services/</ServerURL>
- Provide
- Restart the WSO2 EMM server.
Login to the WSO2 App Manager publisher to publish application or WSO2 App Manager store to install apps on mobile devices.
Info - Access the WSO2 App Manager publisher:
- http://localhost:9763/publisher
- https://localhost:9443/publisher
- Access WSO2 App Manager store
- http://localhost:9763/store/
- https://localhost:9443/store
- Access the WSO2 App Manager publisher:
SSO configurations
Follow the steps given below to configure single sign-on (SSO) for EMM:
Enable SSO in the following configuration files, under the
ssoConfiguration
section:config.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.store.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/config
directory.publisher.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config
directory.Code Block "enabled" : true,
Configure the Identity Provider (IdP) in the following configuration files, under the
ssoConfiguration
section:Tip For example, you can use the following steps to configure WSO2 Identity Server (IS) as an Identity Provider (IdP). For more information on configuring IS, see enabling SSO for WSO2 servers.
config.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.store.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/config
directory.publisher.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config
directory.
Localtabgroup Localtab active true title config.json Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag", "responseSigningEnabled" : "true", "keyStorePassword" : "wso2carbon", "identityAlias" : "wso2carbon", "keyStoreName" : "/repository/resources/security/wso2carbon.jks"
Localtab title store.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "storeAcs" : "%https.host%/store/acs", "keyStoreName": "/repository/resources/security/wso2carbon.jks"
Localtab title publisher.json Code Block "identityProviderURL": "%https.host%/samlsso", "keyStorePassword": "wso2carbon", "identityAlias": "wso2carbon", "responseSigningEnabled": "true", "publisherAcs": "%https.host%/publisher/sso", "keyStoreName": "/repository/resources/security/wso2carbon.jks"
Expand title Click here for IdP related property definitions. The IdP related property definitions are as follows:
IdentityProviderURL
- Provide the URL that defines where the user should navigate when signing in.keyStorePassword
- Provide the Key Store password.identityAlias
- Provide the Key Store identity alias or username.keyStoreName
- Provide the Identity Providers (e.g., WSO2 IS) public key value.Info The
keyStorePassword
andidentityAlias
are defined under<KeyStore>
in thecarbon.xml
file, which is in the<EMM_HOME>/repository/conf
directory.Expand title Click here for to view the KeyStore attributes. Code Block <KeyStore> <!-- Keystore file location--> <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location> <!-- Keystore type (JKS/PKCS12 etc.)--> <Type>JKS</Type> <!-- Keystore password--> <Password>wso2carbon</Password> <!-- Private Key alias--> <KeyAlias>wso2carbon</KeyAlias> <!-- Private Key password--> <KeyPassword>wso2carbon</KeyPassword> </KeyStore>
storeAcs
- Provide the Assertion Consumer URL, which is the redirecting URL, for the Store.publisherAcs
- Provide the Assertion Consumer URL, which is the redirecting URL, for the Publisher.
Note By default, an Identity Provider (IdP) has been bundled with the EMM binary pack. If you wish to use this default IdP in EMM, modify the
host/ip
to the Server IP. If you wish to use your own IdP, modify thehost/ip
to your own IdP's host in the following files:Localtabgroup Localtab active true title config.json Update the
config.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/emm/config
directory.Code Block "identityProviderURL" : "%https.ip%/sso/samlsso.jag",
Localtab title store.json Update the
store.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/store/config
directory.Code Block "identityProviderURL": "%https.host%/samlsso",
Localtab title publisher.json Update the
publisher.json
file, which is in the<EMM_HOME>/repository/deployment/server/jaggeryapps/publisher/config
directory.Code Block "identityProviderURL": "%https.host%/samlsso",
Update the SSO related IDP configurations in the
sso-idp-config.xml
file, which is in the<EMM_HOME>/repository/conf/identity
directory, by updating all the entries that statelocalhost
to your IDP's IP address or domain.Code Block <ServiceProvider> <Issuer>mdm</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/emm/sso/acs</DefaultAssertionConsumerServiceURL> <SignAssertion>true</SignAssertion> <SignResponse>true</SignResponse> <EnableAttributeProfile>false</EnableAttributeProfile> <IncludeAttributeByDefault>false</IncludeAttributeByDefault> <Claims> <Claim>http://wso2.org/claims/role</Claim> <Claim>http://wso2.org/claims/emailaddress</Claim> </Claims> <EnableSingleLogout>false</EnableSingleLogout> <SingleLogoutUrl /> <EnableAudienceRestriction>true</EnableAudienceRestriction> <EnableRecipients>true</EnableRecipients> <AudiencesList> <Audience>https://localhost:9443/oauth2/token</Audience> </AudiencesList> <RecipientList> <AssertionConsumerServiceURL>https<Recipient>https://localhost:9443/socialoauth2/acs<token</AssertionConsumerServiceURL>Recipient> </AssertionConsumerServiceURLs>RecipientList> <DefaultAssertionConsumerServiceURL>https://localhost:9443/social/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/social/login</CustomLoginPage> <ConsumingServiceIndex /> </ServiceProvider> <ServiceProvider> <Issuer>publisher<<Issuer>store</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/publisherstore/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/publisherstore/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/publisherstore/controllers/login.jag</CustomLoginPage> </ServiceProvider>
Enable authentication session persistence by uncommenting the following configuration in the
<EMM_HOME>/repository/conf/identity.xml
file, under the theServer
andJDBCPersistenceManager
elements.Code Block <SessionDataPersist> <ServiceProvider> <Enable>true</Enable> <Issuer>social</Issuer> <RememberMePeriod>20160</RememberMePeriod> <AssertionConsumerServiceURLs> <CleanUp> <Enable>true</Enable><AssertionConsumerServiceURL>https://localhost:9443/social/acs</AssertionConsumerServiceURL> <Period>1440<</Period>AssertionConsumerServiceURLs> <TimeOut>20160</TimeOut> <DefaultAssertionConsumerServiceURL>https://localhost:9443/social/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/social/login</CustomLoginPage> </CleanUp> <Temporary>false</Temporary> </SessionDataPersist>
Expand title Click here for more information on the configurations. Configuration element Description Enable
This enables the persistence of session data. Therefore, this must be configured to
true
if you wish to enable session persistence.RememberMePeriod
/ServiceProvider> <ServiceProvider> <Issuer>publisher</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>https://localhost:9443/publisher/acs</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>https://localhost:9443/publisher/acs</DefaultAssertionConsumerServiceURL> <SignResponse>true</SignResponse> <CustomLoginPage>/publisher/controllers/login.jag</CustomLoginPage> </ServiceProvider>
If you are running WSO2 EMM on a cluster setup or a virtual machine, you must configure the following fields under
<SSOConfiguration>
in theapp-manager.xml
file that is in the<EMM_HOME>/repository/conf
directory.IdentityProviderUrl
providerURL
Info - By default,
<EMM_HOST>
islocalhost.
However, if you are using a public IP, the respective IP address or domain needs to be specified. - By default,
<EMM_HTTPS_PORT>
has been set to 9443. However, if the port offset has been incremented byn
, the default port value needs to be incremented byn
.
Code Block <!-- AppManager uses SAML SSO as default authentication mechanism for the web apps. Following configuration defines the configurations of the IDP which is used as the SSO provider. --> <SSOConfiguration> <!-- URL of the IDP use for SSO --> <IdentityProviderUrl>https://<EMM_HOST>:<EMM_HTTPS_PORT>/samlsso</IdentityProviderUrl> <Configurators> <Configurator> <name>wso2is</name> <version>5.0.0</version> <providerClass>org.wso2.carbon.appmgt.impl.idp.sso.configurator.IS500SAMLSSOConfigurator</providerClass> <parameters> <providerURL>https://<EMM_HOST>:<EMM_HTTPS_PORT></providerURL> <username>admin</username> <password>admin</password> </parameters> </Configurator> </Configurators> </SSOConfiguration>
Enable authentication session persistence by uncommenting the following configuration in the
<EMM_HOME>/repository/conf/identity.xml
file, under theServer
andJDBCPersistenceManager
elements.Code Block <SessionDataPersist> <Enable>true</Enable> <RememberMePeriod>20160</RememberMePeriod> <CleanUp> <Enable>true</Enable> <Period>1440</Period> <TimeOut>20160</TimeOut> </CleanUp> <Temporary>false</Temporary> </SessionDataPersist>
Expand title Click here for more information on the configurations. Configuration element Description Enable
This enables the persistence of session data. Therefore, this must be configured to
true
if you wish to enable session persistence.RememberMePeriod
This is the time period (in minutes) that the remember me option should be valid. After this time period, the users are logged out even if they enable the remember me option. The default value for this configuration element is 2 weeks.
CleanUp
This section of the configuration is related to the cleaning up of session data. The cleanup task runs on a daily basis (once a day) by default unless otherwise configured in the
Period
tag. When this cleanup task is executed, it removes session data that is older than 2 weeks, unless otherwise specified in theTimeOut
tag.Enable
Selecting true here enables the cleanup task and ensures that it starts running. Period
This is the time period (in minutes) that the remember me option should be valid. After this time period, the users are logged out even if they enable the remember me optioncleanup task would run. The default value for this configuration element is 2 weeksis 1 day.
CleanUp
TimeOut
This section of the configuration is related to the cleaning up of session data. The cleanup task runs on a daily basis (once a day) by default unless otherwise configured in the
Period
tag. When this cleanup task is executed, it removes session data that is older than 2 weeks, unless otherwise specified in theTimeOut
tag.Enable
Selecting true here enables the cleanup task and ensures that it starts running. Period
This is the time period (in minutes) that the cleanup task would run. The default value is 1 day.
TimeOut
This is the timeout value (in minutes) of the session data that is removed by the cleanup task. The default value is 2 weeks.
Temporary
Setting this to
true
enables persistence of temporary caches that are created within an authentication requestthe timeout value (in minutes) of the session data that is removed by the cleanup task. The default value is 2 weeks.Temporary
Setting this to
true
enables persistence of temporary caches that are created within an authentication request.
What's next
- Do you want to register Android devices with WSO2 EMM? If yes, configure WSO2 EMM as explained in the Android Configurations guide.
- Do you want to register iOS devices with WSO2 EMM? If yes, configure WSO2 EMM as explained in the iOS Configurations guide.
- Do you want to register Windows devices with WSO2 EMM? If yes, configure WSO2 EMM as explained in the Windows Configurations guide.