This topic provides instructions on how to create a service provider and identity provider in the WSO2 Identity Server using configuration files which is typically used during the deployment stage. This is done so that multiple tenants in the Identity Server can have the same identity provider.
...
Info | |||||
---|---|---|---|---|---|
| |||||
Do the following steps to setup set up the two WSO2 Identity Server instances for the scenario.
|
Now you have setup set up the Identity Server instances so you can proceed with the configuration steps.
...
- Start the
identity provider IS
and access the Management Console. - Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
- Fill in the Service Provider Name and provide a brief Description of the service provider. For the purposes of this scenario, enter the Service Provider Name as
ServiceProviderSP_IS
. - Click Register to add the service provider.
- Expand the Inbound Authentication and SAML2 Web SSO Configuration sections and click Configure.
Do the following configurations.
Configurations to be done Description Issuer:
travelocitySP
This must be the same as the value you enter for the Service Provider Entity Id when configuring the identity provider in the
service provider IS
.Assertion Consumer URL: https://localhost:9443/commonauth This is the URL to which the browser should be redirected to after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this URL. However, if the SAML2 request is signed and SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. It should be defined in this format: https://(host-name):(port)/acs. Use fully qualified username in the NameID A fully qualified username is basically the username with the user store domain. In short, the username must be in the following format: {user store domain}{user name}
.Enable Single Logout When single logout is enabled, the identity provider sends logout requests to all service providers. Basically, the identity provider acts according to the single logout profile. - Click Register to save your changes.
...
Code Block | ||||
---|---|---|---|---|
| ||||
<IdentityProvider> <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName> <DisplayName>identityProviderIDP_IS</DisplayName> <IdentityProviderDescription></IdentityProviderDescription> <Alias>https://localhost:9444/oauth2/token/</Alias> <IsPrimary></IsPrimary> <IsEnabled>true</IsEnabled> <IsFederationHub></IsFederationHub> <HomeRealmId></HomeRealmId> <ProvisioningRole></ProvisioningRole> <FederatedAuthenticatorConfigs> <saml2> <Name>SAMLSSOAuthenticator</Name> <DisplayName>samlsso</DisplayName> <IsEnabled>true</IsEnabled> <Properties> <property> <Name>IdpEntityId<<Name>IdPEntityId</Name> <Value>identiryProviderIDP</Value> </property> <property> <Name>IsLogoutEnabled</Name> <Value>true</Value> </property> <property> <Name>SPEntityId</Name> <Value>travelocitySP</Value> </property> <property> <Name>SSOUrl</Name> <Value>https://localhost:9444/samlsso/</Value> </property> <property> <Name>isAssertionSigned</Name> <Value>false</Value> </property> <property> <Name>commonAuthQueryParams</Name> <Value></Value> </property> <property> <Name>IsUserIdInClaims</Name> <Value>false</Value> </property> <property> <Name>IsLogoutReqSigned</Name> <Value>false</Value> </property> <property> <Name>IsAssertionEncrypted</Name> <Value>false</Value> </property> <property> <Name>IsAuthReqSigned</Name> <Value>false</Value> </property> <property> <Name>IsAuthnRespSigned</Name> <Value>false</Value> </property> <property> <Name>LogoutReqUrl</Name> <Value>false</Value> </property> </Properties> </saml2> </FederatedAuthenticatorConfigs> <DefaultAuthenticatorConfig>SAMLSSOAuthenticator</DefaultAuthenticatorConfig> <ProvisioningConnectorConfigs> </ProvisioningConnectorConfigs> <DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig> <ClaimConfig></ClaimConfig> <Certificate></Certificate> <PermissionAndRoleConfig></PermissionAndRoleConfig> <JustInTimeProvisioningConfig></JustInTimeProvisioningConfig> </IdentityProvider> |
Tip | ||||||||
---|---|---|---|---|---|---|---|---|
Tip: When studying the above configurations, you can identify the Service Provider Entity Id in the following code snippet.
Here, About certificates: The following is a sample command if the identity provider is WSO2 Identity Server where you can export the public certificate in PEM format.
Then, you can open the certificate file with a notepad so you see the certificate value. Copy this certificate value and put in the file within the <Certificate> tag. Please note that above is only if the identity provider is the WSO2 Identity Server. If the identity provider is a third party IDP, then you can get the certificate in PEM format and read the value. You need to copy the entire content of the PEM file and place it between within the |
Adding the service provider in the service provider IS
...
Open the
<SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/sso-idp-config.xml
file and add the following configuration under the<SSOIdentityProviderConfig>
properties<ServiceProviders>
tag<ServiceProviders>
tag of the<SSOIdentityProviderConfig>
property. This adds the travelocity application as a service provider.
Create a file named travelocity.com.Code Block language xml <ServiceProvider> <Issuer>travelocity.com</Issuer> <AssertionConsumerServiceURLs> <AssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL> </AssertionConsumerServiceURLs> <DefaultAssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</DefaultAssertionConsumerServiceURL> <EnableSingleLogout>true</EnableSingleLogout> <SLOResponseURL></SLOResponseURL> <SLORequestURL></SLORequestURL> <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI> <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI> <SignResponse>true</SignResponse> <ValidateSignatures>true</ValidateSignatures> <EncryptAssertion>true</EncryptAssertion> <CertAlias></CertAlias> <EnableAttributeProfile>true</EnableAttributeProfile> <IncludeAttributeByDefault>true</IncludeAttributeByDefault> <ConsumingServiceIndex>2104589</ConsumingServiceIndex> <EnableAudienceRestriction>false</EnableAudienceRestriction> <AudiencesList> <Audience></Audience> </AudiencesList> <EnableRecipients>false</EnableRecipients> <RecipientList> <Recipient></Recipient> </RecipientList> <EnableIdPInitiatedSSO>false</EnableIdPInitiatedSSO> <EnableIdPInitSLO>false</EnableIdPInitSLO> <ReturnToURLList> <ReturnToURL></ReturnToURL> </ReturnToURLList> </ServiceProvider>
Note Warning To configure SAML Back-Channel Logout and SAML Front-Channel Logout described below, apply the 3904 WUM update to WSO2 IS 5.3.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide. In the above configuration, the single logout is supported by Back-Channel Logout. In order to use SAML Front-Channel Logout, add the following properties under <ServiceProvider> tag.
To enable SAML Front-Channel Logout with HTTP Redirect Binding
Code Block <EnableSingleLogout>true</EnableSingleLogout> <EnableFrontChannelLogout>true</EnableFrontChannelLogout> <FrontChannelLogoutBinding>HTTPRedirectBinding</FrontChannelLogoutBinding>
To enable SAML Front-Channel Logout with HTTP POST Binding
Code Block <EnableSingleLogout>true</EnableSingleLogout> <EnableFrontChannelLogout>true</EnableFrontChannelLogout> <FrontChannelLogoutBinding>HTTPPostBinding</FrontChannelLogoutBinding>
- Create a file named
travelocity.com.xml
in the<SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/service-providers
directory. Add the following configurations into the
travelocity.com.xml
file you created. This adds the necessary SAML configurations to the travelocity service provider.Note If you added the "SHARED_" prefix to the identity provider name when adding the identity provider, replace the
<IdentityProviderName>
value (found under the<LocalAndOutBoundAuthenticationConfig>
element) in thetravelocity.com.xml
file, with the following value.Code Block SHARED_identityProviderIDP_IS
Code Block language xml <ServiceProvider> <ApplicationID>3</ApplicationID> <ApplicationName>travelocity.com</ApplicationName> <Description>travelocity Service Provider</Description> <IsSaaSApp>true</IsSaaSApp> <InboundAuthenticationConfig> <InboundAuthenticationRequestConfigs> <InboundAuthenticationRequestConfig> <InboundAuthKey>travelocity.com</InboundAuthKey> <InboundAuthType>samlsso</InboundAuthType> <Properties></Properties> </InboundAuthenticationRequestConfig> </InboundAuthenticationRequestConfigs> </InboundAuthenticationConfig> <LocalAndOutBoundAuthenticationConfig> <AuthenticationSteps> <AuthenticationStep> <StepOrder>1</StepOrder> <LocalAuthenticatorConfigs> <LocalAuthenticatorConfig> <Name>BasicAuthenticator</Name> <DisplayName>basicauth</DisplayName> <IsEnabled>true</IsEnabled> </LocalAuthenticatorConfig> </LocalAuthenticatorConfigs>>LocalAuthenticatorConfigs> <FederatedIdentityProviders> <IdentityProvider> <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName> <IsEnabled>true</IsEnabled> <DefaultAuthenticatorConfig> <FederatedAuthenticatorConfigs> <FederatedAuthenticatorConfig> <Name>SAMLSSOAuthenticator</Name> <DisplayName>samlsso</DisplayName> <IsEnabled>true</IsEnabled> </FederatedAuthenticatorConfig> </FederatedAuthenticatorConfigs> </DefaultAuthenticatorConfig> </IdentityProvider> </FederatedIdentityProviders> <SubjectStep>true</SubjectStep> <AttributeStep>true</AttributeStep> </AuthenticationStep> </AuthenticationSteps> </LocalAndOutBoundAuthenticationConfig> <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs> <InboundProvisioningConfig></InboundProvisioningConfig> <OutboundProvisioningConfig></OutboundProvisioningConfig> <ClaimConfig> <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId> <LocalClaimDialect>true</LocalClaimDialect><ClaimMappings><ClaimMapping><LocalClaim><ClaimUri>http://wso2.org/claims/givenname</ClaimUri></LocalClaim><RemoteClaim><ClaimUri>http://wso2.org/claims/givenName</ClaimUri>ClaimUri></RemoteClaim><RequestClaim>true</RequestClaim></ClaimMapping></ClaimMappings></ClaimConfig> <PermissionAndRoleConfig></PermissionAndRoleConfig> </ServiceProvider>
Restart the WSO2 Identity Server to apply the file-based configurations to the system.
Note Please note that the management console will not show the SP related configuration information if it is loaded through a file (as shown above)
Running the travelocity application
...