Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This topic provides instructions on how to create a service provider and identity provider in the WSO2 Identity Server using configuration files which is typically used during the deployment stage. This is done so that multiple tenants in the Identity Server can have the same identity provider.

...

Info
titleBefore you begin

Do the following steps to setup set up the two WSO2 Identity Server instances for the scenario.

  1. Download and install the two Identity Server instances.
  2. In the <IDENTITY_PROVIDER_IS_HOME>/repository/conf/carbon.xml file, locate the Offset element and change this to 1. This is done to increment the port values in the identity provider IS so that there is no port conflict with the service provider IS . Port conflicts occur when multiple WSO2 product instances run on the same machine.

    Code Block
    languagexml
    <Offset>1</Offset>

Now you have setup set up the Identity Server instances so you can proceed with the configuration steps.

...

Code Block
languagexml
titleidentityProviderIDP_IS.xml
<IdentityProvider>
	<IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
	<DisplayName>identityProviderIDP_IS</DisplayName>
	<IdentityProviderDescription></IdentityProviderDescription>
	<Alias>https://localhost:9444/oauth2/token/</Alias>
	<IsPrimary></IsPrimary>
	<IsEnabled>true</IsEnabled>
	<IsFederationHub></IsFederationHub>
	<HomeRealmId></HomeRealmId>
	<ProvisioningRole></ProvisioningRole>
	<FederatedAuthenticatorConfigs>
		<saml2>
			<Name>SAMLSSOAuthenticator</Name>
			<DisplayName>samlsso</DisplayName>
			<IsEnabled>true</IsEnabled>
			<Properties>
				<property>
					<Name>IdpEntityId<<Name>IdPEntityId</Name>
					<Value>identiryProviderIDP</Value>
				</property>
				<property>
					<Name>IsLogoutEnabled</Name>
					<Value>true</Value>
				</property>
				<property>
					<Name>SPEntityId</Name>
					<Value>travelocitySP</Value>
				</property>
				<property>
					<Name>SSOUrl</Name>
					<Value>https://localhost:9444/samlsso/</Value>
				</property>
				<property>
					<Name>isAssertionSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>commonAuthQueryParams</Name>
					<Value></Value>
				</property>
				<property>
					<Name>IsUserIdInClaims</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsLogoutReqSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsAssertionEncrypted</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsAuthReqSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsAuthnRespSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>LogoutReqUrl</Name>
					<Value>false</Value>
				</property>
			</Properties>
		</saml2>
	</FederatedAuthenticatorConfigs>
	<DefaultAuthenticatorConfig>SAMLSSOAuthenticator</DefaultAuthenticatorConfig>
	<ProvisioningConnectorConfigs>
	</ProvisioningConnectorConfigs>
	<DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig>
	<ClaimConfig></ClaimConfig>
	<Certificate></Certificate>
	<PermissionAndRoleConfig></PermissionAndRoleConfig>
	<JustInTimeProvisioningConfig></JustInTimeProvisioningConfig>
</IdentityProvider>
Tip

Tip: When studying the above configurations, you can identify the Service Provider Entity Id in the following code snippet.

Code Block
languagexml
<property>
	<Name>SPEntityId</Name>
	<Value>travelocitySP</Value>
</property>

Here, travelocitySP must be the same value as the value configured as the Issuer in the identity provider IS.

About certificates: The following is a sample command if the identity provider is WSO2 Identity Server where you can export the public certificate in PEM format.


Code Block
keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -rfc -file ispublic_crt.pem

Then, you can open the certificate file with a notepad so you see the certificate value. Copy this certificate value and put in the file within the <Certificate> tag.

Please note that above is only if the identity provider is the WSO2 Identity Server. If the identity provider is a third party IDP, then you can get the certificate in PEM format and read the value. You need to copy the entire content of the PEM file and place it between within the <Certificate> tags tag.

Adding the service provider in the service provider IS

...

  1. Open the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/sso-idp-config.xml file and add the following configuration under the <ServiceProviders> tag of the <SSOIdentityProviderConfig> property. This adds the travelocity application as a service provider.

    Code Block
    languagexml
    <ServiceProvider>
        <Issuer>travelocity.com</Issuer>
        <AssertionConsumerServiceURLs>
          <AssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL>
        </AssertionConsumerServiceURLs>
        <DefaultAssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</DefaultAssertionConsumerServiceURL>
        <EnableSingleLogout>true</EnableSingleLogout>
        <SLOResponseURL></SLOResponseURL>
        <SLORequestURL></SLORequestURL>
        <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI>
        <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI>
        <SignResponse>true</SignResponse>
        <ValidateSignatures>true</ValidateSignatures>
        <EncryptAssertion>true</EncryptAssertion>
        <CertAlias></CertAlias>
        <EnableAttributeProfile>true</EnableAttributeProfile>
        <IncludeAttributeByDefault>true</IncludeAttributeByDefault>
        <ConsumingServiceIndex>2104589</ConsumingServiceIndex>
        <EnableAudienceRestriction>false</EnableAudienceRestriction>
        <AudiencesList>
          <Audience></Audience>
        </AudiencesList>
        <EnableRecipients>false</EnableRecipients>
        <RecipientList>
          <Recipient></Recipient>
        </RecipientList>
        <EnableIdPInitiatedSSO>false</EnableIdPInitiatedSSO>
        <EnableIdPInitSLO>false</EnableIdPInitSLO>
        <ReturnToURLList>
          <ReturnToURL></ReturnToURL>
        </ReturnToURLList>
    </ServiceProvider>
    Note
    Warning
    To configure SAML Back-Channel Logout and SAML Front-Channel Logout described below, apply the 3904 WUM update to WSO2 IS 5.3.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

    In the above configuration, the single logout is supported by Back-Channel Logout. In order to use SAML Front-Channel Logout, add the following properties under <ServiceProvider> tag.

    To enable SAML Front-Channel Logout with HTTP Redirect Binding

    Code Block
    <EnableSingleLogout>true</EnableSingleLogout>
    <EnableFrontChannelLogout>true</EnableFrontChannelLogout>
    <FrontChannelLogoutBinding>HTTPRedirectBinding</FrontChannelLogoutBinding>

    To enable SAML Front-Channel Logout with HTTP POST Binding

    Code Block
    <EnableSingleLogout>true</EnableSingleLogout>
    <EnableFrontChannelLogout>true</EnableFrontChannelLogout>
    <FrontChannelLogoutBinding>HTTPPostBinding</FrontChannelLogoutBinding>
  2. Create a file named travelocity.com.xml in the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/service-providers directory.
  3. Add the following configurations into the travelocity.com.xml file you created. This adds the necessary SAML configurations to the travelocity service provider.

    Note

    If you added the "SHARED_" prefix to the identity provider name when adding the identity provider, replace the  <IdentityProviderName>  value (found under the  <LocalAndOutBoundAuthenticationConfig>  element) in the  travelocity.com.xml  file, with the following value.

    Code Block
    SHARED_identityProviderIDP_IS
    Code Block
    languagexml
    <ServiceProvider>
        <ApplicationID>3</ApplicationID>
        <ApplicationName>travelocity.com</ApplicationName>
        <Description>travelocity Service Provider</Description>
        <IsSaaSApp>true</IsSaaSApp>
        <InboundAuthenticationConfig>
            <InboundAuthenticationRequestConfigs>
                <InboundAuthenticationRequestConfig>
                    <InboundAuthKey>travelocity.com</InboundAuthKey>
                    <InboundAuthType>samlsso</InboundAuthType>
                    <Properties></Properties>
                </InboundAuthenticationRequestConfig>
            </InboundAuthenticationRequestConfigs>
        </InboundAuthenticationConfig>
      
        <LocalAndOutBoundAuthenticationConfig>
        <AuthenticationSteps>
            <AuthenticationStep>
                <StepOrder>1</StepOrder>
                <LocalAuthenticatorConfigs>
                    <LocalAuthenticatorConfig>
                        <Name>BasicAuthenticator</Name>
                        <DisplayName>basicauth</DisplayName>
                        <IsEnabled>true</IsEnabled>
                    </LocalAuthenticatorConfig>
                </LocalAuthenticatorConfigs>
                <FederatedIdentityProviders>
                    <IdentityProvider>
                        <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
                        <IsEnabled>true</IsEnabled>
                        <DefaultAuthenticatorConfig>
                            <FederatedAuthenticatorConfigs>
                                <FederatedAuthenticatorConfig>
                                    <Name>SAMLSSOAuthenticator</Name>
                                    <DisplayName>samlsso</DisplayName>
                                    <IsEnabled>true</IsEnabled>
                                </FederatedAuthenticatorConfig>
                            </FederatedAuthenticatorConfigs>
                        </DefaultAuthenticatorConfig>
                    </IdentityProvider>
                </FederatedIdentityProviders>
                <SubjectStep>true</SubjectStep>
                <AttributeStep>true</AttributeStep>
            </AuthenticationStep>
        </AuthenticationSteps>
    </LocalAndOutBoundAuthenticationConfig>
        <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
        <InboundProvisioningConfig></InboundProvisioningConfig>
        <OutboundProvisioningConfig></OutboundProvisioningConfig>
        <ClaimConfig>
            <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
            <LocalClaimDialect>true</LocalClaimDialect><ClaimMappings><ClaimMapping><LocalClaim><ClaimUri>http://wso2.org/claims/givenname</ClaimUri></LocalClaim><RemoteClaim><ClaimUri>http://wso2.org/claims/givenName</ClaimUri>ClaimUri></RemoteClaim><RequestClaim>true</RequestClaim></ClaimMapping></ClaimMappings></ClaimConfig>    
        <PermissionAndRoleConfig></PermissionAndRoleConfig>
    </ServiceProvider>
  4. Restart the WSO2 Identity Server to apply the file-based configurations to the system. 

    Note

    Please note that the management console will not show the SP related configuration information if it is loaded through a file (as shown above)

...