...
Create a MySQL database (e.g., registry) and run the
<IS_HOME>/dbscripts/mysql.sql
script on it to create the required tables.
If you are using a different database type, find the relevant script from the<IS_HOME>/dbscripts
directory.Note There are two MySQL DB scripts available in the product distribution f rom WSO2 Carbon Kernel 4.4.6 onwards . Click here to identify as to which version of the MySQL script to use.
Add the following datasource configuration to both the
<IS_HOME>/repository/conf/datasources/master-datasources.xml
and<API-M_HOME>/repository/conf/datasources/master-datasources.xml
files.Code Block language xml <datasource> <name>WSO2REG_DB</name> <description>The datasource used for registry</description> <jndiConfig> <name>jdbc/WSO2REG_DB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&relaxAutoCommit=true&</url> <username>apiuser</username> <password>apimanager</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>50</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> </configuration> </definition> </datasource>
Note Modify the username and password parameters of above configuration with your mysql database credentials.
Info Refer Configuring master-datasources.xml for descriptive information about each property of the datasource configuration.
Create the registry mounts by inserting the following sections into the
<IS_HOME>/repository/conf/registry.xml
file.Tip When doing this change, do not replace the existing
<dbConfig>
for "wso2registry
". Simply add the following configuration to the existing configurations.Code Block language xml <dbConfig name="govregistry"> <dataSource>jdbc/WSO2REG_DB</dataSource> </dbConfig> <remoteInstance url="https://localhost"> <id>gov</id> <dbConfig>govregistry</dbConfig> <readOnly>false</readOnly> <enableCache>true</enableCache> <registryRoot>/</registryRoot> </remoteInstance> <mount path="/_system/governance" overwrite="true"> <instanceId>gov</instanceId> <targetPath>/_system/governance</targetPath> </mount> <mount path="/_system/config" overwrite="true"> <instanceId>gov</instanceId> <targetPath>/_system/config</targetPath> </mount>
Info Refer Configuring registry.xml for more details on configuration details and usage of registry.xml
Repeat the above step in the
<API-M_HOME>/repository/conf/registry.xml
file as well.
...
Start WSO2 Identity Server.
Code Block ./wso2server.sh -DportOffset=1
Tip You also can change Port offset value by changing <Offset> 1 </Offset> under <Ports> in
<IS_HOME>/repository/conf/carbon.xml file.
Info title What is port offset? The port offset feature allows you to run multiple WSO2 products, multiple instances of a WSO2 product, or multiple WSO2 product clusters on the same server or virtual machine (VM). The port offset defines the number by which all ports defined in the runtime, such as the HTTP/S ports, will be offset. For example, if the HTTPS port is defined as 9443 and the portOffset is 1, the effective HTTPS port will be 9444.
Sign in to the WSO2 IS Management Console UI (
https://localhost:9444/carbon)
.Tip If you use signin pages that are hosted externally to sign in to the Identity Server, give the absolute URLs of those login pages in the
authenticators.xml
andapplication-authenticators.xml
files in the<IS_HOME>/repository/conf/identity
directory.- Select Add under the Service Providers menu.
Give a service provider name and click Register.
Tip In a multi tenanted environment, for all tenants to be able to log in to the APIM Web applications, do the following:
Click the SaaS Application option that appears after registering the service provider.
If not, only users in the current tenant domain (the one you are defining the service provider in) will be allowed to log in to the Web application and you have to register new service providers for all Web applications (API Store and API Publisher in this case) from each tenant space separately. For example, let's say you have three tenants as TA, TB and TC and you register the service provider in TA only. If you tick the SaaS Application option, all users in TA, TB, TC tenant domains will be able to log in. Else, only users in TA will be able to log in.
Add the following inside the
<SSOService>
element in the<IS_HOME>/repository/conf/identity/identity.xml
file and restart the server.Code Block <SSOService> <UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto> ... </SSOService>
If not, you get an exception as SAML response signature verification fails.
- Because the servers in a multi-tenanted environment interact with all tenants, all nodes should share the same user store. Therefore, make sure you have a shared registry (JDBC mount, WSO2 Governance Registry etc.) instance across all nodes.
You are navigated to the detailed configuration page. Inside the Inbound Authentication Configuratio n section, expand SAML2 Web SSO Configuration and click Configure.
Note To enable tenant specific SSO with IS 5.3.0 for
API_PUBLISHER
andAPI_STORE
, enable Use tenant domain in local subject identifier under the Local & Outbound Authentication Configuration section.Provide the configurations to register the API Publisher as the SSO service provider. These sample values may change depending in your configuration.
- Issuer: API_PUBLISHER
- Assertion Consumer URL:
https://localhost:9443/publisher/jagg/jaggery_acs.jag
. Change the IP and port accordingly. This is the URL for the Assertion Consumer Services (ACS) page in your running publisher app. Select the following options:
Enable Response Signing
Enable Single Logout
- Click Register once done.
For example:
Similarly, provide the configurations to register the API Store as the SSO service provider. These sample values may change depending in your configuration.
- Issuer: API_STORE
- Assertion Consumer URL:
https://localhost:9443/store/jagg/jaggery_acs.jag
. Change the IP and port accordingly. This is the URL for the acs page in your running Store app. - Select the following options:
- Enable Response Signing
- Enable Single Logout
- Click Register once done.
- Make sure that the
responseSigningEnabled
element is set totrue
in both the following files:<API-M_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json
<API-M_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json
...
- Open
<API-M_Home>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json
and modify the following configurations found under ssoConfiguration.- enabled: Set this value to true to enable SSO in the application
- issuer:
API_PUBLISHER
. This value can change depending on the Issuer value defined in WSO2 IS SSO configuration above. - identityProviderURL: https://localhost:9444/samlsso. Change the IP and port accordingly. This is the redirecting SSO URL in your running WSO2 IS server instance.
- keyStoreName: The keystore of the running IDP. As you use a remote instance of WSO2 IS here, you can import the public certificate of the IS keystore to the APIM and then point to the APIM keystore. The default keystore of the APIM is
<API-M_HOME>/repository/resources/security/wso2carbon.jks
. Be sure to give the full path of the keystore here. - keyStorePassword: Password for the above keystore. The default keyStorePassword is
wso2carbon
. - identityAlias: wso2carbon
Similarly, configure the API Store with SSO. The only difference in API Store SSO configurations is setting API_STORE as the issuer.
- Reduce the priority of the
SAML2SSOAuthenticator
configuration in the<API-M_HOME>/repository/conf/security/authenticators.xml
file.
You do this as a workaround for a known issue that will be fixed in a future release. TheSAML2SSOAuthenticator
handler does not process only SAML authentication requests at the moment. If you set its priority higher than that of theBasicAuthenticator
handler, theSAML2SSOAuthenticator
tries to process the basic authentication requests as well. This causes login issues in the API Publisher/Store.Code Block <Authenticator name="SAML2SSOAuthenticator" disabled="false"> <Priority>0</Priority> .... </Authenticator>
Note You can skip this step if you are using Identity Server 5.3.0 as the IDP.
- Access the API Publisher:
https://localhost:<port_number>/publisher
(e.g.,https://localhost:9443/publisher
). Observe the request redirect to the WSO2 IS SAML2.0 based SSO login page. For example,
- Enter user credentials. If the user authentication is successful against WSO2 IS, it will redirect to the API Publisher Web application with the user already authenticated.
- Access the API Store application, click its Login link (top, right-hand corner) and verify that the same user is already authenticated in API Store.
...