
Single sign-on (SSO) allows users who are authenticated against one application to gain access to multiple other related applications without having to authenticate again. It also allows the Web applications to gain access to a set of back-end services with the logged-in user's access rights, and the back-end services can authorize the user based on different claims, such as the user's role.

...

Configuring WSO2 Identity Server as a SAML 2.0 SSO Identity Provider

  1. Start the IS server and log in to its Management Console UI (https://localhost:9443/carbon).

    Tip

    If you use login pages that are hosted externally to log in to the Identity Server, give the absolute URLs of those login pages in the authenticators.xml and application-authenticators.xml files in the <IS_HOME>/repository/conf/security directory.

  2. Select Add under Service Providers menu.
  3. Give a service provider name and click Register.

    Tip

    If you are working in a multi-tenanted environment and you want all tenants to be able to log in to the APIM Web applications, you must tick the SaaS Application option that appears after registering the service provider.

    If not, only users in the current tenant domain (the one you are defining the service provider in) will be allowed to log in to the Web application, and you have to register new service providers for all Web applications (API Store and API Publisher in this case) from each tenant space separately. For example, say you have three tenants, TA, TB and TC, and you register the service provider in TA only. If you tick the SaaS Application option, all users in the TA, TB and TC tenant domains will be able to log in. Otherwise, only users in TA will be able to log in.

  4. You are navigated to the detailed configuration page. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section.
  5. Provide the following configurations to register the API Manager Web applications as SSO service providers.

    Note

    In the following configurations, use the exact values that were used to configure the API Manager Web applications.

    To register API Publisher as an SSO service provider:

      • Issuer : API_PUBLISHER
      • Assertion Consumer URL: https://localhost:9443/publisher/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL of the ACS (Assertion Consumer Service) page in your running publisher app.
      • Select the following options:
        • Use fully qualified username in the NameID
        • Enable Response Signing
        • Enable Assertion Signing
        • Enable Single Logout
      • Click Register once done.

    To register API Store as an SSO service provider:

      • Issuer : API_STORE
      • Assertion Consumer URL: https://localhost:9443/store/jagg/jaggery_acs.jag. Change the IP and port accordingly. This is the URL of the ACS (Assertion Consumer Service) page in your running store app.
      • Select the following options:
        • Use fully qualified username in the NameID  
        • Enable Response Signing  
        • Enable Assertion Signing  
        • Enable Single Logout    
      • Click Register once done.
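The options ticked above define a policy the service provider must enforce on every SAML response it receives: the response and the assertion are both signed, the audience is the registered Issuer, the Destination is the Assertion Consumer URL, and the NameID is a tenant-qualified username. The following added example (not WSO2 code) performs that structural policy check with the standard library; the cryptographic XML-DSig verification itself is left to the SSO library, and the sample response, stub Signature elements and IdP issuer value "localhost" are constructed for illustration.

```python
# Added example: structural policy check on an incoming SAML 2.0 Response, mirroring
# the service-provider options registered in WSO2 IS (Response Signing, Assertion
# Signing, fully qualified NameID) plus the Issuer / ACS URL pair that must match
# between IS and the APIM site.json. Signature presence is checked here; the actual
# cryptographic verification is the SSO library's job.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_saml_response(xml_text, registered_issuer, acs_url):
    """Return a list of policy violations; an empty list means the response passes.
    registered_issuer: Issuer configured in IS (API_PUBLISHER / API_STORE), which the
    IdP echoes back as the Audience; acs_url: the Assertion Consumer URL."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (Enable Response Signing is on)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion (encrypted assertions not handled here)"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed (Enable Assertion Signing is on)")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != registered_issuer:
        problems.append(f"Audience {audience!r} != registered issuer {registered_issuer!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""
    if "@" not in name_id:  # fully qualified username is user@tenantdomain
        problems.append(f"NameID {name_id!r} is not a fully qualified username")
    return problems

# Constructed sample shaped like a response sent to the publisher ACS URL;
# the <ds:Signature/> elements are stubs standing in for real signatures.
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="r1" Version="2.0"
  Destination="https://localhost:9443/publisher/jagg/jaggery_acs.jag">
  <saml:Issuer>localhost</saml:Issuer><ds:Signature/>
  <saml:Assertion ID="a1" Version="2.0">
    <saml:Issuer>localhost</saml:Issuer><ds:Signature/>
    <saml:Subject><saml:NameID>admin@carbon.super</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>API_PUBLISHER</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Feeding the publisher response to a checker configured with the API Store values shows how an Issuer or ACS URL mismatch between the two sides surfaces as a rejection rather than a silent login.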


Configuring WSO2 API Manager Apps as SAML 2.0 SSO Service Providers

  1. Open <AM_Home>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json and modify the following configurations found under ssoConfiguration.
    • keyStoreName: The keystore of the running IdP. As you use a remote instance of WSO2 IS here, you can import the public certificate of the IS keystore into the APIM keystore and then point to the APIM keystore. The default keystore of the APIM is <APIM_HOME>/repository/resources/security/wso2carbon.jks. Be sure to give the full path of the keystore here.
    • keyStorePassword: Password for the above keystore.
    • identityAlias: wso2carbon.
    • enabled: Set this value to true to enable SSO in the application.
    • issuer: API_PUBLISHER. This value can change depending on the Issuer value defined in WSO2 IS SSO configuration above.
    • identityProviderURL: https://localhost:9444/samlsso. Change the IP and port accordingly. This is the redirecting SSO URL in your running WSO2 IS server instance.
  2. Similarly, configure the API Store with SSO. The only difference in API Store SSO configurations is setting API_STORE as the issuer.
  3. Access the API Publisher: https://localhost:<Port number>/publisher (e.g., https://localhost:9443/publisher). Observe that the request is redirected to the WSO2 IS SAML 2.0 based SSO login page.
  4. Enter user credentials. If the user authentication is successful against WSO2 IS, it will redirect to the API Publisher Web application with the user already authenticated.
  5. Access the API Store application, click its Login link (top, right-hand corner) and verify that the same user is already authenticated in API Store.

...

Info

If there are many WSO2 products in your environment, you can configure SSO for the management consoles of all products by changing the SAML2SSOAuthenticator configuration in <PRODUCT_HOME>/repository/conf/security/authenticators.xml file as follows:

  • Set the disabled attribute of the <Authenticator> element to false
  • ServiceProviderID : In this example, it is the issuer name of the service provider created in step 1
  • IdentityProviderSSOServiceURL : In this example, it is the Identity Server port

    <Authenticator name="SAML2SSOAuthenticator" disabled="false">
        <Priority>10</Priority>
        <Config>
            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
            <Parameter name="ServiceProviderID">carbonserver1</Parameter>
            <Parameter name="IdentityProviderSSOServiceURL">https://localhost:9444/samlsso</Parameter>
            <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
        </Config>
    </Authenticator>

    Make sure the <Priority> of the SAML2SSOAuthenticator is less than that of the BasicAuthenticator handler.