...
- Start the identity provider IS and access the Management Console.
- Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
- Fill in the Service Provider Name and provide a brief Description of the service provider. For the purposes of this scenario, enter the Service Provider Name as ServiceProviderSP_IS.
- Click Register to add the service provider.
- Expand the Inbound Authentication and SAML2 Web SSO Configuration sections and click Configure. Do the following configurations.

| Configurations to be done | Description |
|---|---|
| Issuer: travelocitySP | This must be the same as the value you enter for the Service Provider Entity Id when configuring the identity provider in the service provider IS. |
| Assertion Consumer URL: https://localhost:9443/commonauth | This is the URL to which the browser is redirected after authentication succeeds. It is the Assertion Consumer Service (ACS) URL of the service provider, and the identity provider redirects the SAML2 response to it. However, if the SAML2 request is signed and contains the ACS URL, the Identity Server honors the ACS URL of the SAML2 request. It should be defined in this format: https://(host-name):(port)/acs. |
| Use fully qualified username in the NameID | A fully qualified username is the username prefixed with its user store domain. In short, the username must be in the following format: {user store domain}/{user name} |
| Enable Single Logout | When single logout is enabled, the identity provider sends logout requests to all service providers; that is, the identity provider acts according to the single logout profile. |

- Click Register to save your changes.
...
```xml
<IdentityProvider>
  <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
  <DisplayName>identityProviderIDP_IS</DisplayName>
  <IdentityProviderDescription></IdentityProviderDescription>
  <Alias>https://localhost:9444/oauth2/token/</Alias>
  <IsPrimary></IsPrimary>
  <IsEnabled>true</IsEnabled>
  <IsFederationHub></IsFederationHub>
  <HomeRealmId></HomeRealmId>
  <ProvisioningRole></ProvisioningRole>
  <FederatedAuthenticatorConfigs>
    <saml2>
      <Name>SAMLSSOAuthenticator</Name>
      <DisplayName>samlsso</DisplayName>
      <IsEnabled>true</IsEnabled>
      <Properties>
        <property>
          <Name>IdPEntityId</Name>
          <Value>identiryProviderIDP</Value>
        </property>
        <property>
          <Name>IsLogoutEnabled</Name>
          <Value>true</Value>
        </property>
        <property>
          <Name>SPEntityId</Name>
          <Value>travelocitySP</Value>
        </property>
        <property>
          <Name>SSOUrl</Name>
          <Value>https://localhost:9444/samlsso/</Value>
        </property>
        <property>
          <Name>isAssertionSigned</Name>
          <Value>false</Value>
        </property>
        <property>
          <Name>commonAuthQueryParams</Name>
          <Value></Value>
        </property>
        <property>
          <Name>IsUserIdInClaims</Name>
          <Value>false</Value>
        </property>
        <property>
          <Name>IsLogoutReqSigned</Name>
          <Value>false</Value>
        </property>
        <property>
          <Name>IsAssertionEncrypted</Name>
          <Value>false</Value>
        </property>
        <property>
          <Name>IsAuthReqSigned</Name>
          <Value>false</Value>
        </property>
        <property>
          <Name>IsAuthnRespSigned</Name>
          <Value>false</Value>
        </property>
        <property>
          <Name>LogoutReqUrl</Name>
          <Value>false</Value>
        </property>
      </Properties>
    </saml2>
  </FederatedAuthenticatorConfigs>
  <DefaultAuthenticatorConfig>SAMLSSOAuthenticator</DefaultAuthenticatorConfig>
  <ProvisioningConnectorConfigs>
  </ProvisioningConnectorConfigs>
  <DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig>
  <ClaimConfig></ClaimConfig>
  <Certificate></Certificate>
  <PermissionAndRoleConfig></PermissionAndRoleConfig>
  <JustInTimeProvisioningConfig></JustInTimeProvisioningConfig>
</IdentityProvider>
```
Tip: When studying the above configurations, you can identify the Service Provider Entity Id in the following code snippet.

About certificates: The following is a sample command if the identity provider is WSO2 Identity Server, where you can export the public certificate in PEM format.

```shell
keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -rfc -file ispublic_crt.pem
```

Then open the certificate file in a text editor to see the certificate value. Copy this certificate value and place it in the file within the <Certificate> tag. Note that the above applies only if the identity provider is the WSO2 Identity Server. If the identity provider is a third-party IdP, obtain its certificate in PEM format and read the value. You need to copy the entire content of the PEM file and place it between the <Certificate> tags.
Adding the service provider in the service provider IS
...
- Open the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/sso-idp-config.xml file and add the following configuration to it. This adds the travelocity application as a service provider.

```xml
<ServiceProvider>
  <Issuer>travelocity.com</Issuer>
  <AssertionConsumerServiceURLs>
    <AssertionConsumerServiceURL>http://localhost:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL>
  </AssertionConsumerServiceURLs>
  <DefaultAssertionConsumerServiceURL>http://localhost:8080/travelocity.com/home.jsp</DefaultAssertionConsumerServiceURL>
  <EnableSingleLogout>true</EnableSingleLogout>
  <SLOResponseURL></SLOResponseURL>
  <SLORequestURL></SLORequestURL>
  <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI>
  <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI>
  <SignResponse>true</SignResponse>
  <ValidateSignatures>true</ValidateSignatures>
  <EncryptAssertion>true</EncryptAssertion>
  <CertAlias></CertAlias>
  <EnableAttributeProfile>true</EnableAttributeProfile>
  <IncludeAttributeByDefault>true</IncludeAttributeByDefault>
  <ConsumingServiceIndex>2104589</ConsumingServiceIndex>
  <EnableAudienceRestriction>false</EnableAudienceRestriction>
  <AudiencesList>
    <Audience></Audience>
  </AudiencesList>
  <EnableRecipients>false</EnableRecipients>
  <RecipientList>
    <Recipient></Recipient>
  </RecipientList>
  <EnableIdPInitiatedSSO>false</EnableIdPInitiatedSSO>
  <EnableIdPInitSLO>false</EnableIdPInitSLO>
  <ReturnToURLList>
    <ReturnToURL></ReturnToURL>
  </ReturnToURLList>
</ServiceProvider>
```
- Create a file named travelocity.com.xml in the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/service-providers directory. Add the following configurations into the travelocity.com.xml file you created. This adds the necessary SAML configurations to the travelocity service provider.

Note: If you added the "SHARED_" prefix to the identity provider name when adding the identity provider, replace the <IdentityProviderName> value (found under the <LocalAndOutBoundAuthenticationConfig> element) in the travelocity.com.xml file with the following value.

```
SHARED_identityProviderIDP_IS
```

```xml
<ServiceProvider>
  <ApplicationID>3</ApplicationID>
  <ApplicationName>travelocity.com</ApplicationName>
  <Description>travelocity Service Provider</Description>
  <IsSaaSApp>true</IsSaaSApp>
  <InboundAuthenticationConfig>
    <InboundAuthenticationRequestConfigs>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>travelocity.com</InboundAuthKey>
        <InboundAuthType>samlsso</InboundAuthType>
        <Properties></Properties>
      </InboundAuthenticationRequestConfig>
    </InboundAuthenticationRequestConfigs>
  </InboundAuthenticationConfig>
  <LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps>
      <AuthenticationStep>
        <StepOrder>1</StepOrder>
        <LocalAuthenticatorConfigs>
          <LocalAuthenticatorConfig>
            <Name>BasicAuthenticator</Name>
            <DisplayName>basicauth</DisplayName>
            <IsEnabled>true</IsEnabled>
          </LocalAuthenticatorConfig>
        </LocalAuthenticatorConfigs>
        <FederatedIdentityProviders>
          <IdentityProvider>
            <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
            <IsEnabled>true</IsEnabled>
            <DefaultAuthenticatorConfig>
              <FederatedAuthenticatorConfig>
                <Name>SAMLSSOAuthenticator</Name>
                <DisplayName>samlsso</DisplayName>
                <IsEnabled>true</IsEnabled>
              </FederatedAuthenticatorConfig>
            </DefaultAuthenticatorConfig>
          </IdentityProvider>
        </FederatedIdentityProviders>
        <SubjectStep>true</SubjectStep>
        <AttributeStep>true</AttributeStep>
      </AuthenticationStep>
    </AuthenticationSteps>
  </LocalAndOutBoundAuthenticationConfig>
  <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
  <InboundProvisioningConfig></InboundProvisioningConfig>
  <OutboundProvisioningConfig></OutboundProvisioningConfig>
  <ClaimConfig>
    <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
    <LocalClaimDialect>true</LocalClaimDialect>
    <ClaimMappings>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/givenname</ClaimUri>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/givenName</ClaimUri>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
      </ClaimMapping>
    </ClaimMappings>
  </ClaimConfig>
  <PermissionAndRoleConfig></PermissionAndRoleConfig>
</ServiceProvider>
```
...
- Create new tenants in the service provider IS.

Note: You cannot restrict access to the service provider and identity provider to a specific tenant domain; they are accessible to all the tenants configured.
- Open the <TOMCAT_HOME>/webapps/travelocity.com/WEB-INF/classes/travelocity.properties file. The full contents of the travelocity.properties file are as follows.

```properties
EnableSAMLSSOLogin=true
EnableOpenIDLogin=true
EnableSAML2Grant=false

#This is the URL of the page that is used to choose the login scheme
#such as SAML SSO or OpenID. This Url will not be processed by the
#SSOAgentFilter
LoginUrl=index.jsp

#Url to do send SAMLSSO AuthnRequest
SAMLSSOUrl=samlsso

#Url to do send SAML2 Grant OAuth2 Request
SAML2GrantUrl=token

#Url to send OpenID Authentication Request
OpenIDUrl=openid

#A unique identifier for this SAML 2.0 Service Provider application
SAML.IssuerID=travelocity.com

#SAML.Request.Query.Param=&tenantDomain=tenant.domain

#The URL of the SAML 2.0 Assertion Consumer
SAML.ConsumerUrl=http://localhost:8080/travelocity.com/home.jsp

#The URL of the SAML 2.0 Identity Provider
SAML.IdPUrl=https://localhost:9443/samlsso

#This is the attribute name under which the authenticated session information
#of SAML SSO and OpenID are stored
SSOAgentSessionBeanName=SSOAgentSessionBean

#Identifier given for the Service Provider for SAML 2.0 attributes
#exchange
#SAML.AttributeConsumingServiceIndex=1701087467

#Specify if SingleLogout is enabled/disabled
SAML.EnableSLO=true

#This is the URL that is used for SLO
SAML.LogoutUrl=logout

#Specify if SAMLResponse element is signed
SAML.EnableResponseSigning=false

#Specify if SAMLAssertion element is signed
SAML.EnableAssertionSigning=false

#Specify if SAMLAssertion element is encrypted
SAML.EnableAssertionEncryption=false

#Specify if AuthnRequests and LogoutRequests should be signed
SAML.EnableRequestSigning=false

#Specify if force authentication enabled
SAML.EnableForceAuthentication=false

#Custom credentials class
SAML.SSOAgentCredentialImplClass=org.wso2.carbon.identity.sso.agent.saml.SSOAgentKeyStoreCredential

#KeyStore to cryptographic credentials
#KeyStore=/home/johann/Desktop/wso2is4.1.0/repository/resources/security/wso2carbon.jks

#Password of the KeyStore for SAML and OpenID
KeyStorePassword=wso2carbon

#Alias of the IdP's public certificate
SAML.IdPCertAlias=wso2carbon

#Alias of the SP's private key
SAML.PrivateKeyAlias=wso2carbon

#Private key password to retrieve the private key used to sign
#AuthnRequest and LogoutRequest messages
SAML.PrivateKeyPassword=wso2carbon

#OAuth2 token endpoint URL
SAML.OAuth2TokenEndpoint=https://localhost:9443/oauth2/token

#OAuth2 Client ID
SAML.OAuth2ClientID=Qn5DQHCYfshxeZh6R9SL1HM2lsMa

#OAuth2 Client Secret
SAML.OAuth2ClientSecret=cbkAs1gajdwPAMbrSR54hPAIcz0a

#OpenId Provider Url
OpenID.OpenIdProviderUrl=https://localhost:9443/openid/

#openid.return_to parameter
OpenID.ReturnToUrl=http://localhost:8080/travelocity.com/home.jsp

#This is the request parameter name under which to find the
#openid.claimed_id value to send OpenID authentication request
OpenID.ClaimedIDParameterName=claimed_id

#Custom OpenID AttributesRequestor class
OpenID.AttributesRequestorImplClass=SampleAttributesRequestor

#Additional request parameters
#SAML.Request.Query.Param=&forceAuth=true
```
- In the travelocity.properties file, locate and uncomment the following value. Replace the tenant domain (tenant.domain) with your newly created tenant domain.

```properties
#SAML.Request.Query.Param=&tenantDomain=tenant.domain
```

Tip: You can uncomment values in this file by removing the "#".

- If you made any changes to the port offset, you must ensure that this change is reflected in the port value of the following property.

```properties
SAML.IdPUrl=https://localhost:9443/samlsso
```

- Restart Apache Tomcat and access the travelocity application. You will be able to log in using the identity provider credentials regardless of the tenant domain you are using. Access the travelocity application using the following URL: http://localhost:8080/travelocity.com/index.jsp
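The steps above configure the same service provider on two sides, the <ServiceProvider> entry in sso-idp-config.xml and the agent's travelocity.properties, and the values must agree. The following script is an added check, not part of this page or of WSO2's code: it parses both files, reports every flag that differs between the two sides, and flags the tenant.domain placeholder if it was left unreplaced. Both inputs are constructed excerpts that mirror the values used on this page.

```python
"""Cross-check the SSO agent's travelocity.properties against the matching
<ServiceProvider> entry of sso-idp-config.xml (added example, not WSO2 code)."""
import xml.etree.ElementTree as ET
# Constructed excerpt of sso-idp-config.xml, same values as on this page.
SSO_IDP_CONFIG = """<SSOIdentityProviderConfig><ServiceProviders><ServiceProvider>
  <Issuer>travelocity.com</Issuer>
  <DefaultAssertionConsumerServiceURL>http://localhost:8080/travelocity.com/home.jsp</DefaultAssertionConsumerServiceURL>
  <EnableSingleLogout>true</EnableSingleLogout>
  <SignResponse>true</SignResponse>
  <EncryptAssertion>true</EncryptAssertion>
</ServiceProvider></ServiceProviders></SSOIdentityProviderConfig>"""

# Constructed travelocity.properties excerpt; tenant.domain is left in so the last check fires.
TRAVELOCITY_PROPERTIES = """\
SAML.IssuerID=travelocity.com
SAML.Request.Query.Param=&tenantDomain=tenant.domain
SAML.ConsumerUrl=http://localhost:8080/travelocity.com/home.jsp
SAML.EnableSLO=true
SAML.EnableResponseSigning=false
SAML.EnableAssertionEncryption=false
#SAML.Request.Query.Param=&forceAuth=true
"""

def parse_properties(text):
    """Minimal Java .properties reader: '#' lines are comments, first '=' splits key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props
def check_agent_against_idp(xml_text, props_text):
    """Return a list of findings; an empty list means both sides agree."""
    props = parse_properties(props_text)
    sp = next((s for s in ET.fromstring(xml_text).iter("ServiceProvider")
               if s.findtext("Issuer") == props.get("SAML.IssuerID")), None)
    if sp is None:
        return ["no <ServiceProvider> whose <Issuer> matches SAML.IssuerID"]
    findings = []
    pairs = [("DefaultAssertionConsumerServiceURL", "SAML.ConsumerUrl"),  # IdP element, agent property
             ("EnableSingleLogout", "SAML.EnableSLO"),
             ("SignResponse", "SAML.EnableResponseSigning"),
             ("EncryptAssertion", "SAML.EnableAssertionEncryption")]
    for xml_key, prop_key in pairs:
        if sp.findtext(xml_key) != props.get(prop_key):
            findings.append(f"{prop_key}={props.get(prop_key)} but <{xml_key}> is {sp.findtext(xml_key)}")
    if "tenantDomain=tenant.domain" in props.get("SAML.Request.Query.Param", ""):
        findings.append("SAML.Request.Query.Param still carries the tenant.domain placeholder")
    return findings
```

Run against the page's values as given, the check reports that the IdP side signs responses and encrypts assertions while the agent side has both disabled, which is exactly the kind of mismatch that surfaces only at login time.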