This topic provides instructions on how to create a service provider and identity provider in the WSO2 Identity Server using configuration files, an approach typically used during the deployment stage. This is done so that multiple tenants in the Identity Server can have the same identity provider.

...

Before you begin

Do the following steps to set up the two WSO2 Identity Server instances for the scenario.

  1. Download and install the two Identity Server instances.
  2. In the <IDENTITY_PROVIDER_IS_HOME>/repository/conf/carbon.xml file, locate the Offset element and change this to 1. This is done to increment the port values in the identity provider IS so that there is no port conflict with the service provider IS. Port conflicts occur when multiple WSO2 product instances run on the same machine.

    <Offset>1</Offset>

Now you have set up the Identity Server instances, so you can proceed with the configuration steps.

...

  1. Start the identity provider IS and access the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
  3. Fill in the Service Provider Name and provide a brief Description of the service provider. For the purposes of this scenario, enter the Service Provider Name as ServiceProviderSP_IS.
  4. Click Register to add the service provider.
  5. Expand the Inbound Authentication and SAML2 Web SSO Configuration sections and click Configure.
  6. Do the following configurations.

    Configurations to be done, each followed by its description:

    Issuer: travelocitySP
    This must be the same as the value you enter for the Service Provider Entity Id when configuring the identity provider in the service provider IS.

    Assertion Consumer URL: https://localhost:9443/commonauth
    This is the URL to which the browser should be redirected after the authentication is successful. This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this URL. However, if the SAML2 request is signed and the SAML2 request contains the ACS URL, the Identity Server will honor the ACS URL of the SAML2 request. It should be defined in this format: https://(host-name):(port)/acs.

    Use fully qualified username in the NameID
    A fully qualified username is the username with the user store domain. In short, the username must be in the following format: {user store domain}{user name}.

    Enable Single Logout
    When single logout is enabled, the identity provider sends logout requests to all service providers. The identity provider acts according to the single logout profile.

  7. Click Register to save your changes.

...

identityProviderIDP_IS.xml

<IdentityProvider>
	<IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
	<DisplayName>identityProviderIDP_IS</DisplayName>
	<IdentityProviderDescription></IdentityProviderDescription>
	<Alias>https://localhost:9444/oauth2/token/</Alias>
	<IsPrimary></IsPrimary>
	<IsEnabled>true</IsEnabled>
	<IsFederationHub></IsFederationHub>
	<HomeRealmId></HomeRealmId>
	<ProvisioningRole></ProvisioningRole>
	<FederatedAuthenticatorConfigs>
		<saml2>
			<Name>SAMLSSOAuthenticator</Name>
			<DisplayName>samlsso</DisplayName>
			<IsEnabled>true</IsEnabled>
			<Properties>
				<property>
					<Name>IdPEntityId</Name>
					<Value>identiryProviderIDP</Value>
				</property>
				<property>
					<Name>IsLogoutEnabled</Name>
					<Value>true</Value>
				</property>
				<property>
					<Name>SPEntityId</Name>
					<Value>travelocitySP</Value>
				</property>
				<property>
					<Name>SSOUrl</Name>
					<Value>https://localhost:9444/samlsso/</Value>
				</property>
				<property>
					<Name>isAssertionSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>commonAuthQueryParams</Name>
					<Value></Value>
				</property>
				<property>
					<Name>IsUserIdInClaims</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsLogoutReqSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsAssertionEncrypted</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsAuthReqSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>IsAuthnRespSigned</Name>
					<Value>false</Value>
				</property>
				<property>
					<Name>LogoutReqUrl</Name>
					<Value>false</Value>
				</property>
			</Properties>
		</saml2>
	</FederatedAuthenticatorConfigs>
	<DefaultAuthenticatorConfig>SAMLSSOAuthenticator</DefaultAuthenticatorConfig>
	<ProvisioningConnectorConfigs>
	</ProvisioningConnectorConfigs>
	<DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig>
	<ClaimConfig></ClaimConfig>
	<Certificate></Certificate>
	<PermissionAndRoleConfig></PermissionAndRoleConfig>
	<JustInTimeProvisioningConfig></JustInTimeProvisioningConfig>
</IdentityProvider>

Tip: When studying the above configurations, you can identify the Service Provider Entity Id in the following code snippet.

<property>
	<Name>SPEntityId</Name>
	<Value>travelocitySP</Value>
</property>

Here, travelocitySP must be the same value as the value configured as the Issuer in the identity provider IS.
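The check described in this tip can be automated before the file is deployed. The following is an added example, not part of the original page or of WSO2's code: it parses a constructed, trimmed copy of the identity provider file shown above, confirms that SPEntityId equals the expected Issuer, and lists the signing switches that are set to false. The function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the identityProviderIDP_IS.xml layout shown above.
SAMPLE_IDP_XML = """<IdentityProvider>
  <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
  <FederatedAuthenticatorConfigs>
    <saml2>
      <Properties>
        <property><Name>SPEntityId</Name><Value>travelocitySP</Value></property>
        <property><Name>SSOUrl</Name><Value>https://localhost:9444/samlsso/</Value></property>
        <property><Name>isAssertionSigned</Name><Value>false</Value></property>
        <property><Name>IsAuthnRespSigned</Name><Value>false</Value></property>
        <property><Name>IsAuthReqSigned</Name><Value>false</Value></property>
        <property><Name>IsLogoutReqSigned</Name><Value>false</Value></property>
        <property><Name>IsAssertionEncrypted</Name><Value>false</Value></property>
      </Properties>
    </saml2>
  </FederatedAuthenticatorConfigs>
  <Certificate></Certificate>
</IdentityProvider>"""

# Signing switches, spelled as they appear in the file above.
SIGNING_FLAGS = ("isAssertionSigned", "IsAuthnRespSigned", "IsAuthReqSigned", "IsLogoutReqSigned")


def load_saml_properties(idp_xml):
    """Return (property dict, certificate text) from an identity provider file."""
    root = ET.fromstring(idp_xml)
    props = {}
    for prop in root.iterfind("./FederatedAuthenticatorConfigs/saml2/Properties/property"):
        name = (prop.findtext("Name") or "").strip()
        props[name] = (prop.findtext("Value") or "").strip()
    return props, (root.findtext("Certificate") or "").strip()


def audit_idp_config(idp_xml, expected_issuer):
    """List findings: issuer mismatch, disabled signing, empty certificate, non-HTTPS SSO URL."""
    props, cert = load_saml_properties(idp_xml)
    findings = []
    sp_entity_id = props.get("SPEntityId", "")
    if sp_entity_id != expected_issuer:
        findings.append(f"SPEntityId '{sp_entity_id}' does not match Issuer '{expected_issuer}'")
    for flag in SIGNING_FLAGS:
        if props.get(flag, "false").lower() != "true":
            findings.append(f"{flag} is not enabled")
    if not cert:
        findings.append("Certificate element is empty")
    if not props.get("SSOUrl", "").lower().startswith("https://"):
        findings.append("SSOUrl is not HTTPS")
    return findings


if __name__ == "__main__":
    for finding in audit_idp_config(SAMPLE_IDP_XML, "travelocitySP"):
        print("FINDING:", finding)
```
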

About certificates: If the identity provider is WSO2 Identity Server, the following sample command exports its public certificate in PEM format.

keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -rfc -file ispublic_crt.pem

Then open the certificate file in a text editor to see the certificate value. Copy this certificate value and place it in the file within the <Certificate> tag.

Note that the above applies only if the identity provider is the WSO2 Identity Server. If the identity provider is a third-party IdP, you can get the certificate in PEM format and read the value. You need to copy the entire content of the PEM file and place it within the <Certificate> tag.

Adding the service provider in the service provider IS

...

  1. Open the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/sso-idp-config.xml file and add the following configuration under the <ServiceProviders> tag of the <SSOIdentityProviderConfig> property. This adds the travelocity application as a service provider.

    <ServiceProvider>
        <Issuer>travelocity.com</Issuer>
        <AssertionConsumerServiceURLs>
          <AssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL>
        </AssertionConsumerServiceURLs>
        <DefaultAssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</DefaultAssertionConsumerServiceURL>
        <EnableSingleLogout>true</EnableSingleLogout>
        <SLOResponseURL></SLOResponseURL>
        <SLORequestURL></SLORequestURL>
        <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI>
        <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI>
        <SignResponse>true</SignResponse>
        <ValidateSignatures>true</ValidateSignatures>
        <EncryptAssertion>true</EncryptAssertion>
        <CertAlias></CertAlias>
        <EnableAttributeProfile>true</EnableAttributeProfile>
        <IncludeAttributeByDefault>true</IncludeAttributeByDefault>
        <ConsumingServiceIndex>2104589</ConsumingServiceIndex>
        <EnableAudienceRestriction>false</EnableAudienceRestriction>
        <AudiencesList>
          <Audience></Audience>
        </AudiencesList>
        <EnableRecipients>false</EnableRecipients>
        <RecipientList>
          <Recipient></Recipient>
        </RecipientList>
        <EnableIdPInitiatedSSO>false</EnableIdPInitiatedSSO>
        <EnableIdPInitSLO>false</EnableIdPInitSLO>
        <ReturnToURLList>
          <ReturnToURL></ReturnToURL>
        </ReturnToURLList>
    </ServiceProvider>

    Warning

    To configure SAML Back-Channel Logout and SAML Front-Channel Logout described below, apply the 3904 WUM update to WSO2 IS 5.3.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

    In the above configuration, single logout is supported through Back-Channel Logout. To use SAML Front-Channel Logout, add the following properties under the <ServiceProvider> tag.

    To enable SAML Front-Channel Logout with HTTP Redirect Binding

    <EnableSingleLogout>true</EnableSingleLogout>
    <EnableFrontChannelLogout>true</EnableFrontChannelLogout>
    <FrontChannelLogoutBinding>HTTPRedirectBinding</FrontChannelLogoutBinding>

    To enable SAML Front-Channel Logout with HTTP POST Binding

    <EnableSingleLogout>true</EnableSingleLogout>
    <EnableFrontChannelLogout>true</EnableFrontChannelLogout>
    <FrontChannelLogoutBinding>HTTPPostBinding</FrontChannelLogoutBinding>
  2. Create a file named travelocity.com.xml in the <SERVICE_PROVIDER_IS_HOME>/repository/conf/identity/service-providers directory.
  3. Add the following configurations into the travelocity.com.xml file you created. This adds the necessary SAML configurations to the travelocity service provider.

    Note

    If you added the "SHARED_" prefix to the identity provider name when adding the identity provider, replace the <IdentityProviderName> value (found under the <LocalAndOutBoundAuthenticationConfig> element) in the travelocity.com.xml file with the following value.

    SHARED_identityProviderIDP_IS

    <ServiceProvider>
        <ApplicationID>3</ApplicationID>
        <ApplicationName>travelocity.com</ApplicationName>
        <Description>travelocity Service Provider</Description>
        <IsSaaSApp>true</IsSaaSApp>
        <InboundAuthenticationConfig>
            <InboundAuthenticationRequestConfigs>
                <InboundAuthenticationRequestConfig>
                    <InboundAuthKey>travelocity.com</InboundAuthKey>
                    <InboundAuthType>samlsso</InboundAuthType>
                    <Properties></Properties>
                </InboundAuthenticationRequestConfig>
            </InboundAuthenticationRequestConfigs>
        </InboundAuthenticationConfig>
      
        <LocalAndOutBoundAuthenticationConfig>
        <AuthenticationSteps>
            <AuthenticationStep>
                <StepOrder>1</StepOrder>
                <LocalAuthenticatorConfigs>
                    <LocalAuthenticatorConfig>
                        <Name>BasicAuthenticator</Name>
                        <DisplayName>basicauth</DisplayName>
                        <IsEnabled>true</IsEnabled>
                    </LocalAuthenticatorConfig>
                </LocalAuthenticatorConfigs>
                <FederatedIdentityProviders>
                    <IdentityProvider>
                        <IdentityProviderName>identityProviderIDP_IS</IdentityProviderName>
                        <IsEnabled>true</IsEnabled>
                        <DefaultAuthenticatorConfig>
                            <FederatedAuthenticatorConfigs>
                                <FederatedAuthenticatorConfig>
                                    <Name>SAMLSSOAuthenticator</Name>
                                    <DisplayName>samlsso</DisplayName>
                                    <IsEnabled>true</IsEnabled>
                                </FederatedAuthenticatorConfig>
                            </FederatedAuthenticatorConfigs>
                        </DefaultAuthenticatorConfig>
                    </IdentityProvider>
                </FederatedIdentityProviders>
                <SubjectStep>true</SubjectStep>
                <AttributeStep>true</AttributeStep>
            </AuthenticationStep>
        </AuthenticationSteps>
    </LocalAndOutBoundAuthenticationConfig>
        <RequestPathAuthenticatorConfigs></RequestPathAuthenticatorConfigs>
        <InboundProvisioningConfig></InboundProvisioningConfig>
        <OutboundProvisioningConfig></OutboundProvisioningConfig>
        <ClaimConfig>
            <AlwaysSendMappedLocalSubjectId>true</AlwaysSendMappedLocalSubjectId>
            <LocalClaimDialect>true</LocalClaimDialect>
            <ClaimMappings>
                <ClaimMapping>
                    <LocalClaim>
                        <ClaimUri>http://wso2.org/claims/givenname</ClaimUri>
                    </LocalClaim>
                    <RemoteClaim>
                        <ClaimUri>http://wso2.org/claims/givenName</ClaimUri>
                    </RemoteClaim>
                    <RequestClaim>true</RequestClaim>
                </ClaimMapping>
            </ClaimMappings>
        </ClaimConfig>
        <PermissionAndRoleConfig></PermissionAndRoleConfig>
    </ServiceProvider>
  4. Restart the WSO2 Identity Server to apply the file-based configurations to the system. 

    Note

    Note that the management console will not show the SP-related configuration information if it is loaded through a file (as shown above).

Running the travelocity application

...

  1. Create new tenants in the service provider IS.

    Note: You cannot provide access to the service provider and identity provider for a specific tenant domain. This is accessible to all the tenants configured.

  2. Open the <TOMCAT_HOME>/webapps/travelocity.com/WEB-INF/classes/travelocity.properties file.

    Full contents of the travelocity.properties file:

    EnableSAMLSSOLogin=true
    EnableOpenIDLogin=true
    EnableSAML2Grant=false
    #This is the URL of the page that is used to choose the login scheme
    #such as SAML SSO or OpenID. This Url will not be processed by the
    #SSOAgentFilter
    LoginUrl=index.jsp
    
    #Url to do send SAMLSSO AuthnRequest
    SAMLSSOUrl=samlsso
    
    #Url to do send SAML2 Grant OAuth2 Request
    SAML2GrantUrl=token
    
    #Url to send OpenID Authentication Request
    OpenIDUrl=openid
    
    #A unique identifier for this SAML 2.0 Service Provider application
    SAML.IssuerID=travelocity.com
    
    #QueryParams=tenantDomain=tenant.domain
    
    
    #The URL of the SAML 2.0 Assertion Consumer
    SAML.ConsumerUrl=http://wso2is.local/travelocity.com/home.jsp
    
    #The URL of the SAML 2.0 Identity Provider
    SAML.IdPUrl=https://localhost:9443/samlsso
    
    #This is the attribute name under which the authenticated session information
    #of SAML SSO and OpenID are stored
    SSOAgentSessionBeanName=SSOAgentSessionBean
    
    #Identifier given for the Service Provider for SAML 2.0 attributes
    #exchange
    #SAML.AttributeConsumingServiceIndex=1701087467
    
    #Specify if SingleLogout is enabled/disabled
    SAML.EnableSLO=true
    
    #This is the URL that is used for SLO
    SAML.LogoutUrl=logout
    
    #Specify if SAMLResponse element is signed
    SAML.EnableResponseSigning=false
    
    #Specify if SAMLAssertion element is signed
    SAML.EnableAssertionSigning=false
    
    #Specify if SAMLAssertion element is encrypted
    SAML.EnableAssertionEncryption=false
    
    #Specify if AuthnRequests and LogoutRequests should be signed
    SAML.EnableRequestSigning=false
    
    #Specify if force authentication enabled
    SAML.EnableForceAuthentication=false
    
    #Custom credentials class
    SAML.SSOAgentCredentialImplClass=org.wso2.carbon.identity.sso.agent.saml.SSOAgentKeyStoreCredential
    
    #KeyStore to cryptographic credentials
    #KeyStore=/home/johann/Desktop/wso2is-4.1.0/repository/resources/security/wso2carbon.jks
    
    #Password of the KeyStore for SAML and OpenID
    KeyStorePassword=wso2carbon
    
    #Alias of the IdP's public certificate
    SAML.IdPCertAlias=wso2carbon
    
    #Alias of the SP's private key
    SAML.PrivateKeyAlias=wso2carbon
    
    #Private key password to retrieve the private key used to sign
    #AuthnRequest and LogoutRequest messages
    SAML.PrivateKeyPassword=wso2carbon
    
    #OAuth2 token endpoint URL
    SAML.OAuth2TokenEndpoint=https://localhost:9443/oauth2/token
    
    #OAuth2 Client ID
    SAML.OAuth2ClientID=Qn5DQHCYfshxeZh6R9SL1HM2lsMa
    
    #OAuth2 Client Secret
    SAML.OAuth2ClientSecret=cbkAs1gajdwPAMbrSR54hPAIcz0a
    
    #OpenId Provider Url
    OpenID.OpenIdProviderUrl=https://localhost:9443/openid/
    
    #openid.return_to parameter
    OpenID.ReturnToUrl=http://wso2is.local/travelocity.com/home.jsp
    
    #This is the request parameter name under which to find the
    #openid.claimed_id value to send OpenID authentication request
    OpenID.ClaimedIDParameterName=claimed_id
    
    #Custom OpenID AttributesRequestor class
    OpenID.AttributesRequestorImplClass=SampleAttributesRequestor
    
    #Additional request parameters
    #SAML.Request.Query.Param=&forceAuth=true
  3. In the travelocity.properties file, locate and uncomment the following value. Replace the tenant domain (tenant.domain) with your newly created tenant domain.

    #QueryParams=tenantDomain=tenant.domain

    Tip: You can uncomment values in this file by removing the “#”.

  4. To enable response signature validation on the Travelocity side, first download the public certificate of the tenant.
    1. Log in to the management console using tenant credentials and navigate to Home > Manage > Keystores > List. Click the Public Key link to download the certificate.
    2. Import this public certificate into the <APACHE_HOME>/webapps/travelocity.com/WEB-INF/classes/wso2carbon.jks file using the following command.

      keytool -import -alias <key_alias> -file <download_file> -keystore wso2carbon.jks

      Info

      The default password of wso2carbon.jks is "wso2carbon".

    3. Update the IdPPublicCertAlias property in the <APACHE_HOME>/webapps/travelocity.com/WEB-INF/classes/travelocity.properties file with the alias provided in the previous step.

      Info

      It is also possible to disable response signature validation in the Travelocity application using the SAML2.EnableResponseSigning property available in the <APACHE_HOME>/webapps/travelocity.com/WEB-INF/classes/travelocity.properties file.

  5. If you made any changes to the port offset, you must ensure that this change is reflected in the port value of the following property.

    SAML.IdPUrl=https://localhost:9443/samlsso
  6. Restart Apache Tomcat and access the travelocity application. You will be able to log in using the identity provider credentials regardless of the tenant domain you are using. Access the travelocity application using the following: http://wso2is.local/travelocity.com/index.jsp
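The service provider entry in sso-idp-config.xml and the agent's travelocity.properties file describe the same SAML relationship from two sides, so their values can be compared before restarting. The following is an added example, not part of the original page or of WSO2's code: it compares constructed, trimmed samples that reuse the values shown on this page and reports where the two files disagree. The function names and the choice of which fields to pair are assumptions made for the example; the property names are those in the travelocity.properties listing above.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed to the compared fields, using values shown on this page.
SAMPLE_SP_XML = """<ServiceProvider>
  <Issuer>travelocity.com</Issuer>
  <AssertionConsumerServiceURLs>
    <AssertionConsumerServiceURL>http://wso2is.local:8080/travelocity.com/home.jsp</AssertionConsumerServiceURL>
  </AssertionConsumerServiceURLs>
  <SignResponse>true</SignResponse>
  <EncryptAssertion>true</EncryptAssertion>
</ServiceProvider>"""

SAMPLE_PROPERTIES = """#A unique identifier for this SAML 2.0 Service Provider application
SAML.IssuerID=travelocity.com
#QueryParams=tenantDomain=tenant.domain
SAML.ConsumerUrl=http://wso2is.local/travelocity.com/home.jsp
SAML.EnableResponseSigning=false
SAML.EnableAssertionEncryption=false
"""

# (element in sso-idp-config.xml, key in travelocity.properties) pairs assumed to correspond.
BOOLEAN_PAIRS = (
    ("SignResponse", "SAML.EnableResponseSigning"),
    ("EncryptAssertion", "SAML.EnableAssertionEncryption"),
)


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def cross_check(sp_xml, properties_text):
    """Return mismatches between the registered SP entry and the agent's properties."""
    sp = ET.fromstring(sp_xml)
    props = parse_properties(properties_text)
    mismatches = []
    issuer = (sp.findtext("Issuer") or "").strip()
    if props.get("SAML.IssuerID") != issuer:
        mismatches.append(f"SAML.IssuerID does not match Issuer ({issuer})")
    acs_urls = [(e.text or "").strip() for e in sp.iter("AssertionConsumerServiceURL")]
    consumer_url = props.get("SAML.ConsumerUrl")
    if consumer_url not in acs_urls:
        mismatches.append(f"SAML.ConsumerUrl {consumer_url} is not a registered ACS URL")
    for element, key in BOOLEAN_PAIRS:
        server = (sp.findtext(element) or "false").strip().lower()
        client = props.get(key, "false").strip().lower()
        if server != client:
            mismatches.append(f"{element}={server} but {key}={client}")
    return mismatches


if __name__ == "__main__":
    for item in cross_check(SAMPLE_SP_XML, SAMPLE_PROPERTIES):
        print("MISMATCH:", item)
```
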
