Single sign-on is a key feature of the WSO2 Identity Server that enables users to access multiple applications using the same set of credentials. Additionally, the user can access all these applications without having to log into each and every one of them individually. For instance, if users log into application A, they would automatically have access to application B as well for the duration of that session without having to re-enter their credentials.

...

To obtain and configure the single sign-on travelocity sample, follow the steps below.
  1. You can check out the repository of the SSO sample from GitHub. Follow the instructions here to check out the folder.

  2. Open a terminal window and add the following entry to the /etc/hosts file of your machine to configure the hostname.

    Info: Why is this step needed?

    Some browsers do not allow you to create cookies for a naked hostname, such as localhost. Cookies are required when working with SSO. Therefore, to ensure that the SSO capabilities work as expected in this tutorial, you need to configure the /etc/hosts file as explained in this step.

    The /etc/hosts file is a read-only file. Therefore, you won't be able to edit it by opening the file via a text editor. To avoid this, edit the file using the terminal commands.
    For example, use the following command if you are working on a Mac/Linux environment.

    Code Block
    sudo nano /etc/hosts

    Code Block
    127.0.0.1 	wso2is.local
  3. Open the travelocity.properties file found in the IS_SAMPLES/modules/samples/sso/sso-agent-sample/src/main/resources directory of the samples folder you just checked out. Configure the following property with the hostname (wso2is.local) that you configured above. 

    Code Block
    #The URL of the SAML 2.0 Assertion Consumer
    SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp
  4. In your command line, navigate to the <IS_SAMPLES>/modules/samples/sso/sso-agent-sample folder and build the sample using the following command. You must have Apache Maven installed to do this (see Installation Prerequisites for the appropriate version to use).

    Code Block
    mvn clean install
  5. After successfully building the sample, a .war file named travelocity.com.war can be found inside the <HOME>/sso/sso-agent-sample/target folder. Deploy this sample web app on a web container; in this tutorial, use the Apache Tomcat server.

    Note: Since this sample is written based on Servlet 3.0, it needs to be deployed on Tomcat 7.x.

    Use the following steps to deploy the web app in the web container:

    1. Stop the Apache Tomcat server if it is already running.
    2. Copy the travelocity.com.war file to the <TOMCAT_HOME>/webapps folder.
    3. Start the Apache Tomcat server.
Tip: If you wish to change properties like the issuer ID, consumer URL, and IdP URL, you can edit the travelocity.properties file found in the travelocity.com/WEB-INF/classes directory. Also, if the service provider is configured in a tenant, you can use the "QueryParams" property to send the tenant domain, for example "QueryParams=tenantDomain=wso2.com".

This sample uses the following default values.

Property / Description

SAML2.SPEntityId=travelocity.com
    A unique identifier for this SAML 2.0 Service Provider application.

SAML2.AssertionConsumerURL=http://wso2is.local:8080/travelocity.com/home.jsp
    The URL of the SAML 2.0 Assertion Consumer.

SAML2.IdPEntityId=localhost
    The unique identifier of the SAML 2.0 Identity Provider.
    Note: If you are updating the value, make sure to define the same value for the Identity Provider Entity Id of the Resident IdP. Follow the steps given below:
      1. Sign in to the management console.
      2. Click Resident under Identity Providers.
      3. Expand Inbound Authentication Configurations and expand SAML2 Web SSO Configurations.
      4. Enter the same value you defined for SAML2.IdPEntityId as the value for Identity Provider Entity ID.

SAML2.IdPURL=https://localhost:9443/samlsso
    The URL of the SAML 2.0 Identity Provider.

SAML2.IsPassiveAuthn=false
    Set this to true to send SAML2 passive authentication requests.

If you edit the travelocity.properties file, you must restart the Apache Tomcat server for the changes to take effect.
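Most SSO failures with this sample come from the agent-side properties and the IdP-side service provider registration drifting apart. The following script is an added example (not code from the sample or from WSO2 Identity Server) that reads a travelocity.properties excerpt and checks the three consistency rules this page states: the registered Issuer must equal SAML2.SPEntityId, the registered Assertion Consumer URL must equal SAML2.AssertionConsumerURL, and SAML2.IdPEntityId must equal the Resident IdP's entity ID. The properties text and the registration dictionary are constructed inline; the dictionary keys are assumptions, not management-console field names.

```python
"""Cross-check travelocity.properties against the service provider
registration this page describes. Added example, not code from the sample or
WSO2 Identity Server; the properties text and registration are constructed."""

# Constructed excerpt of travelocity.properties using the page's default values.
SAMPLE_PROPERTIES = """\
#The URL of the SAML 2.0 Assertion Consumer
SAML2.AssertionConsumerURL= http://wso2is.local:8080/travelocity.com/home.jsp
SAML2.SPEntityId=travelocity.com
SAML2.IdPEntityId=localhost
SAML2.IdPURL= https://localhost:9443/samlsso
SAML2.IsPassiveAuthn=false
"""


def parse_properties(text):
    """Minimal Java .properties reader: skips blank and comment lines, splits
    on the first '=' and strips surrounding whitespace from key and value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_sp_consistency(props, sp_registration, resident_idp_entity_id):
    """Return a list of mismatches between the agent config and the IdP side.

    sp_registration is a constructed dict with the keys 'issuer', 'acs_urls'
    (list) and 'default_acs_url', mirroring the console fields on this page."""
    problems = []
    if props.get("SAML2.SPEntityId") != sp_registration["issuer"]:
        problems.append("Issuer must equal SAML2.SPEntityId")
    acs = props.get("SAML2.AssertionConsumerURL")
    if acs not in sp_registration["acs_urls"]:
        problems.append("SAML2.AssertionConsumerURL is not a registered Assertion Consumer URL")
    if sp_registration["default_acs_url"] != acs:
        problems.append("Default Assertion Consumer URL must equal SAML2.AssertionConsumerURL")
    if props.get("SAML2.IdPEntityId") != resident_idp_entity_id:
        problems.append("SAML2.IdPEntityId must equal the Resident IdP Entity ID")
    return problems
```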

Now the web application is successfully deployed on a web container. 

...

Field / Description / Sample Value

Issuer
    Description: This is the entity ID for the SAML2 service provider.
    Info: This value should be the same as the SAML2.SPEntityId value specified inside the travelocity.com/WEB-INF/classes/travelocity.properties file.
    Sample value: travelocity.com

Assertion Consumer URLs
    Description: This is the Assertion Consumer Service (ACS) URL of the service provider. The identity provider redirects the SAML2 response to this ACS URL. However, if the SAML2 request is signed and contains an ACS URL, the Identity Server will honor the ACS URL of the SAML2 request.
    Info: This value should be the same as the SAML2.AssertionConsumerURL value mentioned inside the travelocity.com/WEB-INF/classes/travelocity.properties file.
    Sample value: Enter http://wso2is.local:8080/travelocity.com/home.jsp and click Add.

Default Assertion Consumer URL
    Description: This must be the same value defined above. If you have defined multiple Assertion Consumer URLs, this value must be the same as the SAML2.AssertionConsumerURL value mentioned inside the travelocity.com/WEB-INF/classes/travelocity.properties file, as that is the default.

NameID format
    Description: The service provider and identity provider usually communicate with each other regarding a specific subject. That subject should be identified through a Name Identifier (NameID), which should be in some format so that it is easy for the other party to identify it based on the format. Some formats are defined by the SAML2 specification. Enter the default value of this format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
    Sample value: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Certificate Alias
    Description: This is used to validate the signature of SAML2 requests and for encryption.
    Sample value: Select wso2carbon. In a tenant, select the Certificate Alias with the tenant domain name.

Response Signing Algorithm
    Description: Specifies the 'SignatureMethod' algorithm to be used in the 'Signature' element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity/identity.xml file, in the SSOService element with the SAMLDefaultSigningAlgorithmURI tag. If it is not provided, the default algorithm is RSA-SHA1, at URI http://www.w3.org/2000/09/xmldsig#rsa-sha1.
    Sample value: http://www.w3.org/2000/09/xmldsig#rsa-sha1

Response Digest Algorithm
    Description: Specifies the 'DigestMethod' algorithm to be used in the 'Signature' element in POST binding. The default value can be configured in the <IS_HOME>/repository/conf/identity/identity.xml file, in the SSOService element with the SAMLDefaultDigestAlgorithmURI tag. If it is not provided, the default algorithm is SHA1, at URI http://www.w3.org/2000/09/xmldsig#sha1.
    Sample value: http://www.w3.org/2000/09/xmldsig#sha1

Enable Response Signing
    Description: This is used to sign the SAML2 Responses returned after the authentication process is complete.
    Sample value: Set as true by selecting the checkbox.

Enable Signature Validation in Authentication Requests and Logout Requests
    Description: This specifies whether the identity provider must validate the signature of the SAML2 authentication request and the SAML2 logout request that are sent by the service provider.
    Sample value: Leave unchecked for the travelocity sample.

Enable Assertion Encryption
    Description: This defines whether the SAML2 assertion must be encrypted or not.
    Sample value: Leave unchecked for the travelocity sample.

Enable Single Logout
    Description: Enable this to ensure that all sessions are terminated once the user signs out from one server.
    Sample value: Set this as true by selecting the checkbox.

SLO Response URL
    Description: If the service provider has a different endpoint that accepts the single logout response other than the assertion consumer URL, you can provide that endpoint value here.

SLO Request URL
    Description: If the service provider has a different endpoint that accepts single logout requests from the identity server other than the assertion consumer URL, you can provide that endpoint value here.

Logout Method
    Warning: To configure SAML Back-Channel Logout and SAML Front-Channel Logout described below, apply the 3904 WUM update to WSO2 IS 5.3.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.
    Description: SAML single logout is supported by both the SAML Back-Channel Logout and SAML Front-Channel Logout methods. By default, when you select Enable Single Logout, Back-Channel Logout is enabled. To enable SAML Front-Channel Logout, select either Front-Channel Logout (HTTP Redirect Binding) or Front-Channel Logout (HTTP POST Binding).
    Sample value: Select Back-Channel Logout for the travelocity sample.

Enable Attribute Profile
    Description: The Identity Server supports a basic attribute profile where the identity provider can include the user's attributes in the SAML Assertions as an attribute statement. You can define the claims that must be included under the service provider claim configurations. Also, once you select the "Include Attributes in the Response Always" checkbox, the identity provider always includes the attribute values related to the selected claims in the SAML Attribute statement.
    Sample value: Leave unchecked for the travelocity sample.

Enable Audience Restriction
    Description: You can define multiple audiences in the SAML Assertion. Configured audiences are added to the SAML2 Assertion.
    Sample value: Leave unchecked for the travelocity sample.

Enable IdP Initiated SSO
    Description: Depending on your application flow, you can choose whether to enable IdP initiated SSO. The IdP initiated SSO profile lets you start an authentication flow by sending a GET request to the Identity Server with the following format:

    https://{Hostname}:{Port}/samlsso?spEntityID={SAML2 SSO Issuer name}

    Note: If your SAML2 SSO issuer has been configured in a separate tenant other than the super tenant, then you need to append the tenantDomain parameter as well. If the tenant domain is soasecurity.org, the GET request would be as follows: https://localhost:9443/samlsso?spEntityID=travelocity.com&tenantDomain=soasecurity.org
    Sample value: Leave unchecked for the travelocity sample.

Enable IdP initiated SLO
    Description: The Identity Server facilitates IdP initiated SAML2 single logout requests. This is useful if the application cannot manage the session index received with the SAML response and still wants to perform logout. The following parameters can be used with the IdP initiated SLO request:

      • slo (mandatory parameter) - Must have the value true to mark the request as an IdP initiated logout request.
      • spEntityID (optional) - Value of the parameter should be the SAML issuer name as in the Issuer field in the SAML service provider configuration UI.
      • returnTo (optional) - Value of the parameter should be the URL that the user needs to be redirected to after the logout.

        Note: If this parameter is present in the request, then the spEntityID parameter must also be present. Since this needs to be a trusted location, the value that comes with the request must match one of the assertion consumer URLs or returnTo URLs of the service provider.
        Example of a returnTo URL: https://wso2is.local:8080/avs.com/slo

    Sample value: Leave unchecked for the travelocity sample.

Enable Assertion Query Request Profile
    Description: Enable this to query assertions following the SAML 2.0 specification. This queries assertions that are persisted to the database when you log in to the service provider application. For more information, see Querying SAML Assertions.
    Sample value: Leave unchecked for the travelocity sample.
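The IdP initiated SSO URL format and the IdP initiated SLO parameter rules above are worth seeing as concrete logic, in particular the returnTo restriction, which is what stops the logout redirect from being pointed at an untrusted location. The script below is an added example (not WSO2 Identity Server code): it builds the IdP initiated SSO GET URL with the optional tenantDomain parameter, and validates an IdP initiated SLO request against the three rules the page states (slo=true is mandatory, returnTo requires spEntityID, and returnTo must exactly match a registered ACS or returnTo URL). SP_REGISTRY is a constructed stand-in for the registered service provider configuration; its ACS URL and returnTo URL are the values this page uses.

```python
"""IdP initiated SSO/SLO request handling per the rules on this page. Added
example, not WSO2 Identity Server code; SP_REGISTRY is a constructed stand-in
for the registered service provider configuration."""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration keyed by Issuer (spEntityID). The ACS URL is the
# travelocity sample's; the returnTo URL is the page's own example value.
SP_REGISTRY = {
    "travelocity.com": {
        "acs_urls": ["http://wso2is.local:8080/travelocity.com/home.jsp"],
        "return_to_urls": ["https://wso2is.local:8080/avs.com/slo"],
    }
}


def idp_initiated_sso_url(host, port, sp_entity_id, tenant_domain=None):
    """Build the GET URL of the IdP initiated SSO profile. tenantDomain is
    appended only when the issuer is registered outside the super tenant."""
    params = {"spEntityID": sp_entity_id}
    if tenant_domain:
        params["tenantDomain"] = tenant_domain
    return f"https://{host}:{port}/samlsso?{urlencode(params)}"


def validate_idp_initiated_slo(request_url):
    """Check an IdP initiated SLO request and return (accepted, reason).

    slo=true is mandatory; returnTo requires spEntityID; and returnTo is only
    honoured when it exactly matches a registered ACS or returnTo URL of that
    SP, so the post-logout redirect can never be an arbitrary location."""
    query = parse_qs(urlparse(request_url).query)
    if query.get("slo") != ["true"]:
        return False, "slo=true is mandatory for an IdP initiated logout"
    sp_ids = query.get("spEntityID", [])
    return_to = query.get("returnTo", [])
    if return_to and not sp_ids:
        return False, "returnTo requires spEntityID"
    if return_to:
        sp = SP_REGISTRY.get(sp_ids[0])
        if sp is None:
            return False, "unknown spEntityID"
        trusted = set(sp["acs_urls"]) | set(sp["return_to_urls"])
        if return_to[0] not in trusted:
            return False, "returnTo is not a registered ACS or returnTo URL"
    return True, "ok"
```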

...